Page last updated on November 19, 2024
HORTON D R INC /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-19 15:47:02 EST.
Filings
10-K filed on 2024-11-19
HORTON D R INC /DE/ filed a 10-K at 2024-11-19 15:47:02 EST
Accession Number: 0000882184-24-000057
Item 1C. Cybersecurity.
Risk Management and Strategy

We have processes in place for assessing, identifying, and managing risks from cybersecurity threats that may result in material adverse effects to the confidentiality, integrity and availability of our systems, operations and data. These processes are a part of our overall risk assessment process. Risks from cybersecurity threats include, among other things, unauthorized access, data theft, computer viruses, ransomware, malicious software and other disruptions.

We have implemented systems and processes utilizing a multilayered, proactive approach to identify, evaluate, mitigate and prevent potential cybersecurity threats. Each of these layers contain multiple levels of protection and leverage industry standard framework including the National Institute of Standards and Technology (NIST) Cybersecurity Framework. At the management level, these systems and processes are overseen primarily by our Chief Information Officer (CIO) and our Cyber Security Risk Officer (CSRO).

We have implemented processes to assess, identify, and manage risks from cybersecurity threats, including the following:

- Multi-factor Authentication: We secure access to our network and systems through multi-factor authentication.
- Layered Email Protection: We have adopted a layered approach to email protection.
- Zero-Trust Security Model: We are working towards a zero-trust security model, utilizing group-based access controls to manage network resources.
- Continuous Monitoring: We continuously monitor our systems for security anomalies, to help enable early detection of issues and facilitating a rapid response.
- Regular Scans: We conduct weekly and monthly scans to identify and prioritize the mitigation of the most critical vulnerabilities.
- Quarterly Penetration Testing: We engage third-party consultants to perform quarterly penetration testing, examining our environment from various perspectives, including end-user and employee use cases, to thoroughly assess system vulnerabilities.
- Collaborative Evaluation and Remediation: In collaboration with our third-party consultants, we evaluate the outcomes of our testing, address and remediate any identified issues, and subsequently re-test the environment to confirm that the mitigations have effectively resolved the vulnerabilities.
- Regular Assessments and Gap Analyses: Our cybersecurity team regularly meets with the third-party consultants to assess overall risk and conduct gap analyses, ensuring the effectiveness of our current cybersecurity measures.
- Comprehensive Risk Assessment: Our comprehensive risk assessment includes evaluating potential security risks associated with the use of external service providers.
- Incident Response Readiness: We maintain a documented incident response readiness process that details the procedures to follow in the event of a security incident.
- Data Backup: We maintain comprehensive backups of all system files to facilitate data recovery during a security incident.

In addition to the above-described technology controls, we have implemented mandatory training and awareness programs designed to educate our employees on cybersecurity risks. These include periodic exercises to help employees identify phishing schemes and other social engineering tactics, and we provide various methods for them to report suspicious activity that may give rise to a cybersecurity incident.

To date, we have not identified any risks from known cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. However, because the sophistication of cybersecurity threats continues to increase with rapidly evolving techniques to overcome security measures, the preventative actions we have taken and will continue to take to reduce the risks may not successfully protect our systems against a future cybersecurity incident. For more information on how cybersecurity risk could materially affect our business, please refer to Item 1A, “Risk Factors.”

Governance

Our Board considers cybersecurity and other information technology risk as part of its risk oversight function. The members of our Board receive reports on our cybersecurity risks and risk management on at least an annual basis from our CIO and CSRO. These reports include reviewing current trends, processes and systems used to mitigate the risk of cybersecurity threats. Our internal audit department also conducts cybersecurity reviews as part of its audit procedures and presents any findings to the Board. We have protocols by which certain cybersecurity incidents would be escalated within the Company and, where appropriate, reported to the Board in a timely manner.

We invest a considerable amount of resources in training, tools and other resources to manage risks from cybersecurity threats. Our cybersecurity program is led by an experienced team that creates cybersecurity policies and procedures and possesses expert knowledge related to controls and safeguards related to cybersecurity.

Led by our CIO, our cybersecurity team is responsible for assessing and managing risks from cybersecurity threats. The CIO receives reports on cybersecurity threats from the cybersecurity team on an ongoing basis and in conjunction with the CSRO, regularly reviews risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. Our CIO and CSRO work closely with our legal team to oversee compliance with legal, regulatory and contractual security requirements.

Our CIO has more than 35 years of experience working in information technology including roles in the commercial software development, healthcare, industrial and professional services sectors. While in those roles, our CIO has led governance, risk, and compliance technology programs and information security programs. The CIO currently reports to the CFO.

Our CSRO has more than 23 years of experience working in information technology and cybersecurity roles including software development, identity and access management projects, privilege account management and multi-factor authentication implementations. While in those roles, our CSRO has led projects and implementations for a variety of organizations that assess and create solutions for security concerns. The CSRO currently reports to the CIO.

Supporting the CIO and CSRO is a dedicated cybersecurity team that designs and monitors our cybersecurity control framework as well as implements cybersecurity control systems and solutions. Our cybersecurity team collectively holds the following degrees and certifications: Master’s in Cybersecurity, Certified Information Systems Security Professional, Security+, Network+, AQS Certified Cloud Practitioner and Certified Information Systems Auditor.
Company Information
Name | HORTON D R INC /DE/ |
CIK | 0000882184 |
SIC Description | Operative Builders |
Ticker | DHI - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | September 29 |