CAVCO INDUSTRIES INC. - (CVCO)
10-K Filing Date: May 24, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
We maintain a comprehensive cybersecurity risk management program modeled on relevant standards published by organizations such as the National Institute of Standards and Technology ("NIST") and the International Organization for Standardization ("ISO"), including the ISO 27001 information security standard. Our cybersecurity program is part of our enterprise risk management strategy and includes policies and procedures designed to safeguard the confidentiality, integrity, and availability of our information assets.
Our cybersecurity program includes an incident response plan. The plan addresses the detection, reporting, analysis, response, recovery, communication, documentation, and post-incident review of cybersecurity incidents. We test and evaluate this plan on a routine basis. We train our team members on cybersecurity risks and their mitigation and retain experienced cybersecurity consultants prepared to assist us in the event of a breach. For material cybersecurity risks, we have developed mitigation measures to reduce the likelihood that a risk materializes, its expected impact, or both. Such mitigation measures have included, among other things, implementing additional technology controls or policies, increasing training for Company personnel, and obtaining additional insurance for the identified risk. Our Information Technology ("IT") team monitors material risks over time and updates the Company’s mitigation measures as appropriate. The IT team also regularly reports to the Company’s leadership team on the status of material risks, mitigation measures, and incidents related to such risks.
In addition to our incident response plan, we perform risk assessments throughout the year to identify and remediate potential cybersecurity threats and vulnerabilities. In connection with our assessment of potential cybersecurity risks, our IT team engages in threat modeling, vulnerability scanning and penetration testing.
We have also implemented a process to evaluate and review potential cybersecurity risks arising from our use of third-party vendors. As part of our vendor engagement protocols, we consider, among other things, each potential vendor’s data backup procedures, incident reporting protocols, and data privacy and encryption practices.
In addition to our internal exercises to test aspects of our cybersecurity program, we engage independent third parties annually to assess the risks associated with our IT resources and information assets. Among other matters, these third parties analyze how users, including employees, interact with our information technology resources, and conduct penetration tests and scanning exercises to assess the performance of our cybersecurity systems and processes. Annually, we examine our cybersecurity program with these third parties, evaluating its effectiveness in part against industry standards and established frameworks, such as those published by NIST, used as guidelines.
For a discussion of how risks from cybersecurity threats affect our business, see “Part 1. Item 1A. Risk Factors – Risk Related to our Business – Information technology failures and data security breaches could harm our business” in this Annual Report on Form 10-K. As of the date of this Annual Report, we do not believe that any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have materially affected or are reasonably likely to have a material adverse effect on us, our business strategy, results of operations, or financial condition.
Cybersecurity Governance
Our Board has overall responsibility for risk oversight, with its committees assisting the Board in performing this function based on their respective areas of expertise. Our Board has delegated oversight of risks related to cybersecurity to the Legal and Compliance Oversight ("LCO") Committee and the review of materiality determinations of cyber incidents to the Audit Committee.
The LCO Committee is charged with, among other responsibilities, reviewing our cybersecurity processes for assessing key strategic, operational, and compliance risks. Further, the LCO Committee receives periodic reports on cybersecurity risks and management of those risks from our Senior Director of IT Governance, Risk and Compliance (“Senior Director”). The Senior Director’s presentations to the LCO Committee include assessments of cyber risks, the threat landscape, updates on incidents, and reports on our investments in cybersecurity risk mitigation and governance.
The Chair of the Audit Committee is regularly informed of both material and non-material cybersecurity risks and incidents. The full Audit Committee is notified any time our incident response program has determined that a cybersecurity incident is material or requires reporting to a regulatory body.
Our cybersecurity team is led by our Senior Director, who reports directly to our Chief Financial Officer and is responsible for assessing and managing cybersecurity risks. The Senior Director is a Certified Information Systems Security Professional and a Certified Information Systems Auditor with over 20 years of experience evaluating and remediating IT risk, and leads security control implementation, risk and compliance monitoring, security tool management, and incident response planning. Reporting to the Senior Director, the Director of Information Security possesses expert knowledge of threat modeling and vulnerability testing methodologies. The Director of Information Security leads efforts to build security into all IT processes and procedures to protect against risks related to data leakage, broken authentication, injection flaws, improper encryption, and attacks on other application vulnerabilities.