Century Communities, Inc. - (CCS)

10-K Filing Date: February 03, 2024
ITEM 1C. CYBERSECURITY.

Background

Cybersecurity, data privacy, and data protection are critical to our business. In the ordinary course of our business, we collect and store certain confidential information such as personal information of homebuyers and borrowers and information about our employees, contractors, vendors, and suppliers. Our Financial Services business relies heavily on the secure processing, storage, and transmission of sensitive and confidential financial, personal, and other information in our computer systems and networks. As such, we have established information security practices leveraging the National Institute of Standards and Technology (NIST) Cybersecurity Framework to measure our security posture, deliver risk management, and provide effective security controls to protect the privacy and confidentiality of our information. Our information security practices include the development, implementation, and improvement of policies and procedures to safeguard information and ensure availability of critical data and systems. Our program further includes review and assessment by external, independent third parties, who assess and report on our defense posture and internal incident response preparedness and help identify areas for continued focus and improvement.

Role of Management

We have an Information Security team that is led by our Chief Information Officer (CIO). Our CIO has led Century Communities' IT efforts since 2016, overseeing multiple acquisitions while modernizing the IT environment. He has held technology leadership roles in both the public and private sectors, with more than 20 years of experience as an IT leader in the homebuilding industry. In that time, our CIO has managed broad initiatives and teams, including IT operations, cybersecurity, business systems, mergers and acquisitions, communications, and business intelligence. His in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. Our CIO reports to our Corporate General Counsel.

We are a member of the Center for Internet Security (CIS), which assists our management with policy and technical support. Some of the benefits of our CIS membership include direct access to cybersecurity advisories and alerts, vulnerability assessments and incident response for entities experiencing a cyber threat, secure information sharing through the Homeland Security Information Network (HSIN) portal, tabletop exercises, and weekly malicious domain/IP reports.

The CIO, in his capacity, regularly informs the Corporate General Counsel, Chief Financial Officer (CFO) and Co-Chief Executive Officers (CEOs) of all aspects related to cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks we are facing.

The CIO and the other members of senior management play a key role in informing the Audit Committee on cybersecurity risks. They provide comprehensive briefings to the Audit Committee on a regular basis, with a minimum frequency of twice per year. These briefings encompass a broad range of topics, including emerging threats, status of ongoing cybersecurity initiatives and strategies, incident reports, and updates regarding compliance with regulatory requirements and industry standards.

In addition to our scheduled meetings, the Audit Committee, CIO and other members of senior management maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Together, they receive updates on any significant developments in the cybersecurity field, ensuring the Board’s oversight is proactive and responsive. Senior management actively participates in strategic decisions related to cybersecurity, offering guidance and approval for major initiatives, and is involved in incident materiality determinations that would trigger cybersecurity incident disclosure obligations. This active involvement ensures that cybersecurity considerations are integrated into our broader strategic objectives.

Use of Consultants and Advisors

We engage with a range of external experts, including cybersecurity assessors, consultants, auditors, and legal counsel in evaluating and testing our risk management systems. This enables us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes remain current.

Since September 2022, we have engaged a seasoned cyber consultant from the global cybersecurity risk firm, Kroll, LLC, to provide CISO-level advisory services to assist our technology teams, business leadership and Board of Directors with guidance and direction as we strengthen our security systems and improve our cyber readiness, as well as to provide insight and intelligence on existing and emerging threat landscapes. The scope of service includes reviewing our current information security policies, past and current security reports, cybersecurity program, and staffing models to assess our ability to prevent and respond to cyberattack incidents and mitigate any impacts they may have.

In addition, we have retained special data security legal counsel at a leading U.S. law firm whose practice focuses on data breach response and security compliance issues. This legal counsel is specialized in investigating and responding to an event compromising information and systems security, working closely with client resources, third-party forensic consulting experts and law enforcement to identify the nature and scope of a compromise. We also have retained special data privacy legal counsel to assist us in our compliance with the data privacy laws in the various jurisdictions in which we operate our business.

Board Oversight

The Board of Directors is aware of the critical nature of managing risks associated with cybersecurity threats. Our Board of Directors has delegated to the Audit Committee the responsibility to oversee our cybersecurity efforts and cyber-related risks. The Audit Committee, which is composed entirely of independent directors, oversees (i) our information security policies, including periodic assessment of the risk of an information security breach, our training program, significant changes in threats and vulnerabilities, and monitoring metrics, and (ii) the effectiveness of information security policy implementation.

As mentioned above, our management team meets with the Audit Committee at least twice a year to review and discuss risk exposure related to our IT systems and data privacy. The purpose of these management updates is to inform the Audit Committee of any potential risks related to our IT systems and data privacy, as well as any relevant mitigation or remediation tactics being implemented. The management team and/or Audit Committee, in turn, regularly provide data protection and cybersecurity reports to the full Board of Directors.

The Audit Committee is composed of members with diverse expertise, including risk management, technology, and finance. Although none of the members of the Audit Committee have any work experience, degree, or certifications related to information security or cybersecurity, the Audit Committee has retained and consulted with Kroll to assist the Audit Committee in its cybersecurity oversight responsibilities. Because the methods and sources of cyberattacks change frequently, Kroll provides invaluable, ongoing updates to inform and educate our Board of Directors on current cybersecurity threats, emerging trends, and best practices. Kroll typically attends and presents at two Board meetings each year.

Risk Management and Strategy

We have integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. Our risk management team and Information Security team work closely with our IT department to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. We utilize the NIST Cybersecurity Framework to manage our cybersecurity-related risk. The NIST Cybersecurity Framework outlines 108 subcategories of security controls and outcomes over five functions: identify, protect, detect, respond, and recover.

In November 2022, Kroll conducted a security maturity assessment of our security system. To perform its assessment, Kroll met with members of our key staff and requested to review documents including, but not limited to, our policies, procedures, past security assessments and penetration tests, documentation regarding network architecture, and security road maps and plans. The Century Communities Information Security team has been working with Kroll to identify potential deficiencies in each category and to close the identified gaps. With Kroll's assistance, we have implemented several industry-leading solutions, policies, and practices to close those findings and have matured Century's defense and resiliency postures. We also have developed an Information Security Incident Response Policy, which has been peer reviewed by Kroll. Additionally, we have retained Kroll to assist us in conducting tabletop exercises to evaluate our incident response plan and response capabilities, most recently in September 2023.

The company primarily manages risks for cybersecurity threats associated with its third-party service providers through evaluations and assessments during vendor selection, contract negotiations and contract renewals.

Our Information Security team conducts annual information security awareness training for all employees. In addition, we have retained a third-party vendor to provide regular online awareness training modules for our employees on important topics such as spoofed logins, impersonation attacks, identity theft, stolen laptops, and passwords. Each module contains a video vignette followed by a quick quiz.

In the past three years, we have not experienced any material computer data security breaches as a result of a compromise of our information systems, and we are not aware of, and have not had, any significant cybersecurity breach or attack that had a material impact on our business or operating results to date.

Maintaining a robust information security system is an ongoing priority for us and we plan to continue to identify and evaluate new, emerging risks to data protection and cybersecurity both within our Company and through our engagement of third-party service providers like Kroll.