CareTrust REIT, Inc. - (CTRE)
10-K Filing Date: February 08, 2024
ITEM 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
We have implemented several cybersecurity processes and controls to aid in our efforts to assess, identify, and manage material risks from cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. We have engaged a third-party cybersecurity firm that serves as our dedicated information technology (IT) and cybersecurity team and helps us oversee, implement and manage these processes and controls.
To identify and assess material risks from cybersecurity threats, we consider cybersecurity threat risks individually and alongside other company risks as part of our overall risk assessment process. Management determines and prioritizes appropriate risk responses for each identified enterprise risk. In doing so, management coordinates with relevant subject matter specialists as appropriate for each relevant risk area, including our third-party IT and cybersecurity team with respect to information technology and security risks.
Management is accountable for our day-to-day risk management activities. With the assistance of our third-party IT and cybersecurity team, we employ a range of tools and services, including a governance, risk and compliance platform to inform our management’s risk identification and assessment relating to our technology program. With this platform, we map our cybersecurity and risk management program to the Center for Internet Security (“CIS”) framework.
Processes and controls we have implemented with the assistance of our third-party IT and cybersecurity team to assess, identify, manage and protect against material risks from cybersecurity threats include the following:
• perform 24/7 security monitoring through automated detection software managed by our third-party cybersecurity firm;
• conduct annual cybersecurity management and incident training for employees involved in our systems and processes that handle sensitive data;
• conduct regular phishing email training for all employees with access to corporate email and other systems to enhance awareness and responsiveness to such possible threats;
• leverage the CIS Controls incident handling framework to help us identify, protect, detect, respond, and recover when there is an actual or potential cybersecurity incident.
At least annually, our third-party IT and cybersecurity firm conducts a cybersecurity risk assessment. We periodically review reporting on these risks and our cybersecurity threats, the status of our security infrastructure, our risk management activities and the status of, and our responses to, any cybersecurity incidents.
Through our incident response policy, we have designated an incident response team composed of representatives of management and other employees as well as representatives from our outsourced cybersecurity firm that has responsibility for overseeing cybersecurity incidents. Led by management, our third-party IT and cybersecurity team is responsible for the day-to-day investigation of and response to potential information security-related incidents. Pursuant to our incident response policy, incidents meeting specified severity levels are required to be escalated to the incident response team for review and response. The goal of the policy is to prevent, detect and react to information security incidents, determine their scope and risk, respond appropriately to the incident, communicate the results and risk to relevant stakeholders, and reduce the likelihood of the incident recurring.
Pursuant to our incident response policy, if we are notified of a cybersecurity incident impacting a third-party service provider that affects our information systems or data, we will respond on the same basis as any other incident. We are implementing a business use case review process and vendor risk assessment for all third-party service providers that will access or implicate our materially significant technology or data. If we deem the cybersecurity risk of a particular service provider too great, such service provider will not be approved or access will be terminated.
Based on information known to us, we also do not believe any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. We can give no assurance that we have detected or protected against all cybersecurity threats or incidents. Please refer to “Cybersecurity incidents or other damage to the information systems and technology of us or our tenants could harm our business” and “If we or our tenants fail to adhere to applicable privacy and data security laws, this could have a material adverse effect on us or on our tenants’ ability to meet their obligations to us” included in “Item 1A, Risk Factors” of this Annual Report on Form 10-K for additional information about material risks related to cybersecurity threats.
Cybersecurity Governance
As described above, we have engaged a third-party IT and cybersecurity firm to whom we have outsourced primary responsibility to oversee, implement and manage our processes and controls to assess, identify, and manage material risks from cybersecurity threats. Members of this dedicated third-party IT and cybersecurity team include a virtual chief information security officer (vCISO) who is responsible for the overall development and implementation of our cybersecurity strategy and responses as well as individuals having the position of cybersecurity analyst, cybersecurity engineer, and director of information security. Our management, including our Chief Executive Officer, oversees the work of our third-party IT and cybersecurity team and regularly communicates with members of the team. Through the policies and controls described above, including our incident response policy, representatives of the third-party IT and cybersecurity team as well as members of our management, including our Chief Executive Officer, are informed about cybersecurity threats and incidents affecting our information systems and direct our efforts to prevent, detect, mitigate and remediate cybersecurity threats and incidents. The representatives of our third-party IT and cybersecurity team who lead our cybersecurity risk management and risk assessment process have collectively over 30 years of prior work experience in various roles managing information systems, developing cybersecurity strategy, implementing information security and cybersecurity programs, identifying and assessing cybersecurity risks and establishing incident response plans. The members of the cybersecurity team hold degrees in computer engineering and cybersecurity as well as advanced cybersecurity certifications, including a Certified Information Systems Security Professional (CISSP) certification, a Certified Information Systems Auditor (CISA) credential and a Certified Information Security Manager (CISM) certification. 
Other members of our third-party cybersecurity team have also obtained various professional certifications and advanced training in the areas of information security and cybersecurity.
Our audit committee is responsible for overseeing our overall risk assessment and risk management program as well as our policies and practices related to our information technology systems, information security and cybersecurity risks. The audit committee reviews at least annually our enterprise risks and related risk management program. In addition, on a quarterly basis, the audit committee receives a report from management on our cybersecurity threat risk management and strategic processes covering topics such as cybersecurity incidents and any remedial actions, if needed, data security posture, the results of third-party risk assessments as well as our cybersecurity risk management processes and strategies. Outside of quarterly presentations, the chair of the audit committee would be notified following any cybersecurity incident meeting specified severity levels, and the audit committee would also be expected to review management’s materiality assessment regarding any cybersecurity incident requiring disclosure to the Securities and Exchange Commission. Through their participation in meetings of the audit committee, other members of the Board are also kept apprised of material risks from cybersecurity threats and our related risk management activities.