ST JOE Co - (JOE)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity

We maintain a data security plan designed to provide a documented and formalized information security policy to detect, identify, classify and mitigate cybersecurity and other data security threats. This cybersecurity program is based in part on, and its effectiveness is measured using, the Payment Card Industry Data Security Standard (“PCI DSS”) and is included in our overall enterprise risk management program.

In furtherance of detecting, identifying, classifying and mitigating cybersecurity and other data security threats, we also:

assess baseline configuration standards to meet the intent and effectiveness for overall safety and security (both logically and physically) of critical system components;
track asset inventory for relevant system components;
maintain network connection arrangement documents;
limit access rights to system components to authorized personnel, with end-users being granted access in accordance with stated access rights;
deploy anti-virus solutions on applicable system components, which are enabled for automatic updates and configured for conducting periodic scans as necessary;
provision and harden critical system resources;
use internal and external vulnerability scanning procedures, along with network layer and anti-hacking tests;
facilitate requests for validation of baseline configurations for purposes of regulatory compliance assessments and audits; and
provide cybersecurity training for employees.

Conducting our businesses involves the collection, storage, use, disclosure, processing, transfer, and other handling of a wide variety of information, including personally identifiable information, for various purposes in our businesses. Like other comparable-sized companies that process a wide variety of information, our information technology systems, networks and infrastructure and technology have been, and may in the future be, vulnerable to cybersecurity attacks and other data security threats. These types of attacks are constantly evolving, may be difficult to detect quickly, and often are not recognized until after they have been launched against a target. For more information about these and other cybersecurity risks faced by us, see Part 1. Item 1A. Risk Factors.

Our Board has ultimate oversight for risks relating to our data security plan. In addition, the Board has delegated primary responsibility to the Audit Committee for assessing and managing data privacy and cybersecurity risks, reviewing data security and cybersecurity policies and processes with respect to data privacy and cybersecurity risk assessment and management, reviewing steps management has taken to monitor and control such risks, and regular inquiries with our management team, internal auditors and independent auditors in connection therewith. The Audit Committee is also responsible for overseeing our investigation of, and response to, any cybersecurity attacks or threats.

We also have a dedicated team of employees overseeing our data security plan and initiatives, led by our Vice President of Information Systems (who has over twenty years’ experience working in cyber and information security roles with large companies), which works directly in consultation with internal and external advisors in connection with these efforts.

We have developed a procedure by which the Board and management are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents. Our Incident Response Team, comprised of representatives of different departments within the Company, including the Vice President of Information Systems, works to identify cybersecurity-related incidents, and reports such incidents, along with any pertinent recommendations to update cybersecurity policies and procedures, to our management team. Our management team regularly reports to the Audit Committee, and more frequently as needed, on such matters. The Audit Committee and management also provide an annual report to the Board on pertinent cybersecurity matters.