REGIONAL HEALTH PROPERTIES, INC - (RHE)

10-K Filing Date: April 01, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

 

We have developed and implemented cybersecurity risk management processes intended to protect the confidentiality, integrity and availability of our critical systems and information.

 

While everyone at the Company plays a part in managing cybersecurity risks, primary cybersecurity oversight responsibility is shared by the Board, the audit committee of the Board of Directors (“Audit Committee”) and senior management. Our cybersecurity risk management program is integrated into our overall enterprise risk management program.

 

Our cybersecurity risk management program includes:

 

physical, technological and administrative controls intended to support our cybersecurity and data governance framework, including controls designed to protect the confidentiality, integrity and availability of our key information systems and tenant, employee and other third-party information stored on those systems, such as access controls, encryption, data handling requirements and other
cyberersecurity safeguards, and internal policies that govern our cybersecurity risk management and data protection practices;

 

a defined procedure for timely incident detection, containment, response and remediation, including a written security incident response plan that includes procedures for responding to cybersecurity incidents;

 

cybersecurity risk assessment processes designed to help identify material cybersecurity risks to our critical systems, information, products, services and broader enterprise Information Technology (“IT”) environment;

 

a security team responsible for managing our cybersecurity risk assessment processes and security controls;

 

the use of external consultants or other third-party experts and service providers, where considered appropriate, to assess, test or otherwise assist with aspects of our cybersecurity controls;

 

annual cybersecurity and privacy training of employees, including incident response personnel and senior management, and specialized training for certain teams depending on their role and/or access to certain types of information; and

 

a third-party risk management process that includes internal vetting of certain third-party vendors and service providers with whom we may share data.

 

Additionally, we engage third-party providers to augment our cybersecurity capabilities. These partnerships entail ongoing assistance for threat monitoring and mitigation, as well as targeted support for specialized security expertise.

 

As of December 31, 2023, we have not identified risks from known cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us,

42

 

including our business strategy, results of operations or financial condition. For an examination of cybersecurity threats that could potentially have a material impact on us, please refer to Part I, Item 1A., “Risk Factors” –“Cybersecurity incidents or other damage to the information systems and technology of us or our tenants could harm our business” in this Annual Report.”

Governance

 

With oversight from the Board, the Audit Committee is primarily responsible for assisting the Board in fulfilling its ultimate oversight responsibilities relating to risk assessment and management, including relating to cybersecurity and other information technology risks. The Audit Committee oversees management’s implementation of our cybersecurity risk management program, including processes and policies for determining risk tolerance, and reviews management’s strategies for adequately mitigating and managing identified risks, including risks relating to cybersecurity threats.

 

Our management team is responsible for assessing and managing our material risks from cybersecurity threats and for our overall cybersecurity risk management program on a day-to-day basis, and supervises both our internal cybersecurity personnel and the relationship with our retained external cybersecurity consultants. Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, including briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.

43

 

Back SEC Filing