PULTEGROUP INC/MI/ - (PHM)

10-K Filing Date: February 05, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

We have established processes and policies for assessing, identifying and managing material risks posed by cybersecurity threats. Our processes and policies are based upon the National Institute of Standards and Technology (NIST) Cybersecurity Framework with our processes focused on: (i) developing organizational understanding to manage cybersecurity risks, (ii) applying safeguards to protect our systems, (iii) detecting the occurrence of a cybersecurity incident, (iv) responding to a cybersecurity incident and (v) recovering from a cybersecurity incident. Where appropriate, these processes and policies are integrated into our overall risk management systems and processes. For instance, all of our employees with network access are required to complete information security and privacy training on an annual basis. We are continuously working to improve our information technology systems and provide employee awareness training around phishing, malware, and other cyber risks to enhance our levels of protection. We have engaged independent consultants and other third parties to assist us in establishing and improving our policies. We conduct tabletop exercises with outside consultants at least annually to test our processes and policies and use feedback from those exercises to improve our processes. Our senior management and members of the Audit Committee of our Board of Directors participate in those exercises. Our processes and policies include the identification of those third-party relationships which have the greatest potential to expose us to cybersecurity threats and, upon identification, we conduct additional due diligence as a part of establishing those relationships. We also maintain cybersecurity insurance coverage as part of our overall insurance portfolio.

For additional information concerning cybersecurity risks we face, see Item 1A Risk Factors – Information technology failures or data security breaches could harm our business and result in substantial costs.

Governance

Cybersecurity and risks related to our information technology and other computer resources are an important focus of our Board of Directors’ risk oversight. Our Audit Committee receives materials on a frequent basis to address the identification and status of information technology cybersecurity risks, and management, including our Chief Information Officers (CIO) and Chief Information Security Officers (CISO), provides quarterly updates to our Audit Committee and an annual update to our Board of Directors with respect to cybersecurity matters.

Aspects of the information systems of our Homebuilding operations and our Financial Services operations are separate and distinct, and therefore each operation has a separate CIO and CISO. The CIOs are responsible for managing their respective CISO and ensuring their information security team is assessing and managing cybersecurity risks in accordance with our processes and procedures. Each of our CIOs has over 20 years’ experience managing enterprise information technology systems. The CISO of our Homebuilding operations is a certified information security manager as certified by the Information Systems Audit and Control Association (ISACA).

Pursuant to our Cybersecurity Incident Response Plan (CIRP), when a cybersecurity event has been identified through our detection processes, it is assessed in order to determine whether the event is a cybersecurity incident. Our CIRP designates the primary manager of a cybersecurity incident, describes the parties who should be informed about the incident and outlines the processes for containment, eradication, recovery and resolution of the incident. Depending on the severity and impact of a cybersecurity threat, members of our senior management team and Board of Directors are notified of an incident and kept informed of the mitigation and remediation of the incident. We are not aware of any material cybersecurity incidents in the last three years.