Howard Hughes Holdings Inc. - (HHH)
10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
The HHH cybersecurity program is an enterprise-wide, risk-based program that is designed to support the security, confidentiality, integrity, and availability of our systems and information. We conduct periodic assessments of the cybersecurity program to identify and manage material cybersecurity threats and risks using internal teams and independent third parties. The assessment results are used to develop appropriate cybersecurity controls, best practices, and risk mitigation strategies, which are then implemented throughout the Company.
We rely on our systems and networks to support our business activities. As some of these networks and systems are managed by third parties, the HHH cybersecurity program also includes evaluation and monitoring of cybersecurity risks associated with its use of third-party service providers. We also leverage third-party experts and vendors to help manage our cybersecurity program, audit the effectiveness of our existing cybersecurity controls, and make recommendations for improvements and best practices. We utilize a Managed Detection and Response service that provides threat intelligence, technology, and specialist expertise to protect our systems and networks from cyber threats. We require all third parties with access to our information systems or data to maintain industry standard cybersecurity programs and to report actual or suspected security incidents to us.
We employ a range of tools and strategies to mitigate cybersecurity risks, regularly testing them for effectiveness. Additionally, we continuously assess and improve our cybersecurity stance by conducting vulnerability scans, internal and external network penetration tests, and by integrating threat intelligence updates. We also have specific tools to provide real-time, continuous monitoring and protection of our endpoints. To the extent that our proactive monitoring and testing identifies weaknesses in our cybersecurity readiness, these weaknesses are tracked and remediated as part of our cybersecurity program. Our employees receive security awareness training on an annual basis and are subjected to phishing training and phishing tests throughout the year. Annually, we perform tabletop exercises to test our cybersecurity incident response plan that is kept within our written information security program (WISP). Our cybersecurity program is aligned with industry standards and best practices such as the National Institute of Standards and Technology Cybersecurity Framework.
As of the date of this report, we are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. However, along with all companies of a similar size, we face common cybersecurity threats. These threats include ransomware and denial-of-service, including sophisticated attacks from criminal ransomware groups and nation state actors. Our customers, supply-chain providers, and subcontractors face similar cybersecurity threats, and an incident impacting us or any of these entities could materially adversely affect our business operations.
Governance
Management is responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents as well as the Company’s overall information security strategy, policy, and operations. The cybersecurity program is executed by the Company’s Senior Vice President of IT Governance, Risk, and Compliance, who has over 15 years of cybersecurity experience in overseeing and managing cybersecurity risk. He is also responsible for maintaining and, in the event of an actual or suspected security incident, executing the Company’s WISP.
The Company’s Board of Directors recently formed a technology committee (the Technology Committee) to assume governance and oversight of HHH’s cybersecurity program from the Audit Committee. This includes reviewing the cybersecurity program’s strategy and effectiveness, the cybersecurity landscape and emerging threats, and reports from any cybersecurity events. The Technology Committee also oversees cybersecurity and digital strategy and, whenever necessary, will communicate with, or advise management to consult with, the Audit Committee regarding technology, digital, and other innovation-related matters that relate to or affect the Company’s internal control systems. The Technology Committee will actively participate in strategic cybersecurity decisions and will be responsible for approving major initiatives. Management will provide updates to the Technology Committee on a quarterly basis and will continue to provide updates to the full Board of Directors on an annual basis. When appropriate, the Technology Committee will inform the Board of Directors on important matters. Furthermore, the Board of Directors would be notified, in accordance with the Company’s incident response plan, of any suspected cyber incidents that may have at least a moderate business impact on the Company.
HHH 2023 FORM 10-K | 26