WELLTOWER INC. - (WELL)
10-K Filing Date: February 15, 2024
Item 1C. Cybersecurity
Our information technology networks, those of our operators and managers, and those of third parties on whom we rely, are important enablers to our ability to perform day-to-day operations of our business. Our business operations depend on the secure collection, storage, transmission and other processing of proprietary, confidential or sensitive data.
We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats. Our cybersecurity program includes several safeguards such as access controls, multi-factor authentication, continuous monitoring and alerting systems for internal and external threats and penetration testing. Additionally, we conduct regular evaluation of our cybersecurity program, encompassing internal reviews and third-party assessments to ensure its effectiveness and resilience.
Governance
The Board of Directors (the "Board") retains ultimate oversight of cybersecurity risk, which it manages through our enterprise risk management program. The Board has delegated primary responsibility for overseeing cybersecurity risks to the Audit Committee. The Audit Committee's responsibilities include reviewing cybersecurity strategies with management, assessing processes and controls pertaining to the management of our information technology operations and their effectiveness, and seeking to confirm that management's response to potential cybersecurity incidents is timely and effective. At least annually, the Audit Committee receives a cybersecurity report from management. This report may cover a variety of relevant topics, potentially including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations related to our operators, managers and third parties. The scope and focus of each report are determined based on current priorities and emerging issues in cybersecurity. The Audit Committee and management also report to the Board at least annually on data protection and cybersecurity matters.
Management and Cybersecurity Working Group
Reporting to the Chief Operating Officer, our Chief Technology Officer, with extensive cybersecurity knowledge and skills from over 20 years of relevant work experience at Welltower and elsewhere, leads the team responsible for developing and implementing our information security program across our business. This team comprises individuals with relevant educational and technical experience, many having held similar positions with responsibility for various aspects of cybersecurity at large organizations. This team works closely with the Legal department to oversee compliance and regulatory and contractual security requirements. The Chief Technology Officer also leads our Cyber Security Working Group, which is comprised of a cross-functional team including Internal Audit, Legal, Information Technology, Risk Management and Accounting leaders. These individuals meet regularly and are informed about and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents. The Chief Technology Officer is responsible for reporting on cybersecurity and information technology to the Audit Committee.
Information Security Program
The information security team provides regular reports to the Chief Technology Officer and other relevant teams on various cybersecurity threats, assessments and findings. In addition to our internal cybersecurity capabilities, we also periodically engage assessors, consultants, auditors or other third parties to provide consultation and advice to assist with assessing, identifying and managing cybersecurity risks. Our management team identifies and assesses information security risks using industry practices informed by the National Institute of Standards and Technology ("NIST"), including the NIST Cybersecurity Framework.
To ensure that cybersecurity is an organization-wide effort, we provide mandatory cybersecurity training at least annually for all employees with network access, including training designed to simulate and help prevent phishing and other social engineering attacks. We also employ systems and processes designed to oversee, identify and reduce the potential impact of a security incident at a third-party vendor, service provider or otherwise implicating the third-party technology and systems we use. Additionally, we maintain cybersecurity insurance providing coverage for certain costs related to cybersecurity-related incidents that impact our cybersecurity and information technology infrastructure.
Incident Response
The Cybersecurity Working Group maintains and oversees an incident response plan that applies in the event of a cybersecurity threat or incident to provide a standardized framework for responding to cybersecurity incidents. The incident response plan sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. The objectives of the incident response plan are to reduce the number of systems and users affected by security incidents, reduce the time a threat actor spends within our network, reduce the damage caused by the breach and reduce the time required to restore normal operations. The incident response plan also specifies the use of third-party experts for legal advice, consulting and cyber incident response.
Material Cybersecurity Risks, Threats and Incidents
While we employ several measures to prevent, detect and mitigate cybersecurity threats, there is no guarantee such efforts will be successful. We also rely on information technology and other third-party vendors to support our business, including securely processing personal, confidential, financial, sensitive or proprietary and other types of information. Despite our efforts to improve our ability, and the ability of relevant third parties, to protect against cyber threats, we may not be able to protect all information, systems, products and services. While we are not aware of any cybersecurity incidents that have materially affected us to date, there can be no guarantee that we will not be the subject of future attacks, threats or incidents that may have a material impact on our business strategy, results of operations or financial condition. Additional information on cybersecurity risks we face can be found in Part I, Item 1A "Risk Factors" of this Form 10-K under the heading "Cybersecurity incidents could disrupt our business and result in the loss of confidential information and legal liability," which should be read in conjunction with the foregoing information.