Howard Hughes Corp 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

Howard Hughes Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 16:13:45 EST.

Filings

10-K filed on 2024-02-27

Howard Hughes Corp filed an 10-K at 2024-02-27 16:13:45 EST
Accession Number: 0001628280-24-007218

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Our cybersecurity program is an enterprise-wide, risk-based program that is designed to support the security, confidentiality, integrity, and availability of our systems and information. We conduct periodic assessments of the cybersecurity program to identify and manage material cybersecurity threats and risks using internal teams and independent third parties. The assessment results are used to develop appropriate cybersecurity controls best practices and risk mitigation strategies, which are then implemented throughout the Company. We rely on our systems and networks to support our business activities. As some of these networks and systems are managed by third parties, our cybersecurity program also includes evaluation and monitoring of cybersecurity risks associated with its use of third-party service providers. We also leverage third-party experts and vendors to help manage our cybersecurity program, audit the effectiveness of our existing cybersecurity controls, and make recommendations for improvements and best practices. We utilize a Managed Detection and Response service that provides threat intelligence, technology, and specialist expertise to protect our systems and networks from cyber threats. We require all third parties with access to our information systems or data to maintain industry standard cybersecurity programs and to report actual or suspected security incidents to us. We employ a range of tools and strategies to mitigate cybersecurity risks, regularly testing them for effectiveness. Additionally, we continuously assess and improve our cybersecurity stance by conducting vulnerability scans, internal and external network penetration tests, and by integrating threat intelligence updates. We also have specific tools to provide real time, continuous monitoring and protection of our endpoints. To the extent that our proactive monitoring and testing identifies weakness in our cybersecurity readiness, these weaknesses are tracked and remediated as part of our cybersecurity program. Our employees receive security awareness training on an annual basis and are subjected to phishing training and phishing tests throughout the year. Annually, we perform tabletop exercises to test our cybersecurity incident response plan that is kept within our written information security program (WISP). Our cybersecurity program is aligned with industry standards and best practices such as the National Institute of Standards and Technology Cybersecurity Framework. As of the date of this report, we are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. However, along with all companies of a similar size, we face common cybersecurity threats. These threats include ransomware and denial-of-service, including sophisticated attacks from criminal ransomware groups and nation state actors. Our customers, supply-chain providers, and subcontractors face similar cybersecurity threats, and an incident impacting us or any of these entities could materially adversely affect our business operations. Governance Management is responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents as well as the Company s overall information security strategy, policy, and operations. The cybersecurity program is executed by the Company s Senior Vice President of IT Governance, Risk, and Compliance, who has over 15 years of cybersecurity experience in overseeing and managing cybersecurity risk. He is also responsible for maintaining and, in the event of an actual suspected security incident, executing the Company s WISP. HHH s Board of Directors recently formed a technology committee (the Technology Committee) to assume governance and oversight of our cybersecurity program from HHH s Audit Committee. This includes reviewing the cybersecurity program s strategy and effectiveness, the cybersecurity landscape and emerging threats, and reports from any cybersecurity events. The Technology Committee also oversees cybersecurity and digital strategy and, whenever necessary, will communicate with, or advise management to consult with, the HHH Audit Committee regarding technology, digital, and other innovation-related matters that relate to or affect the Company s internal control systems. The Technology Committee will actively participate in strategic cybersecurity decisions and will be responsible for approving major initiatives. Management will provide updates to the Technology Committee on a quarterly basis and will continue to provide updates to the full Board of Directors on an annual basis. When appropriate, the Technology Committee will inform HHH s Board of Directors on important matters. Furthermore, HHH s Board of Directors would be notified in accordance with the Company s incident response plan, of any suspected cyber incidents that may have at least a moderate business impact on the Company. HHC 2023 FORM 10-K | 20 PROPERTIES Table of Contents Index to Financial Statements

Company Information