NATIONAL HEALTH INVESTORS INC - (NHI)
10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
The Board recognizes the importance of maintaining the trust and confidence of our tenants/borrowers/operators and employees to safeguard sensitive information and the integrity of our information systems. We have systems in place to assess, identify and manage cybersecurity incidents and we invest in technology and third-party support to identify, mitigate, and quickly respond to cybersecurity incidents. We have maintained a strong focus on consistently reviewing our cybersecurity practices. We also conduct periodic information security and awareness training to ensure that employees are aware of information security risks and to enable them to take steps to mitigate those risks. As part of this program, we also take steps designed to provide appropriate guidance regarding security to our executive management and employees, including any employee who may come into possession of confidential financial information.
We have engaged the services of various third-party service providers to, among other things, review and evaluate our processes and procedures designed to control access to our information systems, perform penetration testing on our cybersecurity systems on a biannual basis, and provide regular information technology reviews based upon the NIST Cybersecurity Framework. In addition, we contracted with a third-party managed detection and response security company in the fourth quarter of 2023 to commence testing for cyber vulnerabilities on a continual basis.
In order to identify and mitigate cybersecurity threats related to our use of material third-party vendors, we conduct periodic reviews of internal controls of certain third-party service providers to assess their procedures to mitigate material security risks.
Board & Management Responsibilities
We have formed an Information Technology Steering Committee comprised of employees from multiple departments within the Company including the Chief Executive Officer (“CEO”); the Chief Financial Officer; the Chief Accounting Officer; the Vice President, Controller; the Vice President, Investor Relations & Finance; and the Vice President of Human Resources and Compliance & Information Security Officer (“ISO”) to more effectively prevent, detect and respond to information security threats. The ISO has served in various roles in corporate compliance for over 20 years and reports directly to the Company’s CEO. To enhance our cybersecurity capabilities, we actively collaborate with third-party vendors. Notably, we engage a Managed Service Provider (“MSP”) and another service provider who specializes in cybersecurity issues. Our MSP plays a critical role in supporting our IT infrastructure, offering expertise and resources that complement our in-house capabilities. The third-party cybersecurity specialist provides advanced cybersecurity solutions, including continuous monitoring and threat detection services, which are integral to our cybersecurity program.
The ISO is responsible for overseeing a company-wide information security strategy, including policy, standards, architecture, and processes, and managing many of the security services that run on personal computers and servers. The Audit Committee meets with the ISO at least annually to review and discuss the Company’s cyber risks and threats, incident responses, technology, the status of projects to strengthen the Company’s information security systems, assessments of the Company’s security program and the emerging threat landscape.
The Company periodically conducts cybersecurity “tabletop” exercises administered by an independent third party with respect to breach and other problematic information security scenarios. The administrator poses questions to participants and advises on typical responses to similar situations. Participants include various executives and other officers of the Company as well as the ISO, other information systems and security personnel, and relevant third-party vendors.
To date, no attempted cyber-attack or other attempted intrusion on our information technology networks has resulted in a material adverse impact on our consolidated operations or financial results, or in any penalties or settlements. In the event an attack or other intrusion were to be successful, we have a response team of internal and external resources engaged and prepared to respond. We also maintain cyber liability insurance to help mitigate potential liabilities resulting from cyber issues. However, there can be no assurance that our cyber risk insurance coverage will be sufficient in the event of a cyber-attack.