American Healthcare REIT, Inc. - (AHR)

10-K Filing Date: March 22, 2024
Item 1C. Cybersecurity.
Our information technology networks, those of our operators and managers and those of third parties on whom we rely are important enablers to our ability to perform day-to-day operations of our business. Our business operations depend on the secure collection, storage, transmission and other processing of proprietary, confidential or sensitive data.
We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats. Our cybersecurity program includes several safeguards such as access controls, multi-factor authentication, continuous monitoring and alerting systems for internal and external threats and external vulnerability testing. Additionally, we conduct regular evaluation of our cybersecurity program, encompassing internal reviews and third-party assessments to ensure its effectiveness and resilience.
Governance
Our board retains ultimate oversight of cybersecurity risk, which it manages through our enterprise risk management program. Our board has delegated primary responsibility of overseeing cybersecurity risks to the Audit Committee. The Audit Committee's responsibilities include reviewing cybersecurity strategies with management, assessing processes and controls pertaining to the management of our information technology operations and their effectiveness and seeking to confirm that management's response to potential cybersecurity incidents is timely and effective. At least annually, the Audit Committee reviews with the management team our cybersecurity risk exposures and the steps that management has taken to monitor and control such exposures. This review may cover a variety of relevant topics, potentially including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations related to our operators, managers and third parties. The scope and focus of each review are determined based on current priorities and emerging issues in cybersecurity.
Management and Cybersecurity Working Group
Reporting to the Chief Operating Officer, our Vice President of Information Technology, with extensive cybersecurity knowledge and skills from over 15 years of relevant work experience at our company and elsewhere, leads the team responsible for developing and implementing our information security program across our business. This team comprises individuals with relevant educational and technical experience, including a dedicated IT Systems & Security Administrator, with responsibility for various aspects of cybersecurity within our organizations. This team works closely with the Legal department to oversee compliance and regulatory and contractual security requirements. Our Chief Operating Officer also leads our Cybersecurity Incident Management Team, which is comprised of a cross-functional team including Internal Audit, Legal, Information Technology, Risk Management and Accounting leaders. These individuals meet regularly and are informed about and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents. Our Chief Operating Officer is responsible for reporting on cybersecurity and information technology to the Audit Committee.
Information Security Program
Our Vice President of Information Technology and his information security team provide regular reports to the Chief Operating Officer and other relevant teams on various cybersecurity threats, assessments and findings. In addition to our internal cybersecurity capabilities, we also periodically engage assessors, consultants, auditors or other third parties to provide consultation and advice to assist with assessing, identifying and managing cybersecurity risks. Our management team identifies and assesses information security risks using industry practices, including those informed by the National Institute of Standards and Technology.
To ensure that cybersecurity is an organization-wide effort, we provide mandatory cybersecurity training at least annually for all employees with network access, including training designed to simulate and help prevent phishing and other social engineering attacks. We also employ systems and processes designed to oversee, identify and reduce the potential impact of a security incident at a third-party vendor, service provider or otherwise implicating the third-party technology and systems we use. Additionally, we maintain cybersecurity insurance providing coverage for certain costs related to cybersecurity-related incidents that impact our cybersecurity and information technology infrastructure.
Incident Response
The Cybersecurity Incident Management Team maintains and oversees an incident response plan that applies in the event of a cybersecurity threat or incident to provide a standardized framework for responding to cybersecurity incidents. The incident response plan sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. The objectives of the incident response plan are to reduce the number of systems and users affected by security incidents, reduce the time a threat actor spends within our network, reduce the damage caused by the breach and reduce the time required to restore normal operations. The incident response plan also specifies the use of third-party experts for legal advice, consulting and cyber incident response.
Material Cybersecurity Risks, Threats and Incidents
While we employ several measures to prevent, detect and mitigate cybersecurity threats, there is no guarantee such efforts will be successful. We also rely on information technology and other third-party vendors to support our business, including securely processing personal, confidential, financial, sensitive or proprietary and other types of information. Despite our efforts to improve our ability, and the ability of relevant third parties, to protect against cyber threats, we may not be able to protect all information, systems, products and services. While we are not aware of any cybersecurity incidents that have materially affected us to date, there can be no guarantee that we will not be the subject of future attacks, threats or incidents that may have a material impact on our business strategy, results of operations or financial condition. Additional information on cybersecurity risks we face can be found in Part I, Item 1A "Risk Factors" of this Annual Report on Form 10-K under the heading "A breach of information technology systems on which we rely could materially and adversely impact us," which should be read in conjunction with the foregoing information.