Harbor Custom Development, Inc. - (HCDIQ)

10-K Filing Date: March 29, 2024
ITEM 1C. CYBERSECURITY.

 

We appreciate the importance of preventing, assessing, identifying, and managing material risks associated with cybersecurity threats. In the ordinary course of our business, we collect and store certain confidential information about our employees, contractors, vendors, and suppliers. Consequently, we have established processes for managing material risks posed by cybersecurity threats.

 

 

 

Risk Management and Strategy

 

We have established information security practices to provide effective security controls to protect the privacy and confidentiality of our information. Where appropriate, these processes and policies are integrated into our overall risk management systems and processes.

 

To address cybersecurity risks and strengthen our defenses against potential threats, we employ a variety of measures. This involves staying up to date on emerging data protection laws and promptly adjusting our processes to ensure compliance. Our network is protected by regularly monitored firewalls with intrusion and malware protection. Our employees have also undergone training in customer data handling and usage requirements, proper internet usage, and secure email and social media use. Employees are encouraged to report all suspicious emails or communications to management. Regular phishing email simulations further enhance employee awareness and resilience against cyber threats. Alongside regularly updated endpoint protection provided by TrendMicro, Inc., multiple layers of redundancy are implemented through Microsoft365 and Datto, Inc., ensuring all company and employee data is safe from deletion, either accidental or deliberate.

 

Our processes also include assessing cybersecurity threat risks associated with our use of third-party service providers in the normal course of business, including those who have access to our customer and employee data or our systems. Additionally, we assess cybersecurity considerations in the selection and oversight of our third-party service providers, including due diligence on the third parties that have access to our systems and facilities that house systems and data.

 

We have not experienced any material computer data security breaches as a result of a compromise of our information systems, and we are not aware of, and have not had, a significant cybersecurity breach or attack that had a material impact on our business or operating results to date.

 

Protecting our information from cyber threats remains a persistent priority, and we are committed to identifying and assessing emerging risks related to data protection and cybersecurity. This commitment extends to our internal operations and our collaborations with third-party service providers.

 

Governance

 

Our Board of Directors is aware of the critical nature of managing risks associated with cybersecurity threats. Our Board of Directors has delegated to the Audit Committee the responsibility to oversee our cybersecurity efforts and cyber-related risks. The Audit Committee, which is composed entirely of independent directors, oversees risk assessment, training programs, significant threat changes, and vulnerabilities as well as the effectiveness of any information security practices.

 

Although none of the members of the Audit Committee has any work experience, degree, or certifications related to information security or cybersecurity, the Audit Committee is often guided by IT professionals on cybersecurity-related issues. Periodically, the Audit Committee receives an overview from IT professionals on our cybersecurity threat risk management and strategy processes, including potential impact on our company, the efforts of management to manage the risks that are identified, and our disaster recovery preparations. IT professionals provide updates to inform and educate our Audit Committee and Board of Directors on current trends of cybersecurity threats, emerging trends, and best practices.

 

Our cybersecurity risk management and strategy processes, as highlighted above, were led by our IT director. Our IT director had over 20 years of experience in managing information security, developing cybersecurity strategy, and implementing cybersecurity programs. The IT director monitored the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of the cybersecurity risk management and strategy processes described above. Subsequent to the year ended December 31, 2023, our IT Director no longer works for the Company, effective February 14, 2024. We have hired a third-party IT service provider to assist with the responsibilities previously conducted by the former IT Director.

 
