OMEGA HEALTHCARE INVESTORS INC - (OHI)
10-K Filing Date: February 12, 2024
Item 1C – Cybersecurity
Our Board and management exercise oversight over the Company’s cybersecurity program, which represents an important component of the Company’s overall approach to enterprise risk management.
30
Governance
Omega’s Vice President of Information Technology (“VP of IT”) manages a team responsible for leading enterprise-wide strategy, policy, standards, architecture, processes and risk assessment related to information security and data protection, including data privacy and network security (our “Cybersecurity Program”). The VP of IT has served in various roles in information technology and information security for over 30 years and, along with other members of the IT department, holds relevant and applicable certifications. The VP of IT reports directly to the Company’s Chief Financial Officer and provides periodic reporting on our Cybersecurity Program to our senior management team, our Board and the Audit Committee of our Board.
Our Board, in coordination with our Audit Committee, oversees our management of cybersecurity risk, with the Audit Committee reviewing and discussing with management quarterly matters related to our Cybersecurity Program as related to financial reporting. The Board and Audit Committee receive periodic reports about the prevention, detection, mitigation and remediation of cybersecurity incidents, including material security risks and information security vulnerabilities. Additionally, risks associated with the Cybersecurity Program are integrated into the Company’s enterprise risk management assessment and reported to our Board at least twice per year. We also share the key results of third-party assessments with our Board and Audit Committee.
Risk Management and Strategy
Technical Safeguards
As part of our Cybersecurity Program, the Company deploys technical safeguards that are designed to protect our information systems from cybersecurity threats, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.
Risk Assessment
Our Cybersecurity Program also includes an annual risk assessment which is generally based on frameworks established by the National Institute of Standards and Technology (“NIST”).
Third-Party Risk Management
We also maintain policies and procedures designed to identify and mitigate cybersecurity threats related to our use of material third-party vendors. This includes reviewing the internal controls of certain third-party service providers to assess their procedures to mitigate material security risks.
Incident Response and Recovery Planning
We maintain an Information Security Incident Response Plan (the “Response Plan”) governing prevention, detection, mitigation and remediation of cybersecurity incidents and threats. The Response Plan includes controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management in a timely manner, with appropriate involvement by our Board. We regularly test the effectiveness of the Response Plan.
External Assessments
We obtain periodic assessments by third party experts to assess our vulnerability management and security controls and to assist us in identifying and mitigating security risks.
Education and Awareness
We provide cybersecurity training for all directors, officers and employees and periodic additional training of senior management through our cyber insurance carrier.
As of the date of this report, we are not aware of any risks from cybersecurity threats that have materially affected the Company, including our business strategy, results of operations, or financial condition. For information regarding cybersecurity risks that may materially affect our Company, see the risk factor titled “We rely on information technology in our operations, and any material failure, inadequacy, interruption or security failure of that technology could harm our business. Privacy and security laws and regulations may also increase costs for our business.” under “Risk Factors” in Part I, Item 1A to this Annual Report on Form 10-K.
31