Ventas, Inc. - (VTR)

10-K Filing Date: February 15, 2024
ITEM 1C. Cybersecurity

Our business is subject to risk from cybersecurity threats and incidents, including attempts to gain unauthorized access to our systems and networks, or those of our managers, venture partners and third-party vendors and service providers, to disrupt operations, corrupt data or steal confidential or personal information and other cybersecurity breaches. Ventas considers cybersecurity risk a serious threat to our assets and our people and has put processes in place designed to mitigate the risk and impact of any such cybersecurity threat or incident.

Risk Management and Strategy

As part of our cybersecurity risk management process, we:

Periodically review and implement procedures that endeavor to follow the cybersecurity standards set forth by the National Institute of Standards and Technology, including procedures with respect to evaluation and monitoring of cybersecurity threats and incidents;

Engage third-party security firms to monitor and respond to cybersecurity threats and incidents, including those associated with our use of third-party vendors and service providers, and conduct periodic penetration tests with the aim of identifying and remediating vulnerabilities;

Periodically evaluate and assess cybersecurity risks associated with our use of key third-party business partners, vendors and service providers. However, we do not control the cybersecurity plans and systems put in place by such third parties and we may have limited contractual protections with such third parties, such as indemnification obligations to us, which could cause us to be negatively impacted as a result;

Provide employees with the training, tools and resources designed to protect the Company from cybersecurity threats and incidents and to identify and report such threats and incidents. Our employees receive training and testing on cybersecurity protocols throughout the year, including monthly anti-phishing campaigns, periodic live training programs and mandatory annual training and assessments with passing requirements. Each employee periodically acknowledges that they have read, understood and will abide by the Company’s cybersecurity policies; and

Seek to minimize the amount of personal information collected to support business needs and use storage and transfer protocols leveraging encryption of critical information, including confidential or personal information.

Our processes for assessing, identifying, and managing material risks from cybersecurity threats and incidents are integrated into our multi-disciplinary enterprise risk management (“ERM”) process. Our ERM process is managed through our ERM Committee, which we have established to assess, identify and manage enterprise-wide risks to our Company, and is comprised of personnel from our senior leadership team. The ERM Committee is convened at least quarterly to review and update our top risks, including cybersecurity risks. Existing risks are evaluated for changes, and mitigation strategies are discussed as needed. New risks are discussed and evaluated for consideration as a top risk. Results are discussed with our Board of Directors at quarterly Board meetings as needed.

The Company has not identified any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect the Company, including with respect to our business strategy, results of operations, or financial condition. While we have implemented measures designed to help mitigate the risk from cybersecurity threats and incidents, we cannot guarantee that we or our tenants, managers or business partners will be successful in preventing a cybersecurity incident, which could result in a data center outage, disrupt our systems and operations or the systems and operations of our tenants, managers or business partners, compromise the confidential or personal information of our employees, partners or the residents in our senior housing communities and damage our business relationships and reputation. For example, in November 2023, Ardent became aware of a cybersecurity incident, which Ardent determined to be a ransomware attack and which resulted in disruptions to certain aspects of Ardent’s clinical and financial operations. Although we have implemented various measures designed to manage risks relating to these types of events, these measures and the systems supporting them could prove to be inadequate and, if compromised, could become inoperable for extended periods of time, cease to function properly or fail to adequately secure confidential or personal information. See “Risk Factors—Our Legal, Compliance and Regulatory Risks—The occurrence of cybersecurity incidents could disrupt our operations or the operations of the third parties with whom we do business, invest in or lend to, result in the loss of confidential or personal information or damage our or their business relationships and reputation.” included in Part I, Item 1A of this Annual Report.

Governance

Our Board of Directors, directly and through its committees, routinely discusses significant enterprise risks with management and reviews the procedures we have in place designed to manage those risks. At Board and committee meetings, directors engage in analyses and dialogue regarding specific areas of cybersecurity risk, including those identified through our ERM process. In addition to the overall risk oversight function administered directly by our Board, the Audit and Compliance Committee of our Board also exercises oversight over managing the Company’s cybersecurity risks. Management briefs the Audit and Compliance Committee at least once a year on cybersecurity controls, protocols, risk assessments and mitigation measures.

Our management has primary responsibility for identifying, assessing and managing our exposure to cybersecurity threats and incidents, subject to oversight by our Board of Directors of the processes we establish to assess, monitor and mitigate that exposure.

Our Chief Information Officer oversees our Information Technology Team and is responsible for the development and implementation of strategy for our information systems, networks, infrastructure, cybersecurity and data analytics. She has more than 25 years of experience in the field of information technology and is a member of our senior leadership team.

If a potentially material cybersecurity threat or incident is identified or discovered, the Company’s Information Technology Team will notify our Chief Executive Officer, Chief Financial Officer, General Counsel and other relevant business executives. Our Chief Information Officer will work with the appropriate leaders and employees in any impacted business groups, as well as appropriate personnel in our finance, legal and other impacted departments, to assess the risks to the Company and potential impact while determining appropriate remediation steps.

If management determines that a cybersecurity threat or incident could be material to the Company, our management will notify the Audit and Compliance Committee, who will then escalate the risk to our full Board of Directors, depending on management’s assessment of the risk.