SONIDA SENIOR LIVING, INC. - (SNDA)

10-K Filing Date: March 27, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity framework intended to assess, identify, and manage risks from threats to the security of our information, systems, products, and network using a risk-based approach. The framework is informed in part by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, NIST 800-53 and International Organization for Standardization 27001 (“ISO 27001”) Framework, although this does not imply that we meet all technical standards, specifications, or requirements under the NIST or ISO 27001 frameworks.
Our key cybersecurity processes include the following:
Risk-based controls for information systems and information on our networks: We seek to maintain an information technology infrastructure that implements physical, administrative and technical controls that are calibrated based on risk and designed to protect the confidentiality, integrity and availability of our information systems and information stored on our networks, including customer information, personal information, intellectual property and proprietary information.
Cybersecurity incident response plan and testing: We have a cybersecurity incident response plan and dedicated team to respond to cybersecurity incidents. When a cybersecurity incident occurs or we identify a vulnerability, we have a strategic partner (a Managed Security Service Provider (“MSSP”)) that is responsible for leading the initial assessment of priority and severity. Our cybersecurity team assists in responding to incidents depending on severity levels and seeks to improve our cybersecurity incident management plan through periodic tabletops or simulations at the enterprise level.
Training: We provide security awareness training to help our employees understand their information protection and cybersecurity responsibilities at the Company. We also provide additional role-based training to some employees based on customer requirements, regulatory obligations, and industry risks.
Supplier risk assessments: We have implemented a third-party risk management process that includes expectations regarding information and cybersecurity. That process, among other things, provides for us to perform cybersecurity assessments on certain suppliers based on an assessment of their risk profile and a related rating process. We also seek contractual commitments from key suppliers to appropriately secure and maintain their information technology systems and protect our information that is processed on their systems.
Third-party assessments of the Company: We have engaged third-party cybersecurity companies to periodically assess our cybersecurity posture and to assist in identifying and remediating risks from cybersecurity threats.

We also consider cybersecurity, along with other risks to us, within our enterprise risk management framework. The enterprise risk management framework includes internal reporting at the enterprise level, with consideration of key risk indicators, trends and countermeasures for cybersecurity and other types of significant risks. In the last fiscal year, we have not identified risks from known cybersecurity threats, including any prior cybersecurity incidents, which have materially affected us, including our operations, business strategy, results of operations, cash flow or financial condition.
Cybersecurity Governance
The Audit Committee of our Board of Directors is responsible for board-level oversight of risks from cybersecurity threats, and the Audit Committee reports back to the full Board of Directors about this and other areas within its responsibility. As part of its oversight role, the Audit Committee receives reporting about the Company’s practices, programs, notable threats or incidents and other developments related to cybersecurity throughout the year, including through periodic updates, from our Chief Technology Officer.

Our Chief Technology Officer reports to our Chief Executive Officer and leads the Company’s overall cybersecurity function, including the assessment and management of cybersecurity risks. The Chief Technology Officer has over 25 years of experience in managing and leading information technology or cybersecurity teams and participates in various cybersecurity organizations. The Chief Technology Officer collaborates with operations vice presidents and department vice presidents to identify and analyze cybersecurity risks to us; considers industry trends; implements controls, as appropriate and feasible, to mitigate these risks; and enables business leaders to make risk-based business decisions that implicate cybersecurity considerations. The Chief Technology Officer meets with senior leadership to review and discuss our cybersecurity program, including emerging cyber risks, threats, and industry trends. The Chief Technology Officer also supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, including by collaborating with external security personnel and internal business stakeholders, and incorporating threat intelligence and other information obtained from governmental, public, or private sources to inform our cybersecurity technologies and processes.