Meritage Homes CORP 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 20, 2025

Meritage Homes CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 15:26:11 EST.

Filings

10-K filed on 2025-02-20

Meritage Homes CORP filed a 10-K at 2025-02-20 15:26:11 EST
Accession Number: 0000833079-25-000021


Item 1C. Cybersecurity.

Risk Management and Strategy

Our ability to conduct our business may be impaired, or our customer and employee personal information may be vulnerable, if our IT resources are compromised, degraded, damaged or fail. Such events may include, but are not limited to: a virus or other harmful circumstance; intentional penetration or disruption of our information technology resources by a third party; natural disaster; hardware or software corruption or failure or telecommunications system failure; service provider error or failure; intentional or unintentional personnel actions (including the failure to follow our security protocols); or lost connectivity to our networked resources.

We prioritize cybersecurity and data privacy. Our IT department is responsible for coordinating the protection of our information systems and the data they maintain.

Cybersecurity is an integral part of the Company’s Enterprise Risk Management (“ERM”). In order to manage technology risk and secure technology ecosystems, our information security framework is based on the National Institute of Standards and Technology (“NIST”) principles, which we execute through our adherence to the Center for Internet Security (“CIS18”) control framework. The CIS18 framework provides us the ability to align measurable controls to actions and benchmark against recognized standards. Using these recognized industry standards, we approach cyber risk management utilizing multiple layers of policies and technology to detect, protect against, and respond to cyberattacks.

Following our multi-pronged approach to protecting our systems and data, we:

- administer monthly mandatory ongoing information security training for all employees throughout the year;
- maintain security protocols and internal security controls;
- maintain a privacy policy that governs our collection, processing, and securing of personal information;
- limit collection and storage of information regarding our customers, suppliers and employees;
- use a zero trust network that verifies the device and user identity while restricting network access to only what is needed;
- limit access to network resources to only devices that are owned and administered by the Company;
- require multi-factor authentication for all employee user accounts;
- maintain application-aware firewalls to limit cyberattack access to data;
- use data breach detection software and a cybersecurity operations center that actively monitors our systems;
- conduct internal technical cyber incident exercises with our information security team and our third-party cybersecurity service providers; and
- conduct an annual independent comprehensive security assessment, including penetration and vulnerability testing along with ransomware simulation, to evaluate the security of our environment and provide us the opportunity to understand and address identified deficiencies in our security program.

We review all technology third party vendors and service providers for the following: access management controls including physical safeguards, disaster recovery capabilities, data privacy and notification processes, onboarding processes, and incident response procedures. In addition, we perform periodic independent testing of vendor capabilities and review the annual System and Organization Controls (“SOC”) Type 1 and/or SOC II Type 2 reports of all of our third-party vendors hosting our data to ensure they conform to those requirements.

Our IT department, led by our Chief Information Officer (“CIO”), maintains and is responsible for our cybersecurity incident response plans. Our cybersecurity incident response plans include processes for evaluating and escalating our response to cybersecurity incidents across our organization, up to and including our senior executive management and Board, and, where required, making public disclosures. Cybersecurity threats and incidents (including potential cybersecurity threats and incidents) are identified through our cybersecurity detection, prevention, and mitigation tools and procedures. These plans are reviewed and updated at least annually and we maintain third-party cybersecurity insurance.

We have not identified any material cybersecurity incidents during the fiscal years covered by this report. For a discussion of how risks from cybersecurity threats affect our business, see Part I, Item 1A - "Risk Factors - Operational Risks - Information technology failures and data security breaches could harm our business" in this Annual Report on Form 10-K.

Governance

Cybersecurity and data privacy risks related to our information technology resources are a key component of our Board’s risk oversight. The Audit Committee assists the Board in evaluating our cybersecurity and data privacy risks and overseeing our efforts to mitigate these risks. Our Audit Committee is also responsible for reviewing and analyzing significant financial and operational risks and how management is managing and mitigating such risks through its internal controls and financial risk management processes and is regularly engaged in discussions with management regarding business risks, operational risks, transactional risks, cybersecurity, enterprise-level and financial risks.

Our CIO provides a formal update to our Audit Committee at least twice per year, reviewing cybersecurity risks, trends, plans for future actions and measurements against recognized external cybersecurity frameworks and benchmarks and our Vice President of Internal Audit/Compliance conducts an annual ERM survey, which includes cybersecurity risk, and provides the findings to the Board.

Our cybersecurity program is led and managed by experienced technology leadership that drives the creation of our cybersecurity and data privacy strategy, policies, and procedures and consists of experts in the execution of the related controls and safeguards. Our CIO has more than 30 years of experience working in information technology including chief information officer roles in the financial services, banking, healthcare, and hospitality sectors. While in those roles, the CIO has led governance, risk, and compliance technology programs and information security programs. Supporting the CIO is a dedicated cybersecurity team that designs and monitors cybersecurity control framework and data privacy procedures, as well as implements cybersecurity control systems and solutions. This cybersecurity team collectively has experience in: cybersecurity, information systems management and security, and related fields of focus.


Company Information

Name: Meritage Homes CORP
CIK: 0000833079
SIC Description: Operative Builders
Ticker: MTH - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30