RE/MAX Holdings, Inc. - (RMAX)

10-K Filing Date: February 22, 2024

ITEM 1C. CYBERSECURITY

RE/MAX Holdings, Inc.’s (collective, “Holdings”, the “Company” “we”, “our” or “us”) cybersecurity program is managed by a dedicated Information Security Officer (“ISO”) who is responsible for leading comprehensive cybersecurity strategy, policy, standards, architecture, and processes. Cybersecurity risks are assessed, identified and managed as part of the cybersecurity program and as part of the Company’s enterprise risk management (“ERM”) program, which include, among other aspects, evaluation of cybersecurity specific threats, vulnerability and access management, incident response, monitoring and third-party risk management. We actively engage with internal and external experts and collaborate with our vendors and other third parties on threat intelligence, vulnerability management, and incident response. We provide our employees with periodic training and information on cybersecurity risks and threats, and we also provide educational resources and information to our franchisees about cybersecurity risks and threats.

Holdings has established a dedicated incident response and reporting team comprising cross-functional members across the Company. This team is responsible for identifying, assessing, and effectively managing cybersecurity incidents ensuring a comprehensive and coordinated approach to cybersecurity incident management. This team also facilitates the reporting of material cybersecurity incidents.

Oversight of cybersecurity risks and the cybersecurity program is primarily the responsibility of the Company’s management, including the Chief Information Officer (“CIO”), and oversight of management is the responsibility of our Board of Directors (the “Board”), primarily through the Audit Committee. The ISO leads periodic reviews and discussions with senior management and the Audit Committee, including results of testing and training, initiatives to continuously improve cybersecurity measures and policies, and implementation of new technologies. In addition, the ISO provides regular updates in areas such as rapidly evolving cybersecurity threats, cybersecurity technologies and solutions deployed internally, and major cybersecurity risk areas and efforts to mitigate those risks.

To date we have not experienced any cybersecurity incident that has materially affected our business, results of operation or financial condition. We have also not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected the Company, or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. Although we have adopted various processes and preventative measures with the objective of preventing breaches and minimizing the risks from cybersecurity matters, given the nature of cybersecurity threats which are constantly evolving over time, there is no guarantee that the Company, including its business strategy, results of operations or financial condition, will not be adversely affected by such threats or that our preventative measures and processes will be effective. For further discussion of the Company’s risk related to cybersecurity, see the risk factor “Cyberattacks, security breaches and

40

improper access to, disclosure or deletion of our data, personally identifiable information we collect, or business records could harm our business, damage our reputation and cause losses” in Part I, Item 1A of this Form 10-K.