Meritage Homes CORP - (MTH)
10-K Filing Date: February 14, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Our ability to conduct our business may be impaired, or our customer and employee personal information may be vulnerable, if our IT resources are compromised, degraded, damaged or fail. Such events may include, but are not limited to: a virus or other harmful circumstance; intentional penetration or disruption of our information technology resources by a third party; natural disaster; hardware or software corruption or failure or telecommunications system failure; service provider error or failure; intentional or unintentional personnel actions (including the failure to follow our security protocols); or lost connectivity to our networked resources. We prioritize cybersecurity and consumer data privacy. Our IT department is responsible for coordinating the protection of our information systems and the data they maintain.
In order to manage technology risk and secure technology ecosystems, our information security framework is based on the National Institute of Standards and Technology ("NIST") principles, which we execute through our adherence to the Center for Internet Security ("CIS18") control framework. The CIS18 framework provides us the ability to align measurable controls to actions and benchmark against recognized standards. Using these recognized industry standards, we approach cyber risk management utilizing multiple layers of policies and technology to detect, protect against, and respond to cyberattacks. Following our multi-pronged approach to protecting our systems and data, we:
• administer monthly mandatory ongoing information security training for all employees throughout the year;
• maintain a privacy policy, security protocols and internal security controls;
• use a zero trust network that verifies the device and user identity while restricting network access to only what is needed;
• limit access to network resources to only devices that are owned and administered by the Company;
• require multi-factor authentication for all employee user accounts;
• maintain application-aware firewalls to limit cyberattack access to data;
• use data breach detection software and a cybersecurity operations center that actively monitors our systems;
• conduct internal technical cyber incident exercises with the information security team and our third-party cybersecurity service providers; and
• conduct an annual independent comprehensive security assessment, including penetration and vulnerability testing along with ransomware simulation, to evaluate the security of our environment and provide us the opportunity to understand and address any deficiencies in our security program.
We review all third-party technology vendors and technology service providers for the following: access management controls including physical safeguards, disaster recovery capabilities, data privacy and notification processes, onboarding processes, incident response procedures, and periodic independent testing of the vendor's capabilities. In addition, we review annually the System and Organization Controls ("SOC") Type 1 and SOC Type 2 reports of all of our third-party vendors hosting our data to ensure they conform to those requirements.
We also have response and recovery protocols in place to address potential cyberattacks, including a disaster recovery plan and an incident response plan that includes defined incident severities and response matrices. These plans are reviewed and updated at least annually, and we maintain third-party cybersecurity insurance. We did not have any material cybersecurity incidents during the fiscal years covered by this report. For a discussion of how risks from cybersecurity threats affect our business, see Part I, Item 1A - "Risk Factors – Operational Risks – Information technology failures and data security breaches could harm our business" in this Annual Report on Form 10-K.
Governance
Cybersecurity and affiliated risks related to our information technology are a key component of our Board of Directors' ("Board") risk oversight. The Audit Committee assists the Board in evaluating our information and cybersecurity risks and overseeing our efforts to mitigate these risks. Our Audit Committee is also responsible for reviewing and analyzing significant financial and operational risks and how management is managing and mitigating such risks through its internal controls and financial risk management processes, and is regularly engaged in discussions with management regarding business risks, operational risks, transactional risks, cybersecurity and financial risks. Our Chief Information Officer provides a formal update to our Audit Committee at least twice per year, reviewing cybersecurity risks, trends, plans for future actions and measurements against recognized external cybersecurity frameworks and benchmarks.
Our cybersecurity program is led and managed by experienced technology leadership that drives the creation of our security strategy, policies, and procedures and possesses expert knowledge in the execution of the related controls and safeguards. Our Chief Information Officer (CIO) has more than 30 years of experience working in information technology, including chief information officer roles in the financial services, banking, healthcare, and hospitality sectors. While in those roles, the CIO has led governance, risk, and compliance technology programs and information security programs. Supporting the CIO is a dedicated cybersecurity team that designs and monitors the cybersecurity control framework and implements cybersecurity control systems and solutions. This cybersecurity team collectively holds the following degrees and certifications: Master's in Cybersecurity, Certified Information Systems Security Professional, Certified Information Security Manager, Microsoft Certified Cybersecurity Architect Expert, Graduate Certificates in Enterprise Cybersecurity and Data Science, Security+ and Certified Information Systems Auditor.