Douglas Elliman Inc. - (DOUG)
10-K Filing Date: March 08, 2024
ITEM 1C. CYBERSECURITY
We have a comprehensive approach to identifying and managing cybersecurity risks that involves our information technology security personnel, senior management, Audit Committee and Board of Directors. Our cybersecurity risk management function is integrated into our overall risk management system and processes.
Governance. The Board of Directors has formally tasked the Audit Committee with oversight responsibility to review cybersecurity and data privacy risks. The Audit Committee receives regular reports from management about cybersecurity matters. In addition to regular reporting, we have procedures by which potential cybersecurity incidents are reported in a timely manner to the Chief Technology Officer, who then notifies the Chief Operating Officer and General Counsel of cybersecurity incidents, and they collectively determine if a specific incident warrants escalation to the Audit Committee and the Board of Directors. Our CTO, who has more than 25 years of information security and cybersecurity experience, manages cybersecurity at the corporate segment and oversees a team of dedicated cybersecurity personnel employed in our real estate brokerage segment. Our governance procedures are generally designed to identify, assess, mitigate, prevent and, where required, respond to cybersecurity incidents and threats in a timely manner to minimize the loss or compromise of information and assets and to facilitate incident resolution.
Cybersecurity incident identification and response. We use several processes and procedures to protect our data, systems and employees from cyber incidents, to reduce our overall cybersecurity risk profile, and to identify and respond to cybersecurity incidents in a timely manner. These processes and procedures leverage a variety of tools, including a security incident and event manager interface that uses behavioral analytics and provides live metrics and reports of attempted breaches and logs of firewalls, authentication attempts, emails, anti-malware, attempted intrusions and applications. We also conduct periodic tests to assess our processes and procedures and the threat landscape, which include, among other things, the engagement of third-party experts for external and internal penetration testing and system security assessments.
We have adopted an incident response plan that applies upon the occurrence of a cybersecurity incident involving a breach of our own information technology systems and applications. Pursuant to this response plan, if an incident occurs, a multi-disciplinary team is assembled that includes our CTO and General Counsel and, if appropriate, our COO and CFO, which in turn may leverage the expertise of third-party consultants, external legal counsel and other resources. The plan includes procedures designed to facilitate containment of, and responses to, a cybersecurity incident, which are based on the type of incident, the location of the incident and the breadth of the incident. The plan also establishes procedures for notifying any impacted parties, including our customers, law enforcement and regulatory authorities, third-party vendors and insurance providers. Our CTO will provide periodic updates to the Audit Committee and, when appropriate, the Board of Directors during this process.
After an incident, we would review and document the causes and effects of the incident, evaluate the remediation plan, and consider post-incident improvements. Where applicable, the CTO reports these findings to the Audit Committee and, when appropriate, the Board of Directors.
Processes to identify material risks associated with the use of third-party service providers. In addition to internal resources, we utilize third-party service providers to supplement and maintain our information technology systems. We have procedures to oversee and identify cybersecurity risks associated with our use of these third-party service providers, including procedures that apply if a cybersecurity incident occurs at a third-party service provider that results in our systems or data or our customers’ data being compromised. These processes and procedures include, among others, a diligence review conducted by our information technology team of substantially all of our external business partners and a focused review of any such third parties’ cybersecurity audit attestations, such as Service Organization Controls, NIST 800 alignments, ISO certifications, PCI DSS compliance or other recognized external reviews. In the case of a cybersecurity incident affecting a third party, these procedures also govern interactions with personnel of the impacted third party to determine the date, scope and effects of the cybersecurity incident, review the response and remediation measures taken by the third party and conduct an inventory of potentially compromised data. Our notification process for a cybersecurity incident affecting a third party is the same as the notification process that applies to a cybersecurity incident that affects our own information technology systems and applications.
Cybersecurity risks and previous incidents. We and certain of our third-party service providers have experienced, and expect to continue to experience, internal and external cybersecurity threats and incidents, which can result, and have resulted, in the misappropriation and unavailability of critical data and confidential or proprietary information (our own and that of third parties, including personally identifiable information) and the disruption of business operations. However, we have not been subject to cybersecurity incidents that, individually or in aggregate, have been material to our operations or financial condition, but we cannot provide assurance that they will not have a material impact in the future. See Item 1A. Risk Factors.