Five Point Holdings, LLC - (FPH)

10-K Filing Date: March 02, 2024
ITEM 1C. Cybersecurity
Risk Management and Strategy
We understand the importance of identifying and managing cybersecurity risks that could materially disrupt our business operations. We rely on information technology systems to conduct important operational activities and to maintain business and employee records and financial data. Disruption of these systems could adversely impact our ability to conduct business activities.
We have implemented a cybersecurity risk management program intended to protect the security and availability of our critical systems and information. Our program incorporates certain guiding principles from the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our program includes a cybersecurity incident response plan that consists of incident identification, classification, investigation and diagnosis, response, and recovery.
Our process for managing cybersecurity risk is a collaborative effort that includes key members of our information technology, legal, and finance departments, as well as internal audit and third-party cybersecurity firms. Our cybersecurity program takes into consideration the identification of critical data assets, information technology systems, third party service providers, and business processes that may be susceptible to cybersecurity threats. Potential technology vendor relationships are vetted based on the nature of services or technology being provided, and we continue to evaluate these relationships to determine the ongoing necessity of the services and the vendor’s risk management posture.
As part of our cybersecurity program, we have implemented various strategies and processes to manage cybersecurity risks, which include:
providing training and guidance to our employees on cybersecurity threats and emerging trends, including phishing simulations to increase awareness of potential critical security threats;
obtaining independent and objective assessments by our internal audit department;
annual review of Service Organization Controls (“SOC”) reports from our critical third-party vendors based upon a determination of their relative importance and risk level;
implementing preventative and detective security tools; and
using both internal resources and third-party security firms to provide ongoing monitoring of both internal systems as well as activity within third-party environments.
We also maintain insurance coverage for cybersecurity incidents. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. We describe the risks from cybersecurity threats that could affect our operations and financial results under the heading “Cyber-attacks or acts of cyber-terrorism could disrupt our business operations and information technology systems or result in the loss or exposure of confidential or sensitive employee or company information.” included as part of our Item 1A. Risk Factors of this Annual Report on Form 10-K, which disclosures are incorporated by reference herein.
Governance
Our board of directors has designated the audit committee to oversee our exposure to risk, including risks related to cybersecurity threats, and the steps management has taken to monitor and control such risks. The audit committee receives periodic updates from our Vice President – Information Systems on our cybersecurity program and potential material cybersecurity threats. The audit committee is regularly informed about (1) the results of independent and objective assessments of key components of our cybersecurity program as reported by our internal audit department and (2) material risks that could impact our operations or financial condition and the measures implemented to adequately mitigate relevant risks. The audit committee regularly reports to our board of directors regarding its activities, including those related to cybersecurity risk oversight, and members of our board of directors periodically discuss cybersecurity matters with members of management.
We have established a security committee, which contains management representation from our information technology, legal, and finance groups. The security committee includes our Vice President – Information Systems, who has more than 15 years of experience in the following information technology areas: compliance, security, auditing, vendor management, and systems and network operations. The security committee oversees our cybersecurity incident response plan and is responsible for assessing and managing cybersecurity threats and evaluating the potential impact of such threats on our business strategy, results of operations, and overall financial condition. The security committee supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the information technology systems environment. Our Vice President – Information Systems is responsible for proposing strategies and tactics to mitigate cybersecurity threats, which are subject to review and approval by the security committee.