Taylor Morrison Home Corp - (TMHC)

10-K Filing Date: February 21, 2024
ITEM 1C | CYBERSECURITY


Cybersecurity Risk Management and Strategy

We maintain a comprehensive cybersecurity program, including policies and procedures designed to protect our systems, operations, and data. We perform risk assessments on a quarterly basis to identify and remediate potential cybersecurity threats and vulnerabilities. In connection with our assessment of potential cybersecurity risks, our Information Technology ("IT") team engages in threat modeling, vulnerability scanning and penetration testing. For each identified risk, our IT team will estimate the likelihood of occurrence and potential impact, which will guide the Company in assessing and prioritizing risks. We have also implemented a process to evaluate and review potential cybersecurity risks arising from our use of third-party vendors. As part of our vendor engagement protocols, we will consider, among other things, each potential vendor’s data backup procedures, incident reporting protocols and data privacy and encryption practices. Once a new vendor is onboarded, we monitor their cybersecurity posture utilizing a third-party cybersecurity ratings provider.


In addition to our internal exercises to test aspects of our cybersecurity program, we engage independent third parties semi-annually to assess the risks associated with our IT resources and information assets. Among other matters, these third parties analyze information on the interactions of users of our information technology resources, including employees, and conduct penetration tests and scanning exercises to assess the performance of our cybersecurity systems and processes. Annually, we examine our cybersecurity program with these third parties, evaluating its effectiveness in part by considering industry standards and established frameworks, such as the National Institute of Standards and Technology ("NIST"), as guidelines. As a mortgage company, we are also associated with the Federal Financial Institutions Examination Council.


For material cybersecurity risks, we have developed mitigation plans to reduce the risk’s likelihood of occurrence and/or its expected impact. Such mitigation plans have involved, among other things, implementing additional technology controls or policies, increasing training for company personnel or obtaining additional insurance for the identified risk. Our IT team monitors material risks over time and updates the Company’s mitigation plans as appropriate. IT also regularly reports to the leadership team on the status of material risks, mitigation plans and incidents related to such risks.


We also maintain a data breach response plan, which is intended to be aligned with the NIST framework, and which is reviewed annually and conveyed to our team members through our mandatory cybersecurity training. We also retain experienced cybersecurity consultants that can assist us in the event of a serious breach, and maintain a cyber insurance policy.


For a discussion of how risks from cybersecurity threats affect our business, see “Part 1. Item 1A. Risk Factors – Risk Related to our Business – Information technology failures and data security breaches could harm our business” in this Annual Report on Form 10-K.


Cybersecurity Governance

Management is responsible for ongoing assessment and oversight of cybersecurity risks that could significantly impact our operations, finances or reputation. This includes identifying information assets and data systems that are critical to business functions, determining the vulnerability of those systems to potential cyberattacks, and developing comprehensive protections and response plans.


To fulfill these responsibilities, management relies on IT and cybersecurity leadership who possess specialized expertise in relevant areas. Our cybersecurity team is led by our Chief Information Officer ("CIO"), who has more than 25 years of experience working in information technology, of which more than 20 have been with Taylor Morrison. With over ten years of experience developing cybersecurity programs, the CIO leads security control implementation, risk and compliance monitoring, security tool management, and incident response planning.

Reporting to the CIO, the Director of Information Security possesses expert knowledge in threat modeling and vulnerability testing methodologies. The Director of Information Security leads efforts to build security into all IT processes and procedures to protect against risks related to data leakage, broken authentication, injection flaws, improper encryption, and attacks on other application vulnerabilities.


Supporting the CIO and Director of Information Security is a team of IT Security professionals who collectively hold the following degrees and certifications: Master’s degree in cybersecurity; Certified Information Systems Security Professional; Certified Ethical Hacker; Security+; Microsoft Certified Professional; Microsoft Certified Solutions Associate; and Microsoft Certified Systems Engineer.


Supported by these skilled leaders, management conducts quarterly cyber risk reviews, maintains a cybersecurity risk register, authorizes risk mitigation budgets and activities, and ensures appropriate resources are devoted to protecting against rapidly evolving cyber threats. The Audit Committee and the Board of Directors are also regularly updated on cybersecurity risk assessments, policy changes, significant incidents, and preparedness levels. This enables management to provide oversight, set risk tolerances, and support a comprehensive cybersecurity program that manages material cyber risks to the organization.


The CIO updates the Board of Directors biannually on the state of the cybersecurity program, which includes a discussion of the most important cybersecurity risks facing the Company, an update on notable cybersecurity incidents and recent threats, and a summary of the results of the Company’s recent independent cybersecurity assessments, among other items. In addition, the Audit Committee of the Board of Directors receives quarterly cybersecurity updates, which include reports on key cybersecurity metrics, cybersecurity headlines, current risks and mitigation strategies.