Page last updated on February 4, 2026
KB HOME reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-01-23 16:31:45 EST.
Filings
10-K filed on 2026-01-23
KB HOME filed a 10-K at 2026-01-23 16:31:45 EST
Accession Number: 0000795266-26-000017
Item 1C. Cybersecurity.
Item 1C - Cybersecurity in this report. Our systems have faced a variety of phishing, denial-of-service and other attacks and occasional theft of encrypted employee laptops. To help counter the growing volume and sophistication of cyberattacks and other attempts to gain unauthorized access to sensitive business or individuals' personal information, including the potential of fraudulent schemes inducing our employees, customers, trade partners, or other third parties to disclose information or unknowingly provide access to systems or data, whether in our sales offices or elsewhere, and considering the use of artificial intelligence and other technology to compromise our user access protocols, we have implemented administrative, physical and multi-layered technical controls and processes. These measures are designed to help address and mitigate cybersecurity risks and protect our IT resources and sensitive information, and include employee education and awareness training, as well as assessments conducted by external third parties. Our technical defense layers are designed to provide multiple, overlapping measures to establish appropriate system security configurations and protect against exploitation of a vulnerability that may arise or if a security control fails. For these defenses, we rely on third parties that we believe, but cannot guarantee, are capable of performing the protective service for which we have engaged them. We conduct periodic incident response tabletop exercises, with third-party support and reviews, and we perform an annual cybersecurity risk assessment to identify potential areas of focus. Our IT security costs, including cybersecurity insurance, are significant and will likely rise in tandem with the sophistication and frequency of system attacks.
We also depend on our service providers, GR Alliance and other mortgage lenders, with whom we share some personal identifying and confidential information, to secure our data and the homebuyer information they collect from us. However, our, GR Alliance's and our service providers' measures may be inadequate and possibly have operational or security vulnerabilities that could go undetected for some period of time. If our IT resources are compromised, we may be severely limited in conducting our business and achieving our strategic goals for an extended period, experience internal control failures or lose access to operational assets or funds. A substantial disruption, or security breach suffered by us, GR Alliance/KBHS or a service provider, particularly our cloud service provider which hosts many of our IT resources, could damage our reputation and result in the loss of customers or revenues, in sensitive personal information being publicly disclosed or misused and/or regulatory or legal proceedings against us. We may incur significant expenses to resolve such issues. While, to date, we have not had a significant cybersecurity breach or attack that had a material impact on our business or consolidated financial statements, there can be no assurance our efforts to maintain the security and integrity of these systems will be effective or that attempted security breaches, cyber-attack, data theft or disruptions would not occur in the future, be successful or damaging. Beyond our service providers, we depend on independent third parties to handle certain processes required to complete land purchases and home closings, including title insurers and escrow/settlement companies.
Should these third parties, as well as independent mortgage lenders and other firms involved in real property transactions, experience their own cybersecurity incidents or IT resource failures that disrupt or prevent their performance of necessary real estate transaction services, our ability to close on land transactions or our customers' ability to close on their homes, as well as our production schedules and delivery forecasts, may be significantly disrupted and have a material impact on our operations or consolidated financial statements, including by causing home sales contract cancellations.
Legal and Compliance Risks. As discussed above under Item 1 - Business in this report, our operations are subject to myriad legal and regulatory requirements, which can delay our operational activities, raise our costs and/or prohibit or restrict homebuilding in some areas. These requirements often provide broad discretion to government authorities, and they could be interpreted or revised in ways unfavorable to us. The costs to comply, or associated with any noncompliance, are, or can be, significant and variable from period to period. With respect to environmental laws, in addition to the risks and potential operational costs discussed above, we have been, and we may in the future be, involved in federal, state and local air and water quality agency investigations or proceedings for potential noncompliance with their rules, including rules governing discharges of materials into the air and waterways; stormwater discharges from community sites; wetlands and listed species habitat protection; and governmental health and safety rules and requirements, such as those enforced by the federal Occupational Safety and Health Administration and similar state agencies. We could incur penalties and/or be restricted from developing or building at certain community locations during or as a result of such agencies' investigations or findings.
Additionally, we are involved in legal, arbitral or regulatory proceedings or investigations incidental to our business, the outcome or settlement of which could result in material claims, losses, monetary damage awards, penalties, or other direct or indirect payments recorded against our earnings, or injunctions, consent decrees or other voluntary or involuntary restrictions or adjustments to our business operations or practices. Any adverse results could be beyond our expectations, insurance coverages and/or accruals at particular points in time. Unfavorable outcomes, as well as unfavorable investor, analyst or news reports related to our industry, company, personnel, governance or operations, may also generate negative publicity, including on social media and the internet, damaging our reputation and resulting in the loss of customers or revenues. We may also face similar reputational impacts if our sustainability initiatives or objectives and/or our social or governance practices do not meet the standards set by investors or third-party rating services. Additionally, low third-party ratings could result in our common stock being excluded from certain indexes or not being recommended for or selected by investors with certain mandates or priorities. To reduce the risks and expected significant costs of defending intra-corporate proceedings in multiple venues and to help ensure that such matters are considered within a well-established body of law, our By-Laws provide that, subject to certain exceptions, Delaware state courts are the exclusive forum for specified internal corporate affairs actions and federal courts are the exclusive forum for any action asserting a claim arising under the Securities Act of 1933, as amended. These provisions may limit a stockholder's ability to bring a claim in their favored forum. 
At the same time, if a court were to allow for an alternative forum, or we waive the provision's application, for a particular matter, we may incur additional costs associated with resolving an otherwise relevant action in another jurisdiction(s). The European Union and state governments, notably California, Colorado, Delaware and Nevada, have enacted or enhanced data privacy regulations, and other governments are considering establishing similar or stronger protections. These regulations impose certain obligations for securing, and potentially removing, specified personal information in our systems, and for apprising individuals of the information we have collected about them. We have incurred costs in an effort to address these data privacy risks and requirements, and our costs may increase significantly as risks become increasingly complex or if new or changing requirements are enacted, and based on how individuals exercise their rights. Despite our efforts, any noncompliance could result in our incurring substantial penalties and reputational damage. KBHS' operations are heavily regulated. If GR Alliance, which oversees KBHS' operations, or KBHS is found to have violated regulations, or mortgage investors demand KBHS repurchase mortgage loans it has sold to them, or cover their losses, for claimed contract breaches, KBHS could face significant liabilities, which, if they exceed its reserves, could result in our recognizing losses on our KBHS equity interest. Our financial results may be materially affected by our use of critical accounting estimates and the adoption of new or amended financial accounting standards, as well as regulatory or outside auditor guidance or interpretations.
In addition, to the extent we expand our disclosures on our sustainability initiatives in line with certain private reporting frameworks and investor requests, our failure to report accurately or achieve progress on our metrics on a timely basis, or at all, could adversely affect our reputation, business, financial performance and growth.
Other Risks. The risk factors described above are not our only salient risks. Political events, war, terrorism, weather or other natural/environmental disasters, and other risks that are currently unknown or are currently or may initially be seen as immaterial, could also have a material adverse impact on our business, consolidated financial statements and/or common stock's market price.
Item 1B. UNRESOLVED STAFF COMMENTS
None.
Item 1C. CYBERSECURITY
Risk Management and Strategy. We have policies and procedures for identifying, assessing and managing material risks associated with cybersecurity threats. To help protect our IT resources, we have instituted administrative, physical and technical controls and processes and commissioned third-party assessments. The technical defense measures we have implemented are designed to address vulnerabilities that may arise, including from a security control failure. These measures currently involve a combination of artificial intelligence; machine learning computer network monitoring; malware and antivirus resources; firewall systems; and endpoint detection and response. We also utilize cloud service defenses; Internet address and content filtering monitoring software intended to secure against known malicious websites and potential data exfiltration; and enterprise gateway security for workforce mobile devices and applications. Additionally, a variety of cyber intelligence and threat monitoring sources provide us with ongoing updates on potential or emerging risks.
For all these measures we rely on third-party providers that we believe are capable of performing the service for which they have been engaged or on certain governmental agencies. Before we engage a third-party provider for these types of services and resources, we typically conduct a security review involving, as relevant to the service or resource, discussions with the provider's security personnel, evaluation of auditor reports, and other requested information and documentation. We evaluate, and adjust as determined appropriate, our cybersecurity strategies and measures based on the above-noted threat monitoring sources, learnings from periodic incident response tabletop exercises in which members of senior management participate; penetration tests and scanning exercises; and an annual cybersecurity and/or cloud security risk assessment conducted with help from outside experts informed by the National Institute of Standards and Technology Cybersecurity framework. Our IT function also undertakes a specific risk review, assisted in part by independent consultants and other third parties, that is integrated into the overall annual enterprise risk management assessment the board of directors' audit and compliance committee oversees. Our internal audit department incorporates the results from this risk review, and cybersecurity-related enhancements identified through the review, in designing and conducting its IT function audits, in some cases with a third-party firm's assistance. To support the ongoing identification and management of cybersecurity issues, all employees are required to complete cybersecurity awareness training, including social engineering, password best practices, data classification and phishing awareness, with additional training for handling of customer personal information. We also publish a monthly security awareness newsletter along with performing ongoing internal phishing assessments. 
We also consider and evaluate cybersecurity risks associated with KBHS and third-party service providers that we have identified as having the greatest potential to expose us to cybersecurity threats. We have established due diligence procedures with KBHS and such third-party service providers, as well as communication channels as part of their breach and incident response processes. We also review annually the System and Organization Controls reports of third-party vendors hosting our data to ensure they maintain adequate access management controls including physical safeguards, disaster recovery capabilities, data privacy and notification processes, onboarding processes, incident response procedures and periodic independent testing of the vendor capabilities. We depend on our third-party service providers, KBHS and outside service providers to our customers with whom we share some personal identifying and confidential information to secure the information they receive from us. Our business strategy, results of operations, or financial condition may be materially affected if our IT resources are compromised, whether by an intentional attack, natural or man-made disaster, electricity blackout, IT/cybersecurity failure, systems misconfiguration, denial-of-service attacks, service provider error, mismanaged user access protocols, personnel action, or otherwise. Depending on source or severity, among other factors, should any such compromise(s) occur, we may be severely limited in conducting operations for an extended period, experience internal control failures, be cut off from assets or funds, face reputational damage, lose customers and related revenues and/or have private party or governmental legal proceedings instituted against us, and incur significant expenses to resolve any such issues.
Similar impacts may result from a substantial disruption, or security incident or breach, suffered by KBHS or an outside service provider to our customers, which could also result in sensitive personal information being publicly disclosed or misused.
Governance. Our management is responsible for the ongoing assessment of, and for developing and implementing our strategies and measures to address, material cybersecurity risks. Our board of directors through its audit and compliance committee oversees management's cybersecurity assessment activities and protective strategies and measures. This includes engaging in periodic reviews with management covering, among other things, our cybersecurity practices and risks. Several of our directors have experience with overseeing cybersecurity practices and incident management. Our chief information officer ("CIO") periodically provides this review to the audit and compliance committee, with the most recent review conducted in January 2026. The CIO, who has more than 35 years of experience in IT and cybersecurity, is supported by a chief information security officer, who has more than 30 years of experience in IT and cybersecurity, and various employees and dedicated contract personnel experienced with IT and cybersecurity matters who are responsible for procuring, using, maintaining, updating and evaluating the cybersecurity measures detailed above. These individuals also hold numerous cloud, security and privacy certifications. We have a cybersecurity incident response plan ("CIRP") that, among other things, defines roles and responsibilities, outlines steps for managing a cybersecurity event that is assessed to be a cybersecurity incident, including determining whether such an incident is material and required to be publicly disclosed per SEC rules, and specifies internal and external communication channels with respect to a cybersecurity incident.
Our IT function, which is led by the CIO, maintains and is initially responsible for executing on our CIRP and specific runbooks, which describe processes for evaluating and escalating, depending on severity, within the enterprise and up to our senior executive management and board of directors the cybersecurity threats and incidents, or potential threats or incidents, identified through our cybersecurity measures. This team also maintains other policies and procedures concerning cybersecurity matters, such as encryption standards, antivirus protection, remote access, multifactor authentication, data classification, confidential information and the use of the internet, social media, email and wireless devices. We also maintain insurance coverage for cybersecurity insurance as part of our overall insurance portfolio. Our IT systems have faced a variety of phishing, denial-of-service and other attacks. Although we have not identified any cybersecurity incidents during the fiscal years covered by this report that have materially affected or are reasonably likely to materially affect our business strategy, consolidated results of operations or consolidated financial condition, we can provide no assurance that our security measures will be successful and therefore we may experience a cybersecurity incident that materially affects our business strategy, consolidated results of operations, consolidated financial condition or reputation, including, but not limited to those described above. For more information about the cybersecurity risks we face, see Item 1A - Risk Factors.
Company Information
| Name | KB HOME |
| CIK | 0000795266 |
| SIC Description | Operative Builders |
| Ticker | KBH - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | November 30 |