BEAZER HOMES USA INC 10-K Cybersecurity GRC - 2024-11-13

Page last updated on November 13, 2024

BEAZER HOMES USA INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-13 16:44:23 EST.

Filings

10-K filed on 2024-11-13

BEAZER HOMES USA INC filed a 10-K at 2024-11-13 16:44:23 EST
Accession Number: 0000915840-24-000069


Item 1C. Cybersecurity.

We maintain a cybersecurity program designed to detect, identify, classify and mitigate cybersecurity and other data security threats as part of our efforts to protect and maintain the confidentiality and security of homebuyer, customer, employee, vendor and supplier information, and non-public information about the Company, which has been strategically integrated into our enterprise risk management program to promote a company-wide culture of cyber risk awareness. The foundation of our cybersecurity program is based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, which includes a set of controls to prevent, detect, and respond to cybersecurity and other data security threats and incidents. Additionally, in furtherance of detecting, identifying, and managing material cybersecurity and other data security threats, we also:

- maintain robust information security and privacy policies that are reviewed and updated on an annual basis;
- engage with a range of third-party service providers, including cybersecurity consultants, to evaluate, monitor, and test our cyber management systems and related risks;
- conduct audits, penetration tests, threat and vulnerability assessments, cybersecurity risk monitoring, and security enhancement consultations, using both internal and external resources;
- maintain and continue to evolve our Cybersecurity Incident Management program, which includes regular incident response tabletop exercises, cybersecurity-related disaster recovery and business resiliency plans, and related communications and business continuity procedures;
- conduct security assessments of third-party software products and hosting providers prior to engagement;
- implement ongoing monitoring procedures for third-party service providers’ hosted applications to ensure continued alignment with our cybersecurity standards and compliance requirements;
- provide mandatory annual security and privacy awareness training, along with monthly phishing simulations, to all of our employees. These trainings and simulations are designed to ensure employees are well-versed in the behaviors and requirements necessary to safeguard the Company’s information resources; and
- maintain cyber liability insurance to protect against the financial impact of a cyber incident.

We have a dedicated team of employees managing our cybersecurity program and initiatives, led by the Company’s Chief Information Security Officer, who reports to our Chief Information Officer and brings over 20 years of experience in senior leadership roles leading information security and technology teams across private and public companies. The team works directly in consultation with internal and external advisors to execute our cybersecurity strategies.

Pursuant to our cybersecurity program, potential cybersecurity threats are classified by risk levels and threat mitigation efforts are typically prioritized based on those risk classifications, while focus also remains on maintaining the resiliency of our information systems. In the event we identify a potential cybersecurity issue, we have defined procedures for responding to such issues, including procedures that address when and how to engage with Company management, the Board of Directors, other stakeholders and law enforcement.

Our Board of Directors has ultimate oversight responsibility for risks relating to our cybersecurity program. In addition, the Audit Committee assists the Board of Directors in monitoring our cybersecurity and data security risk exposures and compliance with the Company’s cybersecurity program, and regularly makes inquiries of the Company’s management team, internal auditors and independent auditors regarding these risk exposures and compliance matters. We have also established an IT Committee, which is an ad hoc committee comprised of at least two members of the Board of Directors. The IT Committee is responsible for advising and assisting the Board of Directors in overseeing the Company’s customer relationship management and enterprise resource planning software and technology and regularly meets with the Company’s management team with respect to these initiatives.

Conducting our businesses involves the collection, storage, use, disclosure, processing, transfer, and other handling of a wide variety of information, including personally identifiable information, for various purposes. Like other companies that process a wide variety of information, our information technology systems, networks and infrastructure and technology have been, and may in the future be, vulnerable to cybersecurity attacks and other data security threats. These types of attacks are constantly evolving, may be difficult to detect quickly, and often are not recognized until after they have been launched against a target. While, to date, we have not had a significant cybersecurity breach or attack that has had a material impact on our business strategy, results of operations, or financial condition, there can be no assurance that our efforts to maintain the security and integrity of these types of IT networks and related systems will be effective or that attempted security breaches or disruptions would not be successful or damaging. For more information about these and other cybersecurity risks faced by us, see Part 1. Item 1A. “Risk Factors.”


Company Information

Name: BEAZER HOMES USA INC
CIK: 0000915840
SIC Description: Operative Builders
Ticker: BZH - NYSE
Website:
Category: Accelerated filer
Fiscal Year End: September 29