Page last updated on February 20, 2025
eXp World Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 16:14:31 EST.
Filings
10-K filed on 2025-02-20
eXp World Holdings, Inc. filed a 10-K at 2025-02-20 16:14:31 EST
Accession Number: 0001558370-25-001223
Item 1C. Cybersecurity.
We recognize the critical importance of creating a multifaceted defense-in-depth cybersecurity ecosystem to protect the confidentiality, integrity, and availability of Company systems and data.

Managing Material Risk

The Company’s approach to risk management is tailored to its reporting segments. FrameVR.io, which was moved to the North American Realty segment during the first quarter of 2025, independently identifies, assesses, and manages its material risk from cybersecurity threats, and North American Realty, International Realty, and, recently, Other Affiliated Services, operate under a joint risk framework due to the similarities in cybersecurity risk they face. While educational resources about cybersecurity risks are shared amongst Information Technology (“IT”) staff across segments, segment-specific IT staff are empowered to evaluate and address cybersecurity risks within their reporting segment in alignment with the Company’s overall business objectives and operational needs. Where required, IT staff in each reporting segment may communicate with their counterparts in different reporting segments or with executive management of the Company to ensure compliance with cybersecurity incident and data breach reporting requirements under applicable law. Staff across all segments are required to complete company facilitated cybersecurity training at least annually.

Engage Third Parties on Risk Management

Understanding the complexity and evolving nature of cybersecurity threats, each reporting segment may engage with a range of external experts, including cybersecurity assessors and consultants, to assess, identify, and manage material risks posed by cybersecurity threats, as determined by each reporting segment. Each reporting segment may enable external technologies and specialists, as deemed necessary by the reporting segment, to test, alert, and report on the Company’s various computing ecosystems.
These external assets allow the reporting segment leaders to leverage cybersecurity tools applicable to their segment’s risks, ensuring our cybersecurity strategies and processes continue to align with business objectives and operational needs. Segment personnel that engage such third-parties collaborate with these third-parties to review and discuss vulnerabilities and threats, consult on security enhancements for better risk identification, and audit risk management systems.

Oversee Third-Party Risk

The Company recognizes that third-party service providers may introduce cybersecurity risks related to access to certain systems and data. The Company’s cybersecurity processes include documentation of certain third-party service providers’ security postures, with risk-related information recorded in TrustArc or similar internal tracking tools. Where applicable, these processes involve requesting third-party audit reports. Certain third-party relationships, including individual AI licenses and vendors onboarded through non-IT channels, may not be documented or reviewed as part of the Company’s cybersecurity processes. Where applicable, the Company maintains written contractual provisions requiring third-party service providers to report security incidents. Any information obtained through such reporting may be reviewed and recorded by security personnel. The Company does not routinely provide feedback to third parties on identified risks but may document available security information to facilitate internal awareness.

Risk of Cybersecurity Threats

To date, the Company has not identified a cybersecurity threat in any reporting segment, including as a result of any previous cybersecurity incidents, that has or is reasonably likely to have a current or future material effect on our business strategy, financial condition, results of operations, liquidity, capital expenditures, or capital resources.
For more information regarding risks from cybersecurity threats, see “Item 1A - Risk Factors” in this Annual Report, in particular under the caption “Cybersecurity incidents could disrupt our business operations, result in the loss of critical and confidential information, adversely impact our reputation and harm our business.”

Cybersecurity Governance

The Company’s Board of Directors (the “Board”) is aware of the critical nature of managing risks associated with cybersecurity threats and meets regularly to discuss managing risk from cybersecurity threats, among other risks facing the Company. The Board has established oversight mechanisms to manage risks associated with cybersecurity threats.

Board of Directors Oversight

The Board’s Nominating and Corporate Governance Committee is central to the Board’s oversight of cybersecurity risks and bears the primary responsibility for cybersecurity risk oversight. When required, additional information is provided from the IT management from North American Realty and additional staff for each reporting segment for further insight and analysis. The Company is continually monitoring its cybersecurity oversight, strategy and governance for improvement and refinement.

Management’s Role Managing Risk

The Company’s Chief Technology Officer (“CTO”) oversees cybersecurity risks for North American Realty, International Realty, and, as of recently, Other Affiliated Services; provided, however, that cybersecurity risk management for FrameVR.io, which was moved to the North American Realty segment during the first quarter of 2025, is overseen by the Vice President of FrameVR.io, in consultation with the CTO as requested.
The CTO provides comprehensive briefings to the Nominating and Corporate Governance Committee on a quarterly basis covering a broad range of topics, including, without limitation:

● Current cybersecurity landscape and emerging threats;
● Status of ongoing cybersecurity initiatives and strategies within his purview;
● Incident reports and learnings from any cybersecurity events; and
● Compliance with regulatory requirements and industry standards.

The CTO receives updates on any significant developments in the cybersecurity domain from North American (excluding FrameVR.io), International Realty, and, recently, Other Affiliated Services which the CTO then reports to the Nominating and Corporate Governance Committee, ensuring the Board’s oversight is proactive and responsive. Personnel from FrameVR.io are empowered to report cybersecurity risk to their respective leaders who may then report to the Nominating and Corporate Governance Committee directly or funnel such reporting to the CEO.

Risk Management Personnel

Primary oversight and responsibility for managing the Company’s cybersecurity risks resides with the CEO. With over 25 years of experience in technology leadership, entrepreneurship, and real estate innovation, his expertise lies in leveraging technology to transform traditional industries, including pioneering the first fully cloud-based real estate brokerage model. The CEO’s career began in the technology sector, where he founded eShippers.com, an eCommerce and logistics platform that integrated online storefronts with a national fulfillment network. This experience in developing scalable, technology-driven solutions laid the groundwork for his later success in building the Company. His vision for integrating advanced IT systems into real estate has driven eXp Realty’s growth to over 82,000 agents across 24 countries.
He holds a degree in Economics and Computer Science from the University of Oklahoma, which supports his ability to align technology initiatives with strategic business goals. Under the CEO’s leadership, the Company continues to innovate through immersive virtual environments, advanced data systems, and scalable global operations, ensuring its position as a leader in real estate technology.

Accompanying the CEO with the development of the security ecosystem is key personnel at each reporting segment, including:

● North American Realty and International Realty’s Chief Innovation Officer. The person in this role has over 20 years of experience as a technologist, startup founder, and technology executive with expertise in software development, product management, and real estate technology innovation. He holds a Bachelor of Arts from the College of Charleston and has led transformative technology initiatives, including two successful PropTech startup exits.
● North American Realty and International Realty’s Chief Technology Officer. The person in this role has over 20 years of experience leading global technology teams, delivering innovative software solutions, and driving business transformation. He is experienced in building and delivering secure, scalable technology solutions, with a focus on software reliability, data integrity, and secure system architecture. He is also actively expanding his expertise in cybersecurity, focusing on cloud security, threat mitigation, and risk management to strengthen enterprise system protection. He holds a Master of Science in Computer Science and a Bachelor of Engineering in Mechanical Engineering. He also completed a postgraduate degree in AI and machine learning from the University of Texas at Austin.
● North American Realty and International Realty’s Senior Director of Information Security.
The person currently in this role has over 25 years of experience managing enterprise level cyber security programs in various industries in addition to having a Bachelor of Science in Information Technology Management and is a Certified Information Security Manager (CISM), along with ITIL and ISO certifications.
● North American Realty and International Realty’s Senior Director of Data Privacy & GRC. The person in this role has over 15 years of experience in data privacy, governance, and compliance, with expertise in managing enterprise-wide privacy programs and mitigating regulatory risks. She holds a Master of Public Administration and a Bachelor of Science in Political Science, both from Kennesaw State University, and is a Certified Information Privacy Manager (CIPM) and Certified Data Privacy Solutions Engineer.
● Vice President, FrameVR.io. The person currently in this role has a Master in Education Technology and a decade working at the intersection of collaboration and spatial computing as a developer and technical product manager. They also have general experience working with information security and privacy frameworks such as SOC-2, GDPR, and COPPA. The Vice President of FrameVR.io reports to the CIO.

Monitoring Cybersecurity Incidents

Daily security assessments, alert monitoring, and the management of cybersecurity threats are the responsibility of each reporting segment and each reporting segment deploys an approach that is tailored to their risk environment within the Company and its overall business objectives. Notwithstanding the foregoing, FrameVR.io is independently responsible for its assessments, alert monitoring, and management of cybersecurity threats. When appropriate, each reporting segment escalates information to the CEO of the Company or CTO to ensure awareness of relevant cybersecurity risks across the reporting segments and to enable required incident management procedures applicable to each reporting segment.
The reporting segments and FrameVR.io provide information and analysis to aid in the remediation of cybersecurity incidents.

Reporting to Board of Directors

The CTO, together with reporting segment and FrameVR.io key personnel listed above and with input from the CEO, inform the Nominating and Corporate Governance Committee of relevant material aspects related to cybersecurity risks and threats. This ensures the highest levels of oversight are aware and updated about the cybersecurity posture and potential risks facing the Company. Furthermore, cybersecurity incidents, strategic risk management decisions, and materiality analysis are escalated to the Board, ensuring that they have comprehensive oversight and can provide guidance on critical cybersecurity issues.
Company Information
Name | eXp World Holdings, Inc. |
CIK | 0001495932 |
SIC Description | Real Estate Agents & Managers (For Others) |
Ticker | EXPI - Nasdaq |
Category | Large accelerated filer |
Fiscal Year End | December 30 |