M.D.C. HOLDINGS, INC. - (MDC)
10-K Filing Date: January 30, 2024
Item 1C. Cybersecurity.
The Company understands the importance of preventing, assessing, identifying, and managing material risks associated with cybersecurity threats. Cybersecurity processes to assess, identify and manage risks from cybersecurity threats have been incorporated as a part of the Company’s overall risk assessment process. On a regular basis we implement into our operations these cybersecurity processes, technologies, and controls to assess, identify, and manage material risks. Specifically, we engage a third-party cybersecurity firm to assist with network and endpoint monitoring, cloud system monitoring and assessment of our incident response procedures. Further, we employ periodic penetration testing and tabletop exercises to inform our risk identification and assessment of material cybersecurity threats.
To manage our material risks from cybersecurity threats and to protect against, detect, and prepare to respond to cybersecurity incidents, we undertake the below listed activities:
a. Monitor emerging data protection laws and implement changes to our processes to comply;
b. Conduct periodic customer data handling and use requirement training for our employees;
c. Conduct annual cybersecurity management and incident training for employees involved in our systems and processes that handle sensitive data;
d. Conduct regular phishing email simulations for all employees; and
e. Carry cybersecurity risk insurance that provides protection against the potential losses arising from a cybersecurity incident.
Our incident response plan coordinates the activities that we and our third-party cybersecurity provider take to prepare to respond and recover from cybersecurity incidents, which include processes to triage, assess severity, investigate, escalate, contain, and remediate an incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.
As part of the above processes, we engage with consultants to review our cybersecurity program to help identify areas for continued focus, improvement, and compliance.
Our processes also include assessing cybersecurity threat risks associated with our use of third-party services providers in the normal course of business, including those in our supply chain or who have access to our customer and employee data or our systems. Third-party risks are included within our risk management process discussed above. In addition, we assess cybersecurity considerations in the selection and oversight of our third-party services providers, including due diligence on the third parties that have access to our systems and facilities that house systems and data.
We describe whether and how risks from identified cybersecurity threats have affected or are reasonably likely to affect our financial position, results of operations and cash flows, under the heading “Information technology failures and cybersecurity breaches could harm our business” included as part of our Item 1A. Risk Factors of this Annual Report on Form 10-K, which disclosures are incorporated by reference herein.
Our Audit Committee of the Board of Directors is responsible for oversight of our risk assessment, risk management, disaster recovery procedures and cybersecurity risks. Periodically during each year, the Audit Committee receives an overview from our Vice President of IT of our cybersecurity threat risk management and strategy processes, including potential impact on the Company, the efforts of management to manage the risks that are identified and our disaster recovery preparations. Members of the Board of Directors regularly engage in discussions with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs.
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Vice President of IT. Our Vice President of IT has over 20 years of experience in various roles involving managing information security, developing cybersecurity strategy, and implementing cybersecurity programs. The Vice President of IT is informed about and monitors the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of the cybersecurity risk management and strategy processes described above, including our incident response plan.