M/I HOMES, INC. - (MHO)
10-K Filing Date: February 16, 2024
Item 1C. CYBERSECURITY
The Company’s Chief Information Officer (“CIO”) leads our Information Security Committee (a taskforce comprised of senior representatives from primary corporate functions, mortgage and title operations, IT infrastructure, IT security, and external security consultants), which is responsible for developing, updating, implementing and maintaining our cybersecurity strategy, policy (which leverages the NIST CSF framework), standards, architecture, and processes. The CIO provides annual reports to our Board of Directors, and periodic reports to our Chief Executive Officer (“CEO”), Chief Financial Officer (“CFO”) and Chief Accounting Officer (“CAO”), and other members of senior management, regarding existing and emerging cybersecurity risks and threats, the status of projects intended to strengthen our information security systems, and assessments of our information security program.
Members of senior management are notified by our Information Security Committee if any cybersecurity incident leads to a breach or loss of any data. These members of senior management are responsible for promptly determining if such an incident is material and notifying our CEO, CFO and our Board of Directors of the material incident and the impact that the incident has had, and is expected to have, on the Company’s reputation, results of operations, financial condition, and business strategy. The Company engages third-party auditors and consultants to evaluate and assist the Company in responding to cybersecurity threats and incidents, and, if necessary, monitoring any exposure of confidential company or customer data. The Company also actively engages with key vendors, industry participants, and intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies, procedures and strategy, assess our security status, and align our cybersecurity practices with current and emerging cybersecurity risks.
We conduct thorough security assessments of all third-party service providers before engagement and perform regular monitoring of the third-party service providers’ hosted applications designed to ensure compliance with our cybersecurity standards. This occurs through annual assessments by our internal audit function of the third party’s System and Organization Controls (“SOC”) 1 or SOC 2 report or through additional user access reviews by the internal business owner if a SOC 1 or SOC 2 report is unavailable.
Our CIO and his security management team possess primary responsibility for identifying, assessing, monitoring, and managing our cybersecurity risks. Our Board of Directors directly oversees cybersecurity risks, which includes conducting an annual review of the Company’s cybersecurity risks, management’s actions to identify and detect threats, management’s action plans for response and recovery situations, and review of recent enhancements to the Company’s defenses and strategic cybersecurity roadmap. In addition, the Audit Committee receives quarterly cybersecurity updates, which include a review of new processes implemented to monitor cyber risks, and a summary of any recent threats and the Company’s response to those threats.
Our CIO has over 30 years of experience in information technology, including a deep understanding of information technology governance, regulatory compliance and familiarity with the software, tools and programs used by his security management team to identify vulnerabilities, investigate incidents and implement appropriate security measures. In addition, our security management team maintains appropriate and relevant levels of education and certifications, such as Certified Information Security Manager (CISM) and Certified Ethical Hacker (CEH). Furthermore, all employees are required to complete a biannual security awareness training course focusing on data protection, phishing prevention, and credential protection.
As of the date of this report, we are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. However, we face a number of cybersecurity risks in the normal course of our business and, from time to time, experience threats to our data and systems, including malware and computer virus attacks. Notwithstanding the extensive measures we employ to address cybersecurity risks, we may not be successful in preventing or mitigating a cybersecurity incident that would be reasonably likely to materially affect us. Although we maintain cybersecurity insurance, the costs we incur related to cybersecurity threats or disruption may not be fully insured. See “Item 1A. Risk Factors” in Part I of this Annual Report on Form 10-K for more information regarding the risk factors associated with cybersecurity risks.