HOVNANIAN ENTERPRISES INC 10-K Cybersecurity GRC - 2024-12-18

Page last updated on December 18, 2024

HOVNANIAN ENTERPRISES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-18 16:33:19 EST.

Filings

10-K filed on 2024-12-18

HOVNANIAN ENTERPRISES INC filed a 10-K at 2024-12-18 16:33:19 EST
Accession Number: 0001753926-24-002117


Item 1C. Cybersecurity.

Risk Management and Strategy

As part of our Enterprise Risk Management function, which is led by our Chief Financial Officer, we have implemented processes to assess, identify and manage material risks facing the Company, including from cyber threats. In fulfilling his Enterprise Risk Management responsibilities, our Chief Financial Officer collaborates closely with members of senior management and others, including outside experts. Our cybersecurity program maps to standards published by The National Institute of Standards and Technology. We believe that our processes provide us with a comprehensive assessment of potential cyber threats. On a regular basis, we conduct scans, penetration tests and vulnerability assessments of our systems. Our processes to assess, identify and manage the material risks from cyber threats includes risks arising from threats associated with third-party service providers, including cloud-based platforms.

We have developed a robust Cybersecurity Incident Response Plan which provides a documented framework for assessing cyber threats, managing high severity security incidents and facilitating coordination across multiple platforms throughout the Company and with outside agencies like the Federal Bureau of Investigation. Our cybersecurity team uses advanced tools to constantly monitor emerging threats and respond to potential cybersecurity incidents. In addition, we periodically perform simulations and drills, including tabletop exercises, aimed at evaluating the Company’s cybersecurity preparedness.

Internally, we have a Cybersecurity Awareness Program which includes annual training that reinforces our information technology and security policies, standards and practices. Our annual training includes education on how to identify potential cybersecurity risks and ways to protect our resources and information. This training is mandatory for all associates on an annual basis, and it is supplemented by testing initiatives, including periodic phishing tests. In addition, we distribute ongoing educational communications, such as newsletters on cybersecurity awareness and hot topics, throughout the year. We also provide additional specialized security training for our cybersecurity operations team, including attendance at cybersecurity conferences and training seminars, breach simulation exercises and personal accreditation training.

From time to time, we engage third-party vendors or service providers to enhance our risk mitigation efforts. For instance, we have periodically engaged an independent cybersecurity advisor to lead a live cybersecurity crisis simulation exercise with our senior management to prepare for a possible cybersecurity incident. In addition, we have engaged other outside assessors, consultants and third parties in connection with enhancing our cybersecurity program.

We purchase insurance to protect us against the risk of cybersecurity breaches. Our Enterprise Risk Management function, along with our insurance broker, are responsible for our insurance programs and on a consistent basis our cybersecurity insurance policies are reviewed to assess whether we have appropriate coverage. Enterprise Risk Management also presents updates on our cybersecurity liability insurance to our Board of Directors, including industry claims data and benchmarking.

To date, risks from cybersecurity threats have not materially affected us, and we currently do not expect that the risks from cybersecurity threats are reasonably likely to materially affect us, including our business, strategy, results of operations or financial condition. That said, the sophistication of cyber threats continues to increase, and the preventative actions the Company takes to reduce the risk of cyber incidents and protect its systems and information may be insufficient. No matter how well designed or implemented the Company’s cybersecurity controls are, it will not be able to anticipate all security breaches, and it may not be able to implement effective preventive measures against cybersecurity breaches in a timely manner. See Item 1A "Risk Factors - Information technology failures and data security breaches could harm our business."

Governance

Role of the Board

Our Enterprise Risk Management function is part of our Board of Directors’ overall risk management oversight process, which includes regular meetings to identify and evaluate both short and long-term risks and develop plans to manage such risks effectively. In addition, our Board of Directors established a Cybersecurity Subcommittee of the Corporate Governance and Nominating Committee of the Board of Directors in fiscal 2018 that receives regular updates from our cybersecurity operations team to assess the primary cybersecurity risks facing the Company, including, among other things, the status of projects to strengthen our information security systems, results of assessments performed as part of our Cybersecurity Awareness Program, the measures the Company is taking to mitigate cybersecurity risks and our views of the emerging threat landscape. Reports from outside experts who have been engaged by the Company to review and advise on cybersecurity preparedness are also shared with the Cybersecurity Subcommittee. The Cybersecurity Subcommittee regularly reports to the Board of Directors on the oversight work the subcommittee has performed.

Additionally, the Audit Committee of the Board of Directors is responsible for the primary oversight of our Enterprise Risk Management function, which includes an evaluation of cybersecurity risks and threats. In addition to the updates the Cybersecurity Subcommittee provides the Board of Directors, the Board of Directors and Audit Committee receive regular updates from management, including the Chief Information Officer and members of his team, as to changes in our cybersecurity risk profile and/or significant newly identified risks. Our Chief Financial Officer reports directly to both the Audit Committee as well as our Chairman, Chief Executive Officer and President and is responsible for reporting to each on our Company-wide Enterprise Risk Management function.

Role of Management

Our Chief Information Officer, together with our cybersecurity operations team, maintains 24/7 monitoring and is responsible for the day-to-day procedures related to our cybersecurity risks. We have established an Executive Incident Response Team, which includes our Chief Financial Officer, Chief Information Officer, Vice President, Risk Management, Vice President, Corporate Counsel and other senior officers, which meets at least bi-annually to review our cybersecurity posture and discuss information security matters. The Executive Incident Response Team has primary oversight responsibility for assessing and managing technology and operational risk, including but not limited to, information security, fraud, vendor, data protection and privacy, business continuity and resilience, and cybersecurity risks.

We use our Cybersecurity Incident Response Plan as part of the process to keep our management, Board of Directors, Audit Committee and Cybersecurity Subcommittee informed about, and to monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents. The policy is a set of coordinated procedures and tasks that our cybersecurity operations team, under the direction of the Chief Information Officer, executes with the goal of preventing cyber incidents through early detection. In the event there is a cybersecurity incident, the framework is designed to help mitigate the impact and ensure a timely and accurate response.

Our cybersecurity framework includes regular assessments to ensure we are following our internal policies and standards, as well as applicable state and federal statutes or regulations. In addition, we validate compliance with our internal data security controls through the use of security monitoring utilities and internal and external audits.

Our Cybersecurity management team has extensive experience in the information technology area, including cybersecurity. In particular, our Chief Information Officer has over 25 years of experience managing information technology systems and eight years of experience leading cybersecurity initiatives in the information security area.


Company Information

Name: HOVNANIAN ENTERPRISES INC
CIK: 0000357294
SIC Description: Operative Builders
Ticker: HOV - NYSE; HOVNP - Nasdaq; HOVVB - OTC
Website:
Category: Accelerated filer
Fiscal Year End: October 30