Brookdale Senior Living Inc. - (BKD)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity

The business of the Company is managed with the oversight of the Board of Directors. The Board of Directors has delegated to the Audit Committee the responsibility to discuss guidelines and policies governing the process by which our senior management and the relevant departments and functions of the Company assess and manage our exposure to risk. As part of that responsibility, the Audit Committee regularly reviews our exposure to cybersecurity risk, the effectiveness of our cybersecurity, and the knowledge, experience and capabilities of the Audit Committee and management with respect to cybersecurity and cybersecurity risk. The Company's Chief Information Officer ("CIO") and Chief Information Security Officer ("CISO") provide regular briefings to the Audit Committee, including on current and emerging cybersecurity threats, ongoing priorities and strategies to mitigate cybersecurity risk, and compliance with various regulations. In addition, our CIO and CISO periodically update the Board of Directors regarding the Company's cybersecurity efforts.

The CISO, who reports to the CIO, has primary responsibility for assessing, monitoring, and managing our cybersecurity risks. The CIO, in turn, reports directly to our President and Chief Executive Officer. Our CISO oversees our cybersecurity governance programs, tests our compliance with standards, takes action to mitigate known risks, and leads our cybersecurity associate training program. Our CISO has over 10 years' experience leading large complex healthcare cybersecurity programs and holds Certified Information Systems Security Professional ("CISSP") and Certified Information Systems Auditor ("CISA") certifications in good standing. Our CIO is a member of our executive leadership team, having overall responsibility for all aspects of our information systems, including technology, data, and security. The focus of the CIO includes strategic use of technology to support execution on our strategic priorities and our longer-term growth plans, while also balancing risk. Our CIO has over 25 years' experience leading large complex healthcare organizations through successful transformation while developing and strengthening an effective cybersecurity program.

The CISO is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques, such as through attending educational programs and monitoring alerts from third-party vendors and government agencies. The CISO implements and oversees processes for the regular monitoring of our information systems. In the event of a cybersecurity incident, the CISO is equipped with a written incident response plan.

Failure to maintain the security and functionality of our information systems and data, to prevent a cybersecurity attack or breach, or to comply with applicable privacy and consumer protection laws, including HIPAA, could adversely affect our business, reputation, and relationships with our residents, associates, and referral sources and subject us to remediation costs, government inquiries, and liabilities, any of which could materially and adversely impact our revenues, results of operations, and cash flow. Further information is discussed in "Item 1A. Risk Factors." To date, the aforementioned cybersecurity risks and any incidents that we, or our third-party vendors, have experienced have not materially affected us, including our business, strategy, results of operations, or financial condition.

Recognizing the complexity and evolving nature of cybersecurity threats, we have engaged external experts and rely on software support from third-party vendors to assist with evaluating, monitoring, and testing our information technology systems. These relationships enable us to leverage specialized knowledge and insights, to help ensure our cybersecurity strategies and processes remain effective. Our collaboration with these third parties includes regular audits, routine system monitoring, threat assessments, and consultation on potential security enhancements. We require third-party service providers with access to personal, confidential, or proprietary information to implement and maintain comprehensive cybersecurity practices consistent with applicable legal standards and industry best practices.