Green Brick Partners, Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

Green Brick Partners, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 16:48:09 EST.

Filings

10-K filed on 2024-02-29

Green Brick Partners, Inc. filed an 10-K at 2024-02-29 16:48:09 EST
Accession Number: 0001373670-24-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY The Audit Committee ( Audit Committee ) of the Company s Board of Directors (the Board ) is actively involved in oversight of the Company s risk management program, and cybersecurity represents an integral component of the Company s overall approach to enterprise risk management ( ERM ). A cybersecurity threat is any potential unauthorized occurrence, on or conducted through, the Company s information systems that may result in adverse effects on the confidentiality, integrity or availability of the Company s information systems or any information residing therein. The Company s cybersecurity policies, standards, processes and practices are fully integrated into the Company s ERM program and are based on recognized frameworks established by the Center for Internet Security Cybersecurity Framework. In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that the Company collects and stores by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. Cybersecurity risk management and strategy As one of the critical elements of the Company s overall ERM approach, the Company s cybersecurity program is focused on the following key areas: Collaborative Approach: The Company has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the disclosure and reporting of such material incidents may be made by management in a timely manner. Technical Safeguards: The Company deploys technical safeguards that are designed to protect the Company s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, 18 TABLE OF CONTENTS anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. Incident Response and Recovery Planning: The Company has established and maintains incident response and recovery plans that address the Company s response to a cybersecurity incident, and such plans are tested and evaluated on a regular basis. Third-Party Risk Management: The Company maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company s systems, as well as the systems of third parties that could adversely impact the Company s business in the event of a cybersecurity incident affecting those third-party systems. Outside Consultants: The Company engages various outside consultants, including contractors, auditors, and other third parties, to among other things : monitor Company networks, servers and endpoints to identify vulnerabilities; conduct bi-weekly email phishing campaigns for Company employees to evaluate employee responses to such campaigns, identify vulnerabilities and advise on possible attack preparedness and responses; obtain information of a cybersecurity incident and isolate compromised systems and electronic data from further exposure; and determine and execute mitigation and remediation options and plans. Education and Awareness: The Company provides annual, mandatory training for personnel regarding cybersecurity threats as a means to equip the Company s personnel with effective tools to address cybersecurity threats, and to communicate the Company s evolving information security policies, standards, processes and practices. If an employee fails a bi-weekly phishing campaign they are re-enrolled in the Company s cybersecurity awareness training. The Company conducts periodic assessment and testing of the Company s policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including annual penetration testing, adoption of an incident response plan, employee email phishing campaigns, email security monitoring, real-time vulnerability scanning and intrusion detection, employee cyber security awareness program, real-time (offsite) backups of production systems, regular audits and progress reports, and continuous improvement of the information security management system. The Company engages third parties, which it believes is the top of the market, to perform assessments on the Company s cybersecurity measures, including audits and independent reviews of the Company s information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the Audit Committee, and the Company adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews. Governance As discussed above, the Board has delegated to the Audit Committee the responsibility for monitoring and overseeing the Company s cybersecurity and other information technology risks, controls, strategies and procedures. The Audit Committee periodically evaluates the Company s information security strategies to ensure its effectiveness and, if appropriate, may also include a review from third-party experts. The Company s Vice President of IT reports to the Audit Committee as part of every regularly scheduled quarterly meeting of the Audit Committee (or more frequently, as needed) regarding technological risk exposure and cybersecurity risk management strategy. In addition, the full Board may review and assess cybersecurity risks as part of its responsibilities for oversight of the Company s broad ERM program. The Company s Vice President of IT, Randall Anderson, in coordination with the Company s Chief Executive Officer ( CEO ), Chief Financial Officer ( CFO ), and General Counsel ( GC ), works collaboratively across the Company to implement a program designed to protect the Company s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company s incident response and recovery plans. The Company maintains a cyber incident response plan to timely, consistently, and compliantly address cybersecurity threats that may occur despite the Company s safeguards. The response plan covers preparation, detection and analysis, containment and investigation, notification (which may include timely notice to the Board if deemed material or appropriate), eradication and recovery, and incident closure and post-incident analysis. The Company retains a third-party cyber security firm to leverage in the event of a cyber security incident. The Company s response planning is reviewed annually and kept up to date with industry developments. The scope of this plan is enterprise-wide and includes the Company s business units and subsidiaries. Through ongoing communications with management, the Company s Vice President of IT monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and reports such threats and incidents to the Audit Committee when appropriate. 19 TABLE OF CONTENTS Management s Expertise Mr. Anderson holds a bachelor s degree in business administration with a focus on supply chain management and operations engineering from the University of Texas at Austin. He has served in various roles in information technology and information security for over 10 years, including as an IT business analyst with another publicly traded homebuilder where he was responsible for maintaining production data structures and system trainings. Mr. Anderson currently serves as a CyberUSA advisory board member where he regularly attends seminars given by cyber industry experts, including certain governmental agencies. Mr. Anderson is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. Staying informed on developments in the cyber industry is crucial to the Company s effective prevention, detection, mitigation and remediation of any cybersecurity incidents. In addition, the Company s CEO, CFO and GC each hold undergraduate and graduate degrees in their respective fields, and each have over 20 years of experience managing risks at the Company or at similar companies, including risks arising from cybersecurity threats. Risks from Cybersecurity Threats Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected or are reasonably likely to affect the Company, including its business strategy, results of operations or financial condition.

Company Information