ST JOE Co 10-K Cybersecurity GRC - 2025-02-26

Page last updated on July 27, 2025

ST JOE Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 16:18:01 EST.

Filings

10-K filed on 2025-02-26

ST JOE Co filed a 10-K at 2025-02-26 16:18:01 EST
Accession Number: 0001558370-25-001603


Item 1C. Cybersecurity.

We maintain a data security plan designed to provide a documented and formalized information security policy to detect, identify, classify and mitigate cybersecurity and other data security threats. This cybersecurity program is based in-part on, and its effectiveness is measured using, the Payment Card Industry Data Security Standard (“PCI DSS”), the National Institution of Standard and Technology (“NIST”), and the System and Organization Control (“SOC”), all of which are integrated into our overall enterprise risk management program. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes.

In furtherance of detecting, identifying, classifying and mitigating cybersecurity and other data security threats including such threats associated with our use of any third-party vendors, we also:

● assess baseline configuration standards to meet the intent and effectiveness for overall safety and security (both logically and physically) of critical system components;
● track asset inventory for relevant system components;
● maintain network connection arrangement documents;
● limit access rights to system components to authorized personnel, with end-users being granted access in accordance with stated access rights;
● deploy anti-virus solutions on applicable system components, which are enabled for automatic updates and configured for conducting periodic scans as necessary;
● provision and harden critical system resources;
● use internal and external vulnerability scanning procedures, along with network layer and anti-hacking tests;
● facilitate requests for validation of baseline configurations for purposes of regulatory compliance assessments and audits;
● provide cybersecurity training for employees; and
● perform Quarterly User Access Reviews (“UAR”).

Conducting our businesses involves the collection, storage, use, disclosure, processing, transfer, and other handling of a wide variety of information, including personally identifiable information, for various purposes in our businesses. Like other comparable-sized companies that process a wide variety of information, our information technology systems, networks and infrastructure and technology have been, and may in the future be, vulnerable to cybersecurity attacks and other data security threats. As of the date of this Form 10-K, we do not believe any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect us, including our results of operations or financial condition. However, cybersecurity attacks are constantly evolving, may be difficult to detect quickly, and often are not recognized until after they have been launched against a target. Despite our security measures, there can be no assurance that we, or the third-party vendors with which we interact, will not experience a cybersecurity incident in the future that will materially affect us. For more information about these and other cybersecurity risks faced by us, see Part 1. Item 1A. Risk Factors.

Our Board has ultimate oversight for risks relating to our data security plan. In addition, the Board has delegated primary responsibility to the Audit Committee for assessing and managing data privacy and cybersecurity risks, reviewing data security and cybersecurity policies and processes with respect to data privacy and cybersecurity risk assessment and management, reviewing steps management has taken to monitor and control such risks, and regular inquires with our management team, internal auditors and independent auditors in connection therewith. The Audit Committee is also responsible for overseeing our investigation of, and response to, any cybersecurity attacks or threats.

We also have a dedicated team of employees overseeing our data security plan and initiatives, led by our Vice President of Information Systems (who has over thirty years’ experience working in cyber and information security related roles with mid-size as well as large companies), that works directly in consultation with internal and external advisors in connection with these efforts. We engage such external advisors to assist with the evaluation of our technology, security, critical risk areas and related controls to improve our ability to identify and detect, protect against, and recover from, cybersecurity incidents and other evolving threats and to appropriately benchmark against industry practices.

We have developed a procedure by which the Board and management are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents. Our Incident Response Team, comprised of representatives of different departments within the Company, including the Vice President of Information Systems, works to identify cybersecurity-related incidents, and reports such incidents, along with any pertinent recommendations to update cybersecurity policies and procedures, to our management team. Our management team reports to the Audit Committee, on a quarterly basis and more frequently as needed on such matters. The Audit Committee and management also provide an annual report to the Board on pertinent cybersecurity matters.


Company Information

Name: ST JOE Co
CIK: 0000745308
SIC Description: Land Subdividers & Developers (No Cemeteries)
Ticker: JOE - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30