Anywhere Real Estate Inc. - (HOUS)

10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity
The Board and management believe that cybersecurity is vital to protecting proprietary and confidential information and company operations, and to maintaining the trust of our customers, agents, franchisees, and employees. The Company has a cybersecurity risk management strategy and a governance framework to assess, identify and manage material risks from cybersecurity threats. As discussed below, the Company utilizes both internal and external resources as part of its cybersecurity program.
Risk Management and Strategy
Anywhere views its cybersecurity strategy through a multi-pronged lens encompassing prevention, detection and response to ensure holistic coverage of the program and our environments.
Prevention. Our cybersecurity program starts with prevention, which includes risk assessment and identification, and the use of that information to design an effective baseline layer of controls.
Our cybersecurity program includes robust risk assessment and identification processes that are aligned with our overall enterprise risk management (ERM) program. As part of the annual integrated risk assessment process, the cybersecurity team works with ERM, internal audit and our legal compliance function to assess and identify cybersecurity and related risks to our business. These risks are then included, as appropriate, in the updated ERM profile, with top risks being addressed in the cybersecurity yearly plan. As part of that process, we utilize both internal and third-party resources to identify risks. In addition, Internal Audit regularly conducts operational audits of the cybersecurity processes.
In evaluating the risks posed by third parties, our cybersecurity program also includes a dedicated Third Party Risk Management function that oversees the identification and mitigation of risk associated with outsourcing to third-party vendors and service providers, particularly focused on vendors who process personal information, intellectual property, or other sensitive information.
Finally, with regard to compliance risk, we utilize third party firms to help us determine compliance with industry standards and regulations. We also maintain a Data Privacy Steering Committee, which is a group of internal legal, risk and IT professionals, to assist management with fulfilling applicable data privacy regulations.
In order to protect our assets, we utilize a multi-layer defense strategy to control who logs on to our network and uses our computers and other devices. We have enforced multi-factor authentication, implemented firewalls, and deployed a VPN alternative solution that delivers a zero trust model for access to our network and resources. We also protect our data through our use of security software, which is regularly updated, encryption of sensitive data, both at rest and in transit, and by conducting regular data backups. We have formal policies for safely disposing of electronic files and old devices and we train all employees annually on cybersecurity and their crucial role in protecting the Company’s assets.
Detection. Our cybersecurity program includes robust tools and processes designed to detect breaches and other cybersecurity incidents as well as unauthorized access and unusual network activity. We utilize a security operations program with 24/7 monitoring by both internal and third parties that includes a variety of detection tools. We also utilize backstop detection and preventative measures, like malware detection.
Response. Our Cyber Security Incident Response Plan (the “Response Plan”) provides the methodology used by the Company to identify and respond to cyber security incidents. The Response Plan serves as a guide to facilitate a consistent and systematic response to cyber security incidents and is designed to (a) prevent or minimize disruption of critical information systems; (b) minimize loss or theft of sensitive information and/or funds; (c) quickly and efficiently remediate, report (including any public or internal company communications or required reporting) and recover from cyber security incidents; and (d) provide a centralized enterprise investigations process. The Response Plan also provides for incorporating lessons learned after an event to prevent future breaches of the same nature.
We utilize internal and external resources to evaluate the effectiveness and maturity of our cybersecurity program. We conduct regular penetration and vulnerability testing. We conduct annual tabletop exercises to test and iterate our Response Plan, while also providing training for the Response Plan working group. In addition, we conduct compliance training and regular phishing assessments for our employees.
To date, we have not experienced any cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, our business strategy, results of operations or financial condition. The cybersecurity risks that could materially affect Anywhere, including our business strategy, results of operations, or financial condition, are set forth in “Item 1A.—Risk Factors”.
Governance
Effective risk management is critical to Anywhere’s ability to achieve its strategy. The Board oversees management in exercising its responsibility for managing risk, considering our framework of policies, procedures, and processes to anticipate, identify, assess, prioritize, and mitigate risks across the Company.
Our Audit Committee shares oversight responsibility with the full Board for our information security and technology risks, including cybersecurity. Anywhere’s Chief Information Security Officer (CISO) reports to the Audit Committee on a quarterly basis and once a year to the full Board on the cybersecurity program, including the Company’s cyber risks and threats, the status of projects to strengthen the Company’s information security systems, assessments of the Company’s security program and the emerging threat landscape. Two Audit Committee members have significant business experience with respect to cybersecurity risks, namely the chair of the committee, who oversaw information security and data privacy as an Enterprise Risk Officer of a Fortune 500 publicly-traded company, and a member who is the Chief Product Data, Analytics and Technology Officer of a Fortune 500 publicly-traded company.
While the Board and the committees oversee our risk management, our CEO and other members of senior management (including the Risk Management Committee) are primarily responsible for day-to-day risk management analysis and mitigation and report to the full Board or the relevant committee regarding risk management. We believe this division of responsibility is the most effective approach for addressing our risk management.
Our CISO leads a dedicated internal Global Information Security (“GIS”) team that is responsible for leading enterprise-wide information cybersecurity strategy, policy, standards, architecture, and processes, all of which are designed to prevent, detect and respond to information security threats, as further described in “—Cybersecurity Strategy” above. The CISO’s experience includes more than 20 years in the security and fraud profession in multiple high-risk industries, including the critical infrastructure sector, and encompasses various cybersecurity leadership roles and almost seven years as a CISO. She is a Certified Information Systems Security Professional (CISSP) and has a Master’s Degree in Information Systems Management.
In support of the GIS team, the CISO leads the Information Security Steering Committee, a group of internal security leaders that ensures alignment between the company’s information security program and company objectives.
Overseeing enterprise-wide risk management is our Risk Management Committee, chaired by our General Counsel and comprised of key members of our executive management team, including the CISO. The Risk Management Committee meets regularly and plays a core role in the identification, monitoring, mitigation, and management of the risks the Company faces and oversees our enterprise risk management framework, including cybersecurity and data protection/privacy.
Through this dynamic risk assessment and governance process, the Risk Management Committee and Board consistently evaluate the risk environment and adjust the Company's risk profile, including cybersecurity and data privacy risks, and focus as needed to respond to industry and macroeconomic changes and to protect the Company.