Page last updated on January 24, 2025
KB HOME reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-01-24 16:26:12 EST.
Filings
10-K filed on 2025-01-24
KB HOME filed a 10-K at 2025-01-24 16:26:12 EST
Accession Number: 0000795266-25-000014
Item 1C. Cybersecurity.
Item 1C - Cybersecurity in this report. Our systems have faced a variety of phishing, denial-of-service and other attacks and occasional theft of encrypted employee laptops. To help counter the growing volume and sophistication of cyberattacks, including the potential of fraudulently inducing our employees, customers, trade partners and other third parties to disclose information or unknowingly provide access to systems or data, as well as state and other actors using artificial intelligence technology, we have implemented administrative, physical and multi-layered technical controls and processes to help address and mitigate cybersecurity risks and protect our IT resources, including employee education and awareness training, as well as third-party assessments. Our technical defense layers are designed to provide multiple, overlapping measures to protect against exploitation of a vulnerability that may arise or if a security control fails. For these defenses, we rely on a combination of artificial intelligence, machine learning computer network monitoring, malware and antivirus resources, firewall systems, vendor cloud service defenses, internet address and content filtering monitoring software that secures against known malicious websites and potential data exfiltration, and a variety of cyber intelligence threat monitoring sources that provide ongoing updates, all provided from third parties that we believe, but cannot guarantee, are capable of performing the protective service for which we have engaged them. We conduct periodic incident response tabletop exercises, with third-party support and reviews, and have established communication channels with KBHS security personnel and key partners regarding their breach and incident response processes. In addition, we perform an annual cybersecurity risk assessment to identify potential areas of focus.
We also depend on our service providers, GR Alliance and other mortgage lenders with whom we share some personal identifying and confidential information to secure our information and the homebuyer information they collect from us. Our IT security costs, including cybersecurity insurance, are significant and will likely rise in tandem with the sophistication and frequency of system attacks. However, our, GR Alliance’s and our service providers’ measures may be inadequate and possibly have operational or security vulnerabilities that could go undetected for some period of time. If our IT resources are compromised by an intentional attack, natural or man-made disaster, electricity blackout, IT failure or systems misconfiguration, service provider error, mismanaged user access protocols, personnel action, or otherwise, we may be severely limited in conducting our business and achieving our strategic goals for an extended period, experience internal control failures or lose access to operational assets or funds. A substantial disruption, or security breach suffered by GR Alliance/KBHS or a service provider, particularly our cloud service provider which hosts many of our IT resources, could damage our reputation and result in the loss of customers or revenues, in sensitive personal information being publicly disclosed or misused and/or legal proceedings against us. We may incur significant expenses to resolve such issues. While, to date, we have not had a significant cybersecurity breach or attack that had a material impact on our business or consolidated financial statements, there can be no assurance our efforts to maintain the security and integrity of these systems will be effective or that attempted security breaches, cyber-attack, data theft or disruptions would not occur in the future, be successful or damaging.
Beyond our service providers, we depend on independent third parties to handle certain processes required to complete land purchases and home closings, including title insurers and escrow/settlement companies. Should these third parties, as well as independent mortgage lenders and other firms involved in real property transactions, experience their own cybersecurity incidents or IT resource failures that disrupt or prevent their performance of necessary real estate transaction services, our ability to close on land transactions or our customers’ ability to close on their homes, as well as our production schedules and delivery forecasts, may be significantly disrupted and have a material impact on our operations or consolidated financial statements, including by causing home sales contract cancellations.
Legal and Compliance Risks.
As discussed above under Item 1 - Business in this report, our operations are subject to myriad legal and regulatory requirements, which can delay our operational activities, raise our costs and/or prohibit or restrict homebuilding in some areas. These requirements often provide broad discretion to government authorities, and they could be interpreted or revised in ways unfavorable to us. The costs to comply, or associated with any noncompliance, are, or can be, significant and variable from period to period. With respect to environmental laws, in addition to the risks and potential operational costs discussed above, we have been, and we may in the future be, involved in federal, state and local air and water quality agency investigations or proceedings for potential noncompliance with their rules, including rules governing discharges of materials into the air and waterways; stormwater discharges from community sites; and wetlands and listed species habitat protection.
We could incur penalties and/or be restricted from developing or building at certain community locations during or as a result of such agencies’ investigations or findings. Additionally, we are involved in legal, arbitral or regulatory proceedings or investigations incidental to our business, the outcome or settlement of which could result in material claims, losses, monetary damage awards, penalties, or other direct or indirect payments recorded against our earnings, or injunctions, consent decrees or other voluntary or involuntary restrictions or adjustments to our business operations or practices. Any adverse results could be beyond our expectations, insurance coverages and/or accruals at particular points in time. Unfavorable outcomes, as well as unfavorable investor, analyst or news reports related to our industry, company, personnel, governance or operations, may also generate negative publicity, including on social media and the internet, damaging our reputation and resulting in the loss of customers or revenues. We may also face similar reputational impacts if our sustainability initiatives or objectives and/or our social or governance practices do not meet the standards set by investors or third-party rating services. Additionally, low third-party ratings could result in our common stock being excluded from certain indexes or not being recommended for or selected by investors with certain mandates or priorities. To reduce the risks and expected significant costs of defending intra-corporate proceedings in multiple venues and to help ensure that such matters are considered within a well-established body of law, our By-Laws provide that, subject to certain exceptions, Delaware state courts are the exclusive forum for specified internal corporate affairs actions and federal courts are the exclusive forum for any action asserting a claim arising under the Securities Act of 1933, as amended. 
These provisions may limit a stockholder’s ability to bring a claim in their favored forum. At the same time, if a court were to allow for an alternative forum, or we waive the provision’s application, for a particular matter, we may incur additional costs associated with resolving an otherwise relevant action in another jurisdiction(s). The European Union and state governments, notably California and Nevada, have enacted or enhanced data privacy regulations, and other governments are considering establishing similar or stronger protections. These regulations impose certain obligations for securing, and potentially removing, specified personal information in our systems, and for apprising individuals of the information we have collected about them. We have incurred costs in an effort to address these data privacy risks and requirements, and our costs may increase significantly as risks become increasingly complex or if new or changing requirements are enacted, and based on how individuals exercise their rights. Despite our efforts, any noncompliance could result in our incurring substantial penalties and reputational damage. KBHS’ operations are heavily regulated. If GR Alliance, which oversees KBHS’ operations, or KBHS is found to have violated regulations, or mortgage investors demand KBHS repurchase mortgage loans it has sold to them, or cover their losses, for claimed contract breaches, KBHS could face significant liabilities, which, if they exceed its reserves, could result in our recognizing losses on our KBHS equity interest. Our financial results may be materially affected by the adoption of new or amended financial accounting standards, and regulatory or outside auditor guidance or interpretations.
In addition, to the extent we expand our disclosures on our sustainability initiatives in line with certain private reporting frameworks and investor requests, or the proposed SEC rules mentioned above, if adopted, our failure to report accurately or achieve progress on our metrics on a timely basis, or at all, could adversely affect our reputation, business, financial performance and growth.
Other Risks.
The risk factors described above are not our only salient risks. Political events, war, terrorism, weather or other natural/environmental disasters, and other risks that are currently unknown or are currently or may initially be seen as immaterial, could also have a material adverse impact on our business, consolidated financial statements and/or common stock’s market price.
Item 1B. UNRESOLVED STAFF COMMENTS
None.
Item 1C. CYBERSECURITY
Risk Management and Strategy.
We have policies and procedures for identifying, assessing and managing material risks associated with cybersecurity threats. To help protect our IT resources, we have instituted administrative, physical and technical controls and processes and commissioned third-party assessments. The technical defense measures we have implemented are designed to address vulnerabilities that may arise, including from a security control failure. These measures currently involve a combination of artificial intelligence; machine learning computer network monitoring; malware and antivirus resources; firewall systems; endpoint detection and response; cloud service defenses; Internet address and content filtering monitoring software intended to secure against known malicious websites and potential data exfiltration; and a variety of cyber intelligence and threat monitoring sources, which provide ongoing updates, all provided by third parties that we believe are capable of performing the service for which they have been engaged or governmental agencies.
When engaging a third party for these types of services and resources, we typically conduct a security review involving, as relevant to the service or resource, discussions with the firm’s security personnel, evaluation of auditor reports, and other requested information and documentation. We evaluate, and adjust as determined appropriate, our cybersecurity strategies and measures based on the above-noted threat monitoring sources, learnings from periodic incident response tabletop exercises in which members of senior management participate; penetration tests and scanning exercises; and an annual cybersecurity and/or cloud security risk assessment conducted with help from outside experts informed by the National Institute of Standards and Technology Cybersecurity framework. Our IT function also undertakes a specific risk review, assisted in part by independent consultants and other third parties, that is integrated into the overall annual enterprise risk management assessment the board of directors’ audit and compliance committee oversees. Our internal audit department incorporates the results from this risk review, and cybersecurity-related enhancements identified through the review, in designing and conducting its IT function audits, in some cases with a third-party firm’s assistance. To support the ongoing identification and management of cybersecurity issues, all employees are required to complete cybersecurity awareness training, including social engineering, password best practices, data classification and phishing awareness, with additional training for handling of customer personal information. We also publish a monthly security awareness newsletter along with performing ongoing internal phishing assessments. We also consider and evaluate cybersecurity risks associated with KBHS and third-party service providers that we have identified as having the greatest potential to expose us to cybersecurity threats. 
We have established due diligence procedures with KBHS and such third-party service providers, as well as communication channels as part of their breach and incident response processes. We also review annually the System and Organization Controls reports of third-party vendors hosting our data to ensure they maintain adequate access management controls including physical safeguards, disaster recovery capabilities, data privacy and notification processes, onboarding processes, incident response procedures and periodic independent testing of the vendor capabilities. We depend on our third-party service providers, KBHS and outside service providers to our customers with whom we share some personal identifying and confidential information to secure the information they receive from us. Our business strategy, results of operations, or financial condition may be materially affected if our IT resources are compromised, whether by an intentional attack, natural or man-made disaster, electricity blackout, IT/cybersecurity failure, systems misconfiguration, denial-of-service attacks, service provider error, mismanaged user access protocols, personnel action, or otherwise, as we may be severely limited in conducting operations for an extended period, experience internal control failures, be cut off from assets or funds, face reputational damage, lose customers and related revenues and/or have private party or governmental legal proceedings instituted against us, and incur significant expenses to resolve any such issues. Similar impacts may result from a substantial disruption, or security incident or breach KBHS or an outside service provider to our customers suffers, which could also result in sensitive personal information being publicly disclosed or misused.
Governance.
Our management is responsible for the ongoing assessment of, and for developing and implementing our strategies and measures to address, material cybersecurity risks.
Our board of directors through its audit and compliance committee oversees management’s cybersecurity assessment activities and protective strategies and measures. This includes engaging in periodic reviews with management covering, among other things, our cybersecurity practices and risks. Our chief information officer (“CIO”) periodically provides this review to the audit and compliance committee, with the most recent review conducted in January 2025. The CIO, who has more than 34 years of experience in IT and cybersecurity, is supported by a chief information security officer and various employees and dedicated contract personnel experienced with IT and cybersecurity matters who are responsible for procuring, using, maintaining, updating and evaluating the cybersecurity measures detailed above. These individuals also hold numerous cloud, security and privacy certifications. Our IT function, which is led by the CIO, maintains and is initially responsible for executing on a cybersecurity incident response plan and specific runbooks, which describe processes for evaluating and escalating, depending on severity, within the enterprise and up to our senior executive management and board of directors the cybersecurity threats and incidents, or potential threats or incidents, identified through our cybersecurity measures, as well as making public disclosures thereof. This team also maintains other policies and procedures concerning cybersecurity matters, such as encryption standards, antivirus protection, remote access, multifactor authentication, data classification, confidential information and the use of the internet, social media, email and wireless devices. We also maintain insurance coverage for cybersecurity insurance as part of our overall insurance portfolio. Our IT systems have faced a variety of phishing, denial-of-service and other attacks.
Although we have not identified any cybersecurity incidents during the fiscal years covered by this report that have materially affected or are reasonably likely to materially affect our business strategy, consolidated results of operations or consolidated financial condition, we can provide no assurance that our security measures will be successful and therefore we may experience a cybersecurity incident that materially affects our business strategy, consolidated results of operations, consolidated financial condition or reputation, including, but not limited to those described above. For more information about the cybersecurity risks we face, see Item 1A - Risk Factors.
Company Information
Name | KB HOME |
CIK | 0000795266 |
SIC Description | Operative Builders |
Ticker | KBH - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | November 29 |