Toll Brothers, Inc. 10-K Cybersecurity GRC - 2024-12-20

Page last updated on December 20, 2024

Toll Brothers, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-20 16:05:05 EST.

Filings

10-K filed on 2024-12-20

Toll Brothers, Inc. filed a 10-K at 2024-12-20 16:05:05 EST
Accession Number: 0000794170-24-000051


Item 1C. Cybersecurity.

Risk Management and Strategy

We have established processes and policies for assessing, identifying and managing material risks posed by cybersecurity threats. Our processes and policies are based upon the National Institute of Standards and Technology (NIST) Cybersecurity Framework with our processes focused on: (i) developing organizational understanding to manage cybersecurity risks, (ii) applying safeguards to protect our systems, (iii) detecting the occurrence of a cybersecurity incident, (iv) responding to a cybersecurity incident and (v) recovering from a cybersecurity incident. Where appropriate, these processes and policies are integrated into our overall risk management systems and processes.

We take a risk-based approach to cybersecurity, with processes that include:

- requiring our employees with network access to complete information security and privacy training on an annual basis;
- continuously working to improve our information technology systems and providing employee awareness training around phishing, malware, and other cyber risks to enhance our levels of protection;
- conducting penetration testing with the assistance of outside consultants at least annually to assess vulnerabilities and use feedback from those exercises to improve our processes and defenses;
- conducting tabletop exercises with the assistance of outside consultants to assess and improve where appropriate our processes and policies; and
- conducting diligence, and seeking engagements of, sophisticated, cloud-based third-party service providers for certain critical functions.

We have engaged knowledgeable third parties to assist us in establishing and improving our policies, and monitoring and responding to cyber threats. Our processes and policies include the identification of those third-party relationships that have the greatest potential to expose us to cybersecurity threats and, upon identification, we conduct additional due diligence as a part of establishing those relationships. We also manage risks related to cybersecurity by maintaining insurance coverage as part of our overall insurance portfolio. For additional information concerning cybersecurity risks we face, see “Item 1A Risk Factors - Information technology failures or data security breaches could harm our business”.

Governance

Our Board of Directors has delegated the primary responsibility to oversee cybersecurity matters to our Audit and Risk Committee. Our Audit and Risk Committee regularly reviews the measures implemented to identify and mitigate data protection and cybersecurity risks. As part of such reviews, our Audit and Risk Committee receives quarterly reports and presentations from team members responsible for overseeing our cybersecurity risk management, including our Chief Information Officer (CIO), which address a wide range of topics, including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and information security considerations arising with respect to our peers and third parties.

At the management level, our cybersecurity program is managed by our CIO. Our CIO joined the Company in 2014 and has over 20 years of experience leading information technology teams, including with respect to cloud-based system integration, strategic IT transformations, and the unification, standardization and implementation of technological solutions. Our CIO is supported by our information security team, which is led by our Director of Information & Cybersecurity who has over 20 years of experience in information security, and which is tasked with monitoring, detecting, preventing and responding to cyber incidents.

We have also engaged a team of dedicated professionals employed by our cybersecurity consultant, which includes our Chief Information Security Officer (CISO). Our CISO has extensive experience assessing and managing cybersecurity programs and cybersecurity risk and has over 25 years of experience in information security. His background includes technical experience, strategy and architecture focused roles, cyber and threat experience, and various leadership roles in all areas of information technology.

Pursuant to our Information Technology Incident Response Plan (IRP), when a cybersecurity event has been identified through our detection processes, it is assessed in order to determine whether the event is a cybersecurity incident. Our IRP designates the primary manager of a cybersecurity incident, describes the parties who should be informed about the incident and outlines the processes for containment, eradication, recovery and resolution of the incident. Depending on the severity and impact of a cybersecurity threat, members of our senior management team, the Audit and Risk Committee and the full Board of Directors are notified of an incident and kept informed of the mitigation and remediation of the incident. We are not aware of any material cybersecurity incidents in the last three years.


Company Information

Name: Toll Brothers, Inc.
CIK: 0000794170
SIC Description: Operative Builders
Ticker: TOL - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: October 30