M/I HOMES, INC. 10-K Cybersecurity GRC - 2025-02-14

Page last updated on February 14, 2025

M/I HOMES, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-14 10:45:26 EST.

Filings

10-K filed on 2025-02-14

M/I HOMES, INC. filed a 10-K at 2025-02-14 10:45:26 EST
Accession Number: 0000799292-25-000018

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY The Company’s Chief Information Officer (“CIO”) leads our Information Security Committee (a taskforce comprised of senior representatives from primary corporate functions, mortgage and title operations, IT infrastructure, IT security, and external security consultants) , which is responsible for developing, updating, implementing and maintaining our cybersecurity strategy, policy (which leverages the NIST CSF framework), standards, architecture, and processes. The Company has integrated cyber security into its annual risk assessment process. This process identifies critical assets and assesses those assets for potential threats and vulnerabilities. Risks are prioritized based on their impact and likelihood. Controls are assessed to ensure the Company’s controls are appropriate to mitigate risks. It also allows us to identify any gaps that we need to focus on. These gaps are typically part of the Information Security Committees risk register. The Information Security Committee meets quarterly and continuously monitors and re-evaluates risks through this risk register, which was initially developed using the NIST CSF framework. The CIO provides annual reports to our Board of Directors, and periodic reports to our Chief Executive Officer (“CEO”), Chief Financial Officer (“CFO”) and Chief Accounting Officer (“CAO”), and other members of senior management, regarding existing and emerging cybersecurity risks and threats, the status of projects intended to strengthen our information security systems, and assessments of our information security program. Members of senior management are notified by our Information Security Committee if any cybersecurity incident leads to a breach or loss of any data. These members of senior management are responsible for promptly determining if such an incident is material and notifying our CEO, CFO and our Board of Directors of the material incident and the impact that the incident has had, and is expected to have, on the Company’s reputation, results of operations, financial condition, and business strategy. The Company engages third-party auditors and consultants to evaluate and assist the Company in responding to cybersecurity threats and incidents, and, if necessary, monitoring any exposure of confidential company or customer data. The Company also actively engages with key vendors, industry participants, and intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies, procedures and strategy, assess our security status, and align our cybersecurity practices with current and emerging cybersecurity risks. We conduct thorough security assessments of all third-party service providers before engagement and perform regular monitoring of the third-party service providers’ hosted applications designed to ensure compliance with our cybersecurity standards. This occurs through annual assessments by our internal audit function of the third party’s System and Organization Controls (“SOC”) 1 or SOC 2 report or through additional user access reviews by the internal business owner if a SOC 1 or SOC 2 report is unavailable. Our CIO and his security management team possess primary responsibility for identifying, assessing, monitoring, and managing our cybersecurity risks. Our Board of Directors directly oversees cybersecurity risks, which includes conducting an annual review of the Company’s cybersecurity risks, management’s actions to identify and detect threats, management’s action plans for response and recovery situations, and review of recent enhancements to the Company’s defenses and strategic cybersecurity roadmap. In addition, the Audit Committee receives quarterly cybersecurity updates, which include a review of new processes implemented to monitor cyber risks, and a summary of any recent threats and the Company’s response to those threats. Our CIO has over 30 years of experience in information technology, including a deep understanding of information technology governance, regulatory compliance and familiarity with the software, tools and programs used by his security management team to identify vulnerabilities, investigate incidents and implement appropriate security measures. In addition, our security management team maintains appropriate and relevant levels of education and certifications, such as Certified Information Security Manager (CISM) and Certified Ethical Hacker (CEH). Furthermore, all employees are required to complete a biannual security awareness training course focusing on data protection, phishing prevention, and credential protection. As of the date of this report, we are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. However, we face a number of cybersecurity risks in the normal course of our business and, from time to time, experience threats to our data and systems, including malware and computer virus attacks. Notwithstanding the extensive measures we employ to address cybersecurity risks, we may not be successful in preventing or mitigating a cybersecurity incident that would be reasonably likely to materially affect us. Although we maintain cybersecurity insurance, the costs we incur related to cybersecurity threats or disruption may not be fully insured. See “Item 1A. Risk Factors” in Part I of this Annual Report on Form 10-K for more information regarding the risk factors associated with cybersecurity risks. 25

Company Information