Sabra Health Care REIT, Inc. - (SBRA)

10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY
We recognize the importance of assessing, identifying and managing material risks associated with cybersecurity threats. To assess and identify material risks from cybersecurity threats, our enterprise risk management (“ERM”) program considers cybersecurity threat risks alongside other Company risks as part of our overall risk assessment process. Our cybersecurity policies, standards, processes and practices are fully integrated into Sabra’s ERM program and are evaluated annually against recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards.
Our approach is focused on preserving the confidentiality, security and availability of our data and systems. We have implemented several cybersecurity processes, technologies and controls to aid in our efforts to assess, identify and manage such risks.
Risk Management and Strategy
Our cybersecurity program includes the following key elements:
Continuous monitoring of our networks for any unusual activity by a dedicated, outsourced IT team.
Regular review by senior management of monitoring and logging across predefined metrics to identify suspicious activity.
Employment of technical safeguards including firewalls, switches and access controls, as well as full encryption of our server in transit and at rest, which is only accessible through our internal Virtual Private Network (VPN).
Use of preventative security measures for cloud and network security and end-user protection, including Multi-Factor Authentication (MFA), Intrusion Detection System (IDS), Intrusion Prevention System (IPS) and Advanced Threat Protection (ATP) functionality to protect against viruses, malware, ransomware and phishing attempts.
Review of applications from third-party service providers to ensure they meet the criteria of our security policies before implementation, and encryption of data that is transmitted over secured channels and ports from our application programming interfaces.
Education and awareness for Sabra teammates through communication of security and technology policies via the employee handbook, phishing campaigns and annual training on protecting data, phishing threats, cyber trends and other security measures.
Maintenance of cyber insurance and crime insurance policies for Sabra and requirements for certain of our tenants and operators to carry a specified dollar amount of cyber insurance coverage, including coverage for third parties.
Careful monitoring of emerging cybersecurity trends and developments.
Establishment and maintenance of a comprehensive incident response plan that guides our response to a cybersecurity incident based on established reporting categories and that is tested and evaluated on a periodic basis.
We periodically engage third parties to perform internal and external penetration testing. Additionally, our outsourced IT team conducts periodic internal vulnerability assessments. These tests and assessments of our information security control environment and operating effectiveness are performed with the intent of identifying areas for continued focus, improvement and/or compliance. The results are reported to our board of directors, and our cybersecurity policies, standards, processes and practices are adjusted as necessary based on the information provided by these audits, testing and assessments.
To date, cybersecurity incidents have not materially affected and are not reasonably likely to materially affect our Company. However, because cybersecurity incidents are sometimes difficult to detect and can remain disguised for an extended period of time or until a triggering event has occurred, we can give no assurance that we have detected all cybersecurity incidents. We describe how risks from such incidents may affect us, including our business, financial condition and results of operations in “Regulatory Risks” in Item 1A, “Risk Factors.”
Governance
Our board of directors, through direction of the Audit Committee, oversees our ERM process, including the management of risks arising from cybersecurity threats. At least annually, our board of directors receives a report on cybersecurity risks which addresses topics including current and emerging threat risks and our ability to mitigate such risks, recent developments, evolving standards, vulnerability assessments and third-party reviews.
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Executive Officer and Chief Financial Officer in conjunction with our dedicated, outsourced IT team led by our virtual Chief Information Officer who brings over 10 years of experience serving in various roles under information technology and holds a degree in computer science. These members of management are responsible for the operation of our incident response plan and, through ongoing communication with our IT team, are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents. Prompt and timely information regarding any cybersecurity incident that meets established reporting category designation criteria is reported to the applicable parties as identified in our incident response plan. As discussed above, these members of management provide a report on cybersecurity risks at least annually and report incidents when appropriate to the board of directors.