PULTEGROUP INC/MI/ 10-K Cybersecurity GRC - 2025-02-06

Page last updated on February 6, 2025

PULTEGROUP INC/MI/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-06 14:08:23 EST.

Filings

10-K filed on 2025-02-06

PULTEGROUP INC/MI/ filed a 10-K at 2025-02-06 14:08:23 EST
Accession Number: 0000822416-25-000007

Item 1C. Cybersecurity.

Risk Management and Strategy

We have established processes and policies for assessing, identifying, and managing material risks posed by cybersecurity threats. Our processes and policies are designed to be based upon the National Institute of Standards and Technology (NIST) Cybersecurity Framework with our processes focused on: (i) developing organizational understanding to manage cybersecurity risks, (ii) applying safeguards to protect our systems, (iii) detecting the occurrence of a cybersecurity incident, (iv) responding to a cybersecurity incident and (v) recovering from a cybersecurity incident. Where appropriate, these processes and policies are integrated into our overall risk management systems and processes. For instance, all of our employees with network access are required to complete information security and privacy training on an annual basis. We are also frequently working to improve our information technology systems and provide employee awareness training around phishing, malware, and other cyber risks to enhance our levels of protection.

We have engaged independent consultants and other third-parties to assist us in establishing and improving our policies. We conduct tabletop simulation exercises with outside consultants at least annually to test our processes and policies and use feedback from those exercises to improve our processes. Our senior management team members are active participants in each of those exercises, and members of the Audit Committee of our Board of Directors have participated in some of those exercises as well.

Our processes and policies include the identification of those third-party relationships that have the greatest potential to expose us to cybersecurity threats and, upon identification, we conduct additional due diligence as a part of establishing those relationships. We also maintain insurance coverage for cybersecurity matters as part of our overall insurance portfolio.

For additional information concerning cybersecurity risks we face to our business strategy, results of operations and financial condition, see Item 1A Risk Factors - Information technology failures or data security breaches could harm our business and result in substantial costs.

Governance

Cybersecurity and risks related to our information technology and other computer resources are an important focus of our Board of Directors’ risk oversight. Our Audit Committee receives materials on a frequent basis to address the identification and status of information technology cybersecurity risks, and management, including our Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”), provides quarterly updates to our Audit Committee and an update to our Board of Directors at least annually with respect to cybersecurity matters. Our Audit Committee regularly reviews and discusses with management the strategies, processes, procedures, and controls pertaining to the management of the Company’s information technology operations, including cybersecurity risks. This enables management to provide oversight, set risk tolerances, and support a comprehensive cybersecurity program that manages material cybersecurity risks to the Company.

Aspects of the information systems of our Homebuilding operations and our Financial Services operations are separate and distinct, and, prior to the third quarter of 2024, each operation had a separate CIO and CISO. In August of 2024, our information technology operations were centralized under a single CIO and a single CISO, each with enterprise-wide responsibilities. Our CISO reports to our CIO and is responsible for managing the information security team and working to ensure the team is assessing and managing cybersecurity risks in accordance with our processes and procedures. Our CIO has over 30 years’ experience managing enterprise information technology systems. Our CISO has over 25 years’ experience working in information technology and cybersecurity roles and is a certified information security manager as certified by the Information Systems Audit and Control Association (ISACA).

Pursuant to our Cybersecurity Incident Response Plan (“CIRP”), when a cybersecurity event has been identified through our detection processes, it is assessed in order to determine whether the event is a cybersecurity incident. Our CIRP designates the primary manager of a cybersecurity incident, describes the parties who should be informed about the incident, and outlines the processes for containment, eradication, recovery, and resolution of the incident. Depending on the severity and impact of a cybersecurity threat, members of our senior management team and Board of Directors are notified of an incident and kept informed of the mitigation and remediation of the incident. We are not aware of any material cybersecurity incidents in the last three years.


Company Information

Name: PULTEGROUP INC/MI/
CIK: 0000822416
SIC Description: Operative Builders
Ticker: PHM - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30