Kennedy-Wilson Holdings, Inc. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

Kennedy-Wilson Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 16:31:27 EST.

Filings

10-K filed on 2024-02-22

Kennedy-Wilson Holdings, Inc. filed an 10-K at 2024-02-22 16:31:27 EST
Accession Number: 0001408100-24-000060

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk management and strategy We have implemented and maintain a cybersecurity risk management program that includes information security processes designed to prevent, detect, remediate, and manage material risks from cybersecurity incidents and threats to our critical computer networks, third-party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and tenant data ( Information Systems and Data ). We design and assess our program based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This does not imply that we meet any particular technical standards, specifications, or requirements at all times, only that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our cybersecurity risk management program includes: risk assessment processes to monitor, evaluate and identify risks to our Information Systems and Data; a multidisciplinary team, including members from our executive management team, our information security and technology function, and legal team (internal and engaged external experts) to identify, assess, and manage cybersecurity threats and risks; security tools throughout our IT environment to monitor for and identify cybersecurity risks and incidents; the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security processes; technical, physical, and organizational measures, processes, standards, and/or policies to address cybersecurity threats to our Information Systems and Data; cybersecurity awareness training of our employees, incident response personnel, and senior management; and a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents. We are not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents, which have materially affected or are reasonably likely to materially affect our Company, including our business strategy, results of operations, or financial condition. Please refer to Item 1A. Risk factors in this annual report on Form 10-K, including Our business could be adversely affected by security breaches through cyber-attacks, cyber intrusions or otherwise. , for additional discussion about cybersecurity-related risks. Governance Our Board of Directors holds oversight responsibility over the Company s strategy and risk management, including material risks related to cybersecurity threats. This oversight is executed directly by the Board of Directors and through its committees. The Audit Committee of the Board of Directors (the Audit Committee ) oversees the management of systemic risks, including cybersecurity. The Audit Committee engages in regular discussions with management and engaged consultants 31 Table of Contents and legal advisers regarding the Company s significant financial risk exposures and the measures implemented to monitor and control these risks, including those that may result from material cybersecurity threats. These discussions include the Company s risk assessment and risk management policies. Our management, represented by our Chief Financial Officer and Vice President, Information Systems, lead our cybersecurity risk management processes and oversees their implementation and maintenance. Management is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company s overall risk management strategy, communicating key priorities to relevant personnel, approving budgets, approving cybersecurity processes, and reviewing cybersecurity assessments and other cybersecurity-related matters. As described above, we also have engaged a third-party IT and cybersecurity firm that works closely with our management to implement and manage our processes and controls to assess, identify, and manage material risks from cybersecurity threats. Our management and information systems teams, oversee the work of our third-party IT and cybersecurity firm and regularly communicates with members of the team. Members of this third-party IT and cybersecurity team have collectively over 54 years of prior work experience and are responsible for the implementation of our cybersecurity strategy and responses as well as individuals having the position of cybersecurity analyst, cybersecurity engineer. In addition, our Vice President, Information Systems, has 38 years of prior work experience in information systems and technology, including with respect to cybersecurity issues and threats. Through the policies and controls described above, including our incident response policy, members of our management team, including our Chief Financial Officer, our Executive Vice President, Global Risk Management and our General Counsel, as well as representatives of the third-party IT and cybersecurity team are informed about cybersecurity threats and incidents affecting our information systems and direct our efforts to prevent, detect, mitigate, and remediate cybersecurity threats and incidents. Management, including the Vice President, Information Systems and Executive Vice President, Global Risk Management, serves on the Company s incident response team to help the Company address cybersecurity incidents. In addition, the Company s incident response processes include reporting to the Audit Committee for certain cybersecurity incidents. The Audit Committee holds quarterly meetings and receives periodic reports from management, including our Chief Financial Officer, concerning the Company s significant cybersecurity threats and risk and the processes the Company has implemented to address them. The Audit Committee also receives periodic reports from the Company’s internal audit team with respect to regular network penetration and related tests to ensure that the Company’s defense tools, processes and procedures are operating as designed.

Company Information