CNL Healthcare Properties, Inc. - (CHTH)

10-K Filing Date: March 12, 2024
Item 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
We have no employees and are externally managed by our Advisor, an affiliate of our Sponsor. Our Advisor has responsibility for our day-to-day operations, serving as a consultant in connection with policy decisions to be made by the board of directors.
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to customers, reputational damage adversely affecting customer or investor confidence, and violation of data privacy or security laws. Our Sponsor maintains an enterprise-wide cybersecurity program to protect against, defend against and manage foreseeable cybersecurity risks and threats, including for the Company. The cybersecurity program is administered by the Sponsor’s Chief Technology Officer (“CTO”), who has adopted the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. Based on the NIST standards, our cybersecurity program organizes its efforts to manage cybersecurity risk into five (5) pillars: identify, protect, detect, respond and recover.
Identifying and assessing cybersecurity risk, as well as protecting us from such risk, is integrated into our overall risk management systems and processes and is specifically addressed in our enterprise-wide cybersecurity program. Cybersecurity risks related to our business, technical operations, privacy and compliance issues are identified and addressed through a multi-faceted approach, including threat intelligence collaboration and advisory mediums, third-party due diligence and risk assessments when determining the selection, oversight and engagement of third-party service providers, application security evaluations and annual penetration tests, as well as management risk and compliance reviews. The foregoing is combined with periodic review and analysis of third-party service provider system and organizational controls, internal network intrusion prevention systems, vulnerability assessments, access management, data loss prevention, remote access control, mandatory cybersecurity awareness training, and random phishing campaigns with additional requisite training, if applicable, to identify and protect against cybersecurity risk.
Any potential cybersecurity compromise, whether direct or indirect, is analyzed and documented by the securities operations team (the “SO Team”) and escalated to the cybersecurity incident response team (“CSIRT”) as necessary. The SO Team is comprised of cybersecurity professionals, and the CSIRT is comprised of certain of the Sponsor’s and Company’s executives from legal, corporate communications, IT, compliance, finance, and risk management.
Security events and data incidents are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact, and are reviewed for privacy impact. Materiality is determined by considering qualitative and quantitative factors. The CSIRT also conducts tabletop exercises to simulate responses to cybersecurity incidents. Our team of cybersecurity professionals then collaborates with technical and business stakeholders across our business units to further analyze the risk to the Company and to form detection, mitigation and remediation strategies.
Recovery and restoration from a cybersecurity incident can vary depending on the type of attack and the materiality of the assets and information affected.
As of the date of this filing, we do not believe that our business strategy, results of operations or financial conditions have been materially affected by any risks from cybersecurity threats for the reporting period covered by this report. However, institutions like us, and our service providers, have experienced cybersecurity events and data incidents in the past and will likely continue to be the target of cyberattacks and intrusions. For additional information on the cybersecurity risks we face, see “Part 1, Item 1A. Risk Factors–Cyber security risks and cyber incidents could adversely affect the Company’s business and disrupt operations.”
Cybersecurity Governance
Cybersecurity is an important part of our risk management processes and an area of focus for our board of directors and management. Our Audit Committee is responsible for the oversight of risks from cybersecurity threats. Members of the Audit Committee receive updates at least annually from senior management, including leaders from the CTO, internal audit and legal teams, regarding matters of cybersecurity. These updates cover existing and new cybersecurity risks, the status of how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any), and the status of key information security initiatives. Our board of directors also engages in ad hoc conversations with management on cybersecurity-related news events and discusses any updates to our cybersecurity risk management and strategy programs.
The cybersecurity risk management and strategy processes are overseen by the Sponsor’s cybersecurity committee, which consists of the Company’s chief financial officer and general counsel, and the CTO, legal, risk management, and compliance teams. Such individuals have an average of over 15 years of prior work experience in various roles involving information technology, including security, auditing, and compliance. These individuals are informed about, and monitor, the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to the Audit Committee on any appropriate items.