LENNAR CORP /NEW/ 10-K Cybersecurity GRC - 2025-01-23

Page last updated on January 23, 2025

LENNAR CORP /NEW/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-01-23 17:25:12 EST.

Filings

10-K filed on 2025-01-23

LENNAR CORP /NEW/ filed a 10-K at 2025-01-23 17:25:12 EST
Accession Number: 0001628280-25-002404

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy We rely extensively on information technology (“IT”) systems, including Internet sites, data hosting facilities and other hardware and software platforms, some of which are hosted by third parties, to assist in conducting our businesses. These systems, like those used by most companies, may be vulnerable to a variety of disruptions, including, but not limited to, those caused by natural disasters, telecommunications failures, hackers, and other security issues. Moreover, these IT systems, like those used by most companies, are subject to the possibility of computer viruses or other malicious codes, and to security breaches, cyber incidents, ransomware attack or phishing-attacks. Cybersecurity is an integral part of risk management at our Company, and we maintain a comprehensive process for assessing, identifying and managing material risks from cybersecurity threats, which is part of our overall risk management system and processes. We have installed and continually upgrade an array of protections against cyber-intrusions. Our cybersecurity risk management processes are based upon the National Institute of Standards and Technology (NIST) Cybersecurity Framework, as well as various other regulatory requirements and industry-specific standards. We implement risk-based controls to protect our information, the information of our customers, suppliers, and other third parties, our information systems, our business operations, and our products and related services. These controls include multifactor authentication on all critical systems, firewalls, encryption, anti-virus protections, intrusion detection and prevention systems and identity management systems. We provide mandatory cybersecurity awareness training of threats to associates at least annually and routinely deploy simulated phishing tests to increase security awareness. Our IT team regularly tests our controls through penetration testing, vulnerability scanning, internal compliance assessments, threat-hunting operations and attack simulation. Additionally, in connection with our cybersecurity risk management processes, from time to time, we engage independent third parties to assess our cybersecurity program and to assist us with defining our cybersecurity strategy, uplifting our processes and aligning our objectives. Outside counsel has also advised the Board about legal obligations in managing cybersecurity issues and risks. We maintain a cybersecurity incident response plan, which provides a framework for handling cybersecurity incidents based on, among other factors, the potential severity of the incident and facilitates cross-functional coordination across the Company. We also conduct “tabletop” exercises, including exercises facilitated by third parties, during which we simulate cybersecurity incidents to ensure that we are prepared to respond to such an incident and to highlight any areas for potential improvement in our cybersecurity incident response plan. These exercises are conducted at both the technical level and senior management level and have included participation by members of our Board. Our cybersecurity risk management processes extend to the oversight and identification of threats associated with our use of third-party service providers, including through due diligence of such providers’ cybersecurity practices, contractual obligations to operate their IT systems in accordance with certain cybersecurity standards and ongoing monitoring. Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previous cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks and any future material incidents . See “Risk Factors” in Item 1A of this Annual Report on Form 10-K for more information on risks from cybersecurity threats that are reasonably likely to materially affect our business strategy, results of operations and financial condition. Governance Management Our Chief Technology Officer (“CTO”) is responsible for assessing and managing our material risks from cybersecurity threats. We have also established a cross-functional Cyber Steering Committee, which includes our CTO, Chief Information Security Officer (“CISO”), General Counsel, certain business leaders on a rotating basis and representatives of human resources and communications. The CISO, supported by inputs from the CTO team leads, delivers quarterly updates to the Committee on key risks and overall security program posture, as well as monthly strategic updates to the CTO on high visibility and key action items. Our CTO regularly reports to our Board and the Audit Committee. Our CTO has served in this role since 2023 and has over 25 years of experience in the technology industry. Prior to his current role, he served as the CTO of Tyson Foods and before arriving at Tyson, he was the Chief Information Officer at Hewlett Packard, and then CIO at Hewlett Packard Enterprise. Board of Directors Our Audit Committee is responsible for the oversight of cybersecurity risks and receives a cybersecurity report from our CTO at least quarterly, and more often as needed, including in the event of a significant cybersecurity incident. The report includes information regarding the nature of threats, defense and detection capabilities, incident response plans and associate training activities. Our Board retains responsibility for the oversight of our overall risk management systems and processes and is briefed our CTO on cybersecurity risks on a quarterly basis.

Company Information