Tri Pointe Homes, Inc. - (TPH)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
We maintain a cybersecurity program that is designed to protect our information, and that of our customers, against cybersecurity threats that may result in material adverse effects on the confidentiality, integrity, and availability of our information systems. We have implemented a comprehensive risk-based approach to identifying, preventing, and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
Our Risk Assessment Committee, which is comprised of individuals from our information technology, risk management, and internal audit departments, meets periodically to discuss our exposure to cyber risks as well as our efforts to mitigate the potential impact of such risks to our business or otherwise transfer such risk, including through the use of insurance products. Additionally, as part of our risk-based approach to cybersecurity:
• our information technology systems and internal controls undergo annual audit;
• we conduct annual penetration testing in consultation with a third-party consultant to assess any vulnerabilities in our systems and utilize the results to evaluate and remediate any identified issues;
• we perform daily vulnerability scans of all computers within our system;
• we use single sign-on and multi-factor authentication;
• we conduct diligence on, and seek engagements of, sophisticated, cloud-based third-party service providers for critical functions;
• we have implemented a zero-trust security model with group-based access to resources on our network;
• we monitor applicable privacy and data protection laws and regulations and implement changes, as necessary, to remain in compliance;
• we maintain cyber liability and crime insurance policies;
• we maintain immutable backups of the files on our systems to aid in the recovery of our data and for operational continuity, in the event of an incident or incursion; and
• our employees participate in mandatory cybersecurity training, including a recurring cyber-phishing awareness campaign designed to assess our employees’ awareness of and responses to phishing requests.
We also maintain a written Cyber Security Policy that establishes a framework for how we respond to data breaches, cyber attacks, and other security incidents, and discusses our employees’ obligations with respect thereto. We maintain additional policies, including regarding the establishment of physical and environmental security requirements for protection of our information assets and security measures taken to protect privileged accounts with access to critical resources, sensitive data, and system configurations. Further, we have adopted a Cyber Security Incident Response Plan that applies in the event of a cybersecurity threat or incident (the “IRP”) to provide a standardized framework for responding to security incidents. The IRP sets out a coordinated approach to investigating, containing, documenting, and mitigating incidents.
Due to evolving cybersecurity threats, it has been and will continue to be difficult to prevent, detect, mitigate, and remediate cybersecurity incidents. We also rely on information technology and third-party vendors to support our operations, including our secure processing of personal, confidential, sensitive, proprietary, and other types of information. Despite ongoing efforts to continue improving our and our vendors’ ability to protect against cyber incidents, we may not be able to protect all information systems, and such incidents may lead to reputational harm, revenue and client loss, legal actions, and statutory penalties, among other consequences. Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations, or financial condition. While we have not experienced any material cybersecurity threats or incidents, there can be no guarantee that we will not be the subject of future successful attacks, threats, or incidents or that we will be successful in mitigating the consequences of any such incidents. Additional information on cybersecurity risks we face can be found in Part I, Item 1A “Risk Factors” of this report under the heading “Risks Related to Our Business,” which should be read in conjunction with the foregoing information.
Our Board has delegated the primary responsibility to oversee cybersecurity matters to our Audit Committee. Our Board and Audit Committee regularly review the measures implemented to identify and mitigate data protection and cybersecurity risks. As part of such reviews, our Board and Audit Committee receive reports and presentations from team members responsible for overseeing our cybersecurity risk management, including our Chief Information Officer (CIO), which address a wide range of topics, including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and information security considerations arising with respect to our peers and third parties. We have implemented protocols by which certain cybersecurity incidents are escalated internally and, where appropriate, reported timely to our Board and Audit Committee.
At the management level, our CIO, certain directors on our information technology team, and our director of risk management, in consultation with our senior management team, have broad oversight of our cyber risk management processes. Our information technology team regularly discusses the risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks.
Through December 31, 2023, the date on which our CIO retired, our CIO, who had extensive cybersecurity knowledge and skills gained from over 25 years of experience in the construction industry, including four years as our CIO, led the team responsible for implementing, monitoring, and maintaining cybersecurity and data protection practices across our business and reported directly to our Chief Financial Officer. This team, during our search for a new CIO, continues to implement, monitor, and maintain our cybersecurity program and provides reports on cybersecurity threats to management on an ongoing basis. In conjunction with management, this team regularly reviews our risk management measures to identify and mitigate data protection and cybersecurity risks and also works closely with our legal team to oversee compliance with legal, regulatory, and contractual security requirements.