Dream Finders Homes, Inc. - (DFH)
10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY
The Company’s cybersecurity risk management program is integrated into our overall enterprise risk management process and is based on the National Institute of Standards and Technology Cybersecurity Framework (“NIST Framework”). The program comprises a comprehensive set of policies and procedures designed to protect our Information Technology (“IT”) systems and data, including those employed by our third-party service providers, and to identify threats to them. Our dedicated cybersecurity team collaborates with business operations personnel as well as certain third parties, as applicable, to provide a comprehensive suite of cybersecurity services, encompassing network security, anti-malware solutions, email security measures, endpoint security, detection systems, application security, data safeguards, access management protocols, cybersecurity awareness initiatives, incident response strategies, threat intelligence, IT risk assessment and vulnerability management. We also maintain insurance coverage for cybersecurity incidents.
The Company also engages third parties to perform periodic assessments of certain aspects of our cybersecurity measures, including vulnerability assessments and audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the Nominating and Governance Committee and the Board of Directors, and the Company adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.
Our Board of Directors has delegated oversight of cybersecurity risks to our Nominating and Governance Committee. Executive management, inclusive of our Vice President of IT (“VP of IT”) in conjunction with our National Vice President of Finance (“NVP of Finance”), provides regular updates to the Nominating and Governance Committee including any updates to our program in response to new or changed cybersecurity risks, as well as ongoing metrics around the effectiveness of our existing cybersecurity strategies.
The VP of IT and the NVP of Finance work in coordination with the Cybersecurity Response Committee, which also includes our Chief Financial Officer (“CFO”) and representatives from legal, internal audit and SEC reporting functions. In the event of a cyber incident, the Cybersecurity Response Committee utilizes a formal incident response plan based on the NIST Framework to assess and manage cybersecurity threats. The incident response plan encompasses the containment, eradication, recovery, and resolution processes for the incident, while also detailing the individuals and groups that need to be notified.
The VP of IT has served in various roles in information technology and information security for over 24 years, including serving as the Chief Information Security Officer of a healthcare company and a member of the cyber emergency response team at several companies. The VP of IT holds undergraduate and graduate degrees in computer science and has attained various professional certifications in cybersecurity. The NVP of Finance and the rest of the Cybersecurity Response Committee hold undergraduate and graduate degrees in their respective fields, and have over 50 years of collective experience managing enterprise risks at the Company and at similar companies, including risks arising from cybersecurity threats.
Cybersecurity threats have not materially affected the Company, including our business strategy, results of operations or financial condition, to date. Risks relating to cybersecurity threats and potential impacts to our business strategy, results of operations or financial condition are discussed in “Risk Factors” herein.