EXP World Holdings, Inc. - (EXPI)
10-K Filing Date: February 22, 2024
CYBERSECURITY
We recognize the critical importance of creating a multifaceted defense-in-depth cybersecurity ecosystem to protect the confidentiality, integrity, and availability of Company systems and data.
Managing Material Risk
The Company’s approach to risk management is unique to each reporting segment, with Virbela and Other Affiliated Services each independently identifying, assessing, and managing their material risk from cybersecurity threats, and North American Realty and International Realty operating under a joint risk framework due to the similarities in cybersecurity risk they face. While educational resources about cybersecurity risks are shared amongst Information Technology (“IT”) staff across segments, segment-specific IT staff are empowered to evaluate and address cybersecurity risks within their reporting segment in alignment with the Company’s overall business objectives and operational needs. Where required, IT staff in each reporting segment may communicate with their counterparts in different reporting segments or with executive management of the Company to ensure compliance with cybersecurity incident and data breach reporting requirements under applicable law.
Engage Third Parties on Risk Management
Understanding the complexity and evolving nature of cybersecurity threats, each reporting segment engages with a range of external experts, including cybersecurity assessors and consultants, to assess, identify, and manage material risks posed by cybersecurity threats, as determined by each reporting segment’s IT personnel. Each reporting segment has enabled external technologies and specialists, as deemed necessary by the reporting segment, to continuously test, alert, and report on the Company’s various computing ecosystems. These external assets allow the reporting segment IT leaders to leverage cybersecurity tools applicable to their segment’s risks, ensuring our cybersecurity strategies and processes continue to align with business objectives and operational needs. Segment IT personnel collaborate with these third-parties to review and discuss vulnerabilities and threats, consult on security enhancements for better risk identification, and audit risk management systems.
Oversee Third-Party Risk
Due to the risks associated with third-party access to certain systems and data in each reporting segment, when a reporting segment enters into a relationship with a third-party service provider that presents a cybersecurity risk, various security assessments may be issued by the reporting segment to enable the applicable reporting segment to identify, oversee, and manage these risks. The security assessments are designed to establish communication channels as between the reporting segment and the third-party for purposes of cybersecurity risk management and reporting, as well as to ensure that security controls are established as necessary to comply with that reporting segment’s security and privacy policies. Such assessments may include an initial assessment conducted by the IT staff of the reporting segment, an annual assessment thereafter by the IT staff of the reporting segment, and ongoing monitoring of tools deployed within the third-party’s environment by the third-party’s IT staff or equivalent thereof. Where applicable, the reporting segment imposes security incident reporting requirements on third-party service providers via written contract in order to ensure the timely reporting of incidents. Information obtained in initial and ongoing assessments as well as incident reports are presented to applicable reporting segment staff who (i) review and engage the third party on preventative and responsive actions based on such assessments and reports, as applicable, and (ii) evaluate the continued relationship with the third party and terminate the relationship, if necessary.
Risk of Cybersecurity Threats
To date, the Company has not identified a cybersecurity threat in any reporting segment, including as a result of any previous cybersecurity incidents, that has or is reasonably likely to have a current or future material effect on our business strategy, financial condition, results of operations, liquidity, capital expenditures, or capital resources.
Cybersecurity Governance
eXp World Holdings, Inc.’s Board of Directors (the “Board”) is aware of the critical nature of managing risks associated with cybersecurity threats and meets regularly to discuss managing risk from cybersecurity threats, among other risks facing the Company. The Board has established oversight mechanisms to ensure effective governance in managing risks associated with cybersecurity threats.
Board of Directors Oversight
The Board’s Nominating and Corporate Governance Committee is central to the Board’s oversight of cybersecurity risks and bears the primary responsibility for cybersecurity risk oversight. When required, additional information is provided from the IT management for each reporting segment for further insight and analysis. The Company is continually monitoring its cybersecurity oversight, strategy and governance for improvement and refinement.
Management’s Role Managing Risk
The Company’s Chief Information Officer (“CIO”) plays a key role in informing the Nominating and Corporate Governance Committee of cybersecurity risks across the reporting segments. This management member provides comprehensive briefings to the Nominating and Corporate Governance Committee on a quarterly basis. These briefings include a broad range of topics, including:
● Current cybersecurity landscape and emerging threats;
● Status of ongoing cybersecurity initiatives and strategies in various reporting segments;
● Incident reports and learnings from any cybersecurity events; and
● Compliance with regulatory requirements and industry standards.
The CIO receives updates on any significant developments in the cybersecurity domain from each reporting segment, which the CIO then reports to the Nominating and Corporate Governance Committee, ensuring the Board’s oversight is proactive and responsive.
Risk Management Personnel
Primary oversight and responsibility for managing the Company’s cybersecurity risks resides with the CIO. With over 25 years of experience in business and information technology management, the current Company CIO is an accomplished software executive with an exceptional record of building large-scale product delivery organizations, which include product management, engineering, information technology, and information security. The current Company CIO is a graduate of Southern Methodist University, where he obtained his M.B.A., and the University of Oklahoma, where he received his B.S. in Computer Sciences.
Accompanying the CIO in the development of the security ecosystem are key personnel at each reporting segment, including:
● North American and International Realty’s Sr. Director of Information Security. The person currently in this role has over 15 years of experience managing enterprise-level cybersecurity programs in various industries, in addition to having a Bachelor of Science in Information Technology Management and an Information Security Manager Certification.
● Virbela’s Director of IT. The person currently in this role has a Master of Computer Information Systems degree and has fifteen years of professional experience in IT roles, specializing in data management and security, operational reliability and assurance, and regulatory compliance. They are experienced in information security practices, having been involved in SOC 2, GDPR, CCPA, and PCI DSS compliance frameworks.
● Virbela’s Vice President of Frame. The person currently in this role has a Master in Education Technology and a decade working at the intersection of collaboration and spatial computing as a developer and technical product manager. They also have broad experience working with information security and privacy frameworks such as SOC-2, GDPR, and COPPA.
● Virbela’s President. The person currently in this role has a Doctorate of Philosophy in Consulting Psychology and over eleven (11) years of expertise designing and managing the Virbela product, including its cyber vulnerabilities, data collection, and related processes.
● Other Affiliated Services Vice President, Operations. The person currently in this role has a Master of Business Administration in Accounting and Business/Management with sophisticated professional experience in software implementation and business intelligence. His experience encompasses conducting security audits, implementing intrusion detection with cloud service providers, developing access controls and API encryption, and mitigating risks through vendor relations. Additionally, he has worked in IT policy development, single sign-on implementation, and cloud security.
The staff in each reporting segment have extensive knowledge of cybersecurity risk applicable to their reporting segment.
Monitoring Cybersecurity Incidents
Daily security assessments, alert monitoring, and the management of cybersecurity threats are the responsibility of each reporting segment. When appropriate, each reporting segment escalates information to the CIO to ensure awareness of cybersecurity risks across the reporting segments and to enable the required incident management procedures applicable to each reporting segment. The reporting segments provide analysis to aid in the remediation of cybersecurity incidents. Each reporting segment has developed an incident response plan that pools resources and determines actions and remediation efforts, including escalation to the CIO when necessary.
Reporting to Board of Directors
The CIO, in his capacity, informs the Chief Executive Officer of the Company and Chief Strategy Officer of eXp Realty, LLC of all aspects related to cybersecurity risks and threats. This ensures the highest levels of management are knowledgeable and updated about the cybersecurity posture and potential risks facing the Company. Furthermore, cybersecurity incidents, strategic risk management decisions, and materiality analysis are escalated to the Board, ensuring that they have comprehensive oversight and can provide guidance on critical cybersecurity issues.