Millrose Properties, Inc. 10-K Cybersecurity GRC - 2026-03-02

Page last updated on March 2, 2026

Millrose Properties, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-02 08:00:57 EST.

Filings

10-K filed on 2026-03-02

Millrose Properties, Inc. filed a 10-K at 2026-03-02 08:00:57 EST
Accession Number: 0002017206-26-000002

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risks Management and Strategy We rely on our Manager's cybersecurity program, to identify, assess, and manage material risks to our business from cybersecurity threats. With oversight from our Board, our Manager and executive officers are responsible for establishing and monitoring the effectiveness of our controls for cybersecurity risk and have implemented an enterprise-wide information security program designed to identify, protect against, detect, assess, respond to, and manage reasonably foreseeable cybersecurity risks and threats to our systems. Our Manager's cybersecurity risk management processes are integrated into our broader risk management processes and are evaluated in conjunction with other operational and business risks. The program, which is supported in part by third-party consultants and service providers, includes cybersecurity risk assessments, an incident response plan, business continuity planning, as well as ongoing vulnerability scanning and periodic penetration testing. In addition, Kennedy Lewis has implemented mandatory cybersecurity training for all employees and phishing tests designed to raise awareness and educate personnel on cybersecurity risks. To protect our systems from cybersecurity threats, our Manager uses various security tools that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner. These include, but are not limited to, software for employee access monitoring and reporting, threat detection, and mobile device controls. Cybersecurity threats may also arise from internal sources, including employee misconduct, misuse of authorized access, human error, or failures to follow established security policies and procedures. Our Manager's cybersecurity program is designed to mitigate such internal risks through access controls, monitoring and logging, segregation of duties, mandatory cybersecurity training, and policies governing acceptable use and data protection. Our risk management processes include oversight and identification of cybersecurity threats related to third-party service providers. Service provider due diligence may include, as appropriate depending on the nature of the service and the provider's access to our data, periodic reviews of the provider's business continuity planning, data protection, and cybersecurity practices, as well as contractual commitments to maintain IT systems in accordance with cybersecurity standards. As of the date of this Form 10-K, we are not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect us, including in our business strategy, results of operations or financial condition. However, our business is highly dependent on our ability to collect, use, store and manage organizational and property data. If any of our significant information and data management systems do not operate properly or are disabled, we could suffer a material disruption of our business or managing real estate, loss of sensitive data, regulatory intervention, breach of confidentiality or other contract provisions, or reputational damage. These systems may fail to operate properly or become disabled as a result of events wholly or partially beyond our control, including disruptions of electrical or 61 communications services, natural disasters, political instability, terrorist attacks, sabotage, computer viruses, deliberate attempts to disrupt our computer systems through "hacking," "phishing," or other forms of both deliberate or unintentional cyber-attack, or our inability to occupy our office location. See "Part I, Item 1A. Risk Factors" for more information on risks from cybersecurity threats that are reasonably likely to materially affect our business strategy, results of operations and financial condition. Governance The Audit Committee of the Board (the "Audit Committee") oversees Millrose's cybersecurity risk as part of our overall risk management policies. The Board, including the Audit Committee, receives updates on a quarterly basis from our Manager and executive officers on our cybersecurity program, including measures taken to address cybersecurity risks and significant cybersecurity incidents. Our Chief Technology Officer ("CTO") leads the cybersecurity program, and is responsible for developing, implementing, and monitoring our cybersecurity infrastructure and managing our response to threats or security incidents, in coordination with our Manager's IT and Compliance team. Our General Counsel provides oversight on legal and regulatory aspects of cybersecurity risk management. We engage a third party to assist with cybersecurity risk assessment, policies and documentation, training and tabletop exercises, and vulnerability scanning and penetration testing. Our CTO has served in this role since February 2025 and has more than ten years of technology and cybersecurity experience. He is concurrently a Managing Director at Kennedy Lewis where he has been responsible for managing the firm's technology and analytical capabilities since 2022. 62

Company Information