United Homes Group, Inc. - (UHG)
10-K Filing Date: March 15, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
UHG recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard its information systems and protect the confidentiality, integrity, and availability of its data. UHG has cybersecurity and risk management processes in place to adapt to the changing cybersecurity landscape and respond to emerging threats in a timely and effective manner. UHG leverages the National Institute of Standards and Technology (NIST) framework, which organizes cybersecurity risks into five categories: identify, protect, detect, respond, and recover. UHG monitors its systems to assess cybersecurity risks and threats.
UHG’s information technology (IT) security team reviews enterprise risk management-level cybersecurity risks and reports on these findings. In addition, UHG has a set of company-wide policies and procedures that directly or indirectly relate to cybersecurity, such as policies related to encryption standards, antivirus protection, remote access, multifactor authentication, confidential information and the use of the internet, social media, email and wireless devices. These policies go through an internal review process and are approved by appropriate members of management.
Managing Material Risks & Integrated Overall Risk Management
UHG has integrated cybersecurity risk management into its broader risk management framework. This integration ensures that cybersecurity considerations are an integral part of UHG’s decision-making process. Members of UHG’s management work closely with the IT department to continuously evaluate and address cybersecurity risks in alignment with UHG’s business objectives and operational needs.
Engage Third Parties on Risk Management
Recognizing the complexity and evolving nature of cybersecurity threats, UHG’s IT personnel incorporate external resources and advisors as needed on cybersecurity planning, reporting, and monitoring. These third-party relationships enable UHG to leverage specialized knowledge and insights to ensure UHG’s cybersecurity strategies and processes are aligned with industry best practices. In addition to collaboration with various third parties, all of UHG’s employees are required to complete cybersecurity training at least once every three years and also have access to more frequent cybersecurity training through online training courses.
Oversee Third Party Risk
UHG utilizes various third-party software applications in the functioning of its core business. UHG conducts assessments of all third-party providers and maintains ongoing reviews to ensure compliance with its cybersecurity standards. The internal business owners of the hosted applications are required to document user access reviews at least annually and provide from the vendor a System and Organization Controls (SOC) 1 or SOC 2 report. If a third-party vendor is not able to provide a SOC 1 or SOC 2 report, UHG takes additional steps to assess their cybersecurity preparedness and assess its relationship on that basis. UHG’s assessment of risks associated with the use of third-party providers is part of its overall cybersecurity framework.
Monitor Cybersecurity Incidents
UHG’s IT security team regularly monitors alerts and meets to discuss threat levels, trends, and remediation. The team also prepares a monthly report on cybersecurity threats and risk areas and conducts an annual risk assessment. This ongoing knowledge acquisition and continuing education is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. If a security event is alerted, upper management and the incident response team are notified and the steps identified in the Incident Response Plan, or IRP, are initiated. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents.
Risks from Cybersecurity Threats
UHG faces risks from cybersecurity threats that could have a material adverse effect on its business, financial condition, results of operations, cash flows or reputation. For more information about the cybersecurity risks UHG faces, see the risk factor entitled “An information systems interruption or breach in security could adversely affect UHG” in Item 1A., Risk Factors. UHG has not encountered cybersecurity challenges that have materially impaired its operations or financial standing.
Governance
UHG’s Board is acutely aware of the critical nature of managing risks associated with cybersecurity threats, and recognizes the significance of these threats to UHG’s operational integrity and shareholder confidence.
Risk Management Personnel
UHG’s Chief Administrative Officer and the Director of IT are responsible for developing and implementing UHG’s information security program. UHG’s Chief Administrative Officer represented companies in IT integration, AI, and SaaS businesses over a span of two decades in private legal practice, and UHG’s Director of IT has more than 17 years of experience in data, application, and server security.
Board of Directors Oversight
The Audit Committee is central to the Board’s oversight of cybersecurity risks and bears the primary responsibility for this domain. The Audit Committee is composed of board members with diverse expertise including risk management and finance, equipping them to oversee cybersecurity risks effectively.
Management’s Role Managing Risk and Reporting to the Board
The Chief Administrative Officer and the Director of IT play a pivotal role in informing the Audit Committee on cybersecurity risks. They provide comprehensive briefings to the Audit Committee on a regular basis, with a minimum frequency of once per year. These briefings encompass a broad range of topics, including:
• Current cybersecurity landscape and emerging threats;
• Actions being taken by the Company to minimize or address such threats;
• Status of ongoing cybersecurity initiatives and strategies;
• Incident reports and learnings from any cybersecurity events; and
• Compliance with regulatory requirements and industry standards.
In addition to scheduled meetings, the Audit Committee, the Chief Administrative Officer and the Director of IT maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Together, they receive updates on any significant developments in the cybersecurity domain, ensuring the Board’s oversight is proactive and responsive. This involvement ensures that cybersecurity considerations are integrated into the broader strategic objectives. The Audit Committee conducts an annual review of the company’s cybersecurity posture and the effectiveness of its risk management strategies. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework.