Landsea Homes Corp - (LSEA)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program, managed by our Vice President of Information Technology (“IT”), which is intended to assess, identify, and manage risks from cybersecurity threats, protect the confidentiality, integrity, and availability of our critical systems and information, and provide a framework for handling cybersecurity threats and incidents.
Our cybersecurity risk management program is integrated with our overall enterprise risk management program, and is aligned with the methodologies, reporting channels and governance processes that have been established by the Company’s enterprise risk management teams. Our cybersecurity risk management program outlines the activities we take to prepare for, detect, respond to, and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.
Our cybersecurity risk management program includes the following key elements:
•risk assessments designed to help identify cybersecurity risks to our critical systems, information, services, and our broader enterprise IT environment.
•a team, which reports to our Vice President of IT, comprised of IT security, IT infrastructure, and IT compliance personnel principally responsible for directing (1) our cybersecurity risk assessment processes, (2) our security processes, and (3) our response to cybersecurity incidents.
•where appropriate, the use of external cybersecurity service providers, overseen by the IT Infrastructure Manager to assess, test or otherwise assist with aspects of our security processes.
•cybersecurity awareness training of employees with access to our IT systems.
•a cybersecurity incident response plan and Security Operations Center (SOC) to respond to cybersecurity incidents; and
•a risk management process for service providers.
Although we have previously experienced and expect to continue to experience cybersecurity events, we do not believe that risks from cybersecurity threats, including as a result of any of these previous events, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, there can be no assurance that future cybersecurity incidents, information and security breaches and technology failures, including as a result of cybersecurity incidents, information and security breaches and technology failures experienced by our third parties, will not have a material adverse impact on us, including our business strategy, results of operations and financial condition.
Cybersecurity Governance
Our Board, which has overall oversight responsibility for our risk management, considers cybersecurity risk critical to the enterprise and has delegated primary cybersecurity risk oversight to the Audit Committee. The Audit Committee, which is responsible for reviewing and discussing the Company’s practices with respect to risk assessment and risk management, and risks related to matters including, among other things, information technology and cybersecurity, and therefore oversees management’s design, implementation, and enforcement of our cybersecurity risk management program. The Audit Committee receives reports, at least quarterly, from our Vice President of IT on our cybersecurity risks, including briefings on our cyber risk management program and cybersecurity events. The Audit Committee also receives periodic presentations from our Vice President of IT, supported by our management team or external experts, which address a wide range of additional cybersecurity topics including key cybersecurity metrics, the status of the Company’s information security systems and assessments of the Company’s cybersecurity, among other things. The Audit Committee regularly reports to our Board on cybersecurity matters.
Landsea Homes Corp. | 2023 Form 10-K | 37
Management is responsible for identifying and assessing cybersecurity risks, establishing processes to ensure that such potential cybersecurity risk exposures are monitored and putting in place appropriate mitigation measures. Our Vice President of IT, who reports to our Chief Financial Officer has primary responsibility at the management level for leading our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our external cybersecurity service providers. Our Vice President of IT has significant experience in managing and leading IT and cybersecurity teams, including over 20 years of relevant work experience at the Company and elsewhere.
Our Vice President of IT also supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means. These include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public, or private sources, including external cybersecurity service providers; and alerts and reports produced by security tools deployed in the IT environment.