Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Risk Management and Strategy

We recognize the importance of assessing, identifying and managing material risks associated with cybersecurity threats. We have implemented cybersecurity policies, procedures, technologies and controls to aid in our efforts to assess, identify and manage such risks. Material risks from cybersecurity threats are managed across GM, GM Financial, Cruise, service providers such as data processors, third-party suppliers, dealers and vendors, and monitoring such risks and threats are integrated into the Company's overall risk management program.

GM has a Cybersecurity Management Board that brings together representatives from senior management across the Company's Software & Services, Product Development, Information Technology, Manufacturing, Finance, Communications, Human Resources, Legal and Public Policy organizations to provide guidance and monitor overall company cybersecurity risk. The Company's cybersecurity maturity scorecard, cybersecurity threats and incident information are reviewed by the Company's Chief Information Security Officer (CISO), the Risk and Cybersecurity Committee of the Company's Board of Directors and the Cybersecurity Management Board during standing meetings as well as in impromptu sessions, when appropriate. During the reviews, various topics are discussed, which may include:

implementation and maturity of the Company's cybersecurity program, risk management framework, including cybersecurity risk policies, procedures and governance;
cybersecurity and privacy risk, including potential impact to the Company's employees, customers, supply chain, joint ventures and other stakeholders;
intelligence briefings on notable cyber events impacting the industry; and
cybersecurity budget and resource allocation, including industry benchmarking and economic modeling of various potential cybersecurity events.

The Company maintains administrative, physical, technical and organizational safeguards, including employee training, incident response capability reviews and exercises, cybersecurity insurance and business continuity mechanisms for the protection of the Company's assets. From time to time, the Company's processes are audited and validated by internal and external experts. The Company leverages a third-party cybersecurity program with the goal of minimizing disruption to the Company's business and production operations, strengthening supply chain resilience in response to cyber-related events and supporting the integrity of components and systems used in its products and services.

When cybersecurity incidents occur, the GM Cybersecurity team's focus is on responding to and containing the threat and minimizing impact. When we become aware of a cybersecurity incident, we have defined policies and procedures to respond to and recover from such incident as quickly as possible. In the event of a cybersecurity incident, the Cybersecurity team also assesses, among other factors, safety impact, supply chain and manufacturing disruption, data and personal information loss, business operations disruption, projected cost and potential for reputational harm, with support from external technical, legal and law enforcement, as appropriate. Our policies and procedures are reviewed periodically for alignment with regulatory requirements and the threat landscape.

In the last three fiscal years, the Company has not experienced any material cybersecurity incidents and expenses incurred from cybersecurity incidents were immaterial (including penalties and settlements, of which there were none). For a discussion of whether and how any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or, if realized, are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition, see Item 1A. Risk Factors – "Risks related to our intellectual property, cybersecurity, information technology and data management practices", which are incorporated by reference into this Item 1C.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] We recognize the importance of assessing, identifying and managing material risks associated with cybersecurity threats. We have implemented cybersecurity policies, procedures, technologies and controls to aid in our efforts to assess, identify and manage such risks. Material risks from cybersecurity threats are managed across GM, GM Financial, Cruise, service providers such as data processors, third-party suppliers, dealers and vendors, and monitoring such risks and threats are integrated into the Company's overall risk management program.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
The GM Board of Directors is responsible for overseeing the Company's enterprise risk, and has established its Risk and Cybersecurity Committee with specific responsibility for overseeing our cybersecurity program, among other things. The Company's cybersecurity organization is led by the CISO, who is responsible for assessing and managing material risks from cybersecurity threats and reports to the Risk and Cybersecurity Committee. The CISO has served in this role since December 2024 and has more than 20 years of experience in various information technology, cybersecurity and software engineering roles. The CISO's experience includes building and leading cybersecurity functions at large enterprises, startups, and research and development centers, as well as leading software engineering teams responsible for building and operating large-scale software services. The CISO also has expertise in building and designing secure software, scalable and resilient systems, incident response practices, privacy programs and other critical security disciplines and practice areas. The CISO holds a master's degree in information security policy and management, has taught information security courses at the graduate level, is an inventor on cybersecurity-related patents and has been a speaker at leading cybersecurity conferences.

The CISO and the Cybersecurity Management Board monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including through the operation of the Company's incident response plans, which include escalation to the Risk and Cybersecurity Committee, as appropriate, and simulated exercises.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Company's cybersecurity organization is led by the CISO, who is responsible for assessing and managing material risks from cybersecurity threats and reports to the Risk and Cybersecurity Committee.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
The CISO and the Cybersecurity Management Board monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including through the operation of the Company's incident response plans, which include escalation to the Risk and Cybersecurity Committee, as appropriate, and simulated exercises.
Cybersecurity Risk Role of Management [Text Block]
The GM Board of Directors is responsible for overseeing the Company's enterprise risk, and has established its Risk and Cybersecurity Committee with specific responsibility for overseeing our cybersecurity program, among other things. The Company's cybersecurity organization is led by the CISO, who is responsible for assessing and managing material risks from cybersecurity threats and reports to the Risk and Cybersecurity Committee. The CISO has served in this role since December 2024 and has more than 20 years of experience in various information technology, cybersecurity and software engineering roles. The CISO's experience includes building and leading cybersecurity functions at large enterprises, startups, and research and development centers, as well as leading software engineering teams responsible for building and operating large-scale software services. The CISO also has expertise in building and designing secure software, scalable and resilient systems, incident response practices, privacy programs and other critical security disciplines and practice areas. The CISO holds a master's degree in information security policy and management, has taught information security courses at the graduate level, is an inventor on cybersecurity-related patents and has been a speaker at leading cybersecurity conferences.

The CISO and the Cybersecurity Management Board monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including through the operation of the Company's incident response plans, which include escalation to the Risk and Cybersecurity Committee, as appropriate, and simulated exercises.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The Company's cybersecurity organization is led by the CISO, who is responsible for assessing and managing material risks from cybersecurity threats and reports to the Risk and Cybersecurity Committee. The CISO has served in this role since December 2024 and has more than 20 years of experience in various information technology, cybersecurity and software engineering roles. The CISO's experience includes building and leading cybersecurity functions at large enterprises, startups, and research and development centers, as well as leading software engineering teams responsible for building and operating large-scale software services. The CISO also has expertise in building and designing secure software, scalable and resilient systems, incident response practices, privacy programs and other critical security disciplines and practice areas. The CISO holds a master's degree in information security policy and management, has taught information security courses at the graduate level, is an inventor on cybersecurity-related patents and has been a speaker at leading cybersecurity conferences.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
GM has a Cybersecurity Management Board that brings together representatives from senior management across the Company's Software & Services, Product Development, Information Technology, Manufacturing, Finance, Communications, Human Resources, Legal and Public Policy organizations to provide guidance and monitor overall company cybersecurity risk. The Company's cybersecurity maturity scorecard, cybersecurity threats and incident information are reviewed by the Company's Chief Information Security Officer (CISO), the Risk and Cybersecurity Committee of the Company's Board of Directors and the Cybersecurity Management Board during standing meetings as well as in impromptu sessions, when appropriate. During the reviews, various topics are discussed, which may include:

implementation and maturity of the Company's cybersecurity program, risk management framework, including cybersecurity risk policies, procedures and governance;
cybersecurity and privacy risk, including potential impact to the Company's employees, customers, supply chain, joint ventures and other stakeholders;
intelligence briefings on notable cyber events impacting the industry; and
cybersecurity budget and resource allocation, including industry benchmarking and economic modeling of various potential cybersecurity events.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true