Ventas, Inc. 10-K Cybersecurity GRC - 2025-02-13

Page last updated on February 14, 2025

Ventas, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-13 16:37:17 EST.

Filings

10-K filed on 2025-02-13

Ventas, Inc. filed a 10-K at 2025-02-13 16:37:17 EST
Accession Number: 0000740260-25-000052

Item 1C. Cybersecurity.

Our business is subject to risk from cybersecurity threats and incidents. Cybersecurity threats and incidents include attempts to gain unauthorized access to our systems and networks, or those of our managers, tenants, borrowers, investments in unconsolidated entities, vendors, suppliers, service providers or other third parties with whom we do business, to disrupt operations, corrupt data or steal confidential or personal information and other cybersecurity breaches. Ventas considers cybersecurity risk a serious threat to our assets and our people and has put processes in place designed to mitigate the risk and impact of any such cybersecurity threat or incident.

Risk Management and Strategy

As part of our cybersecurity risk management process, we:

- Periodically review and implement procedures that endeavor to follow the cybersecurity standards set forth by the National Institute of Standards and Technology, including procedures with respect to evaluation and monitoring of cybersecurity threats and incidents;
- Implement, maintain and regularly review incident response plans to manage cybersecurity threats and incidents and further improve our preparedness and response infrastructure. Such plans are informed by our testing and monitoring activities and set forth actions to be taken in responding to and recovering from cybersecurity incidents which include procedures for assessing the severity of such threats and incidents, escalating and disseminating information and containing, investigating and remediating threats and incidents;
- Engage third-party security firms to monitor and respond to cybersecurity threats and incidents, including those associated with our use of third-party vendors and service providers, and conduct periodic penetration tests with the aim of identifying and remediating vulnerabilities;
- Periodically evaluate and assess cybersecurity risks associated with our use of key third-party business partners, vendors and service providers. However, we do not control the cybersecurity plans and systems put in place by such third parties and we may have limited contractual protections with such third parties, such as indemnification obligations to us, which could cause us to be negatively impacted as a result;
- Provide employees with the training, tools and resources designed to protect the Company from cybersecurity threats and incidents and to identify and report such threats and incidents. Our employees receive training and testing on cybersecurity protocols throughout the year, including regular anti-phishing campaigns, periodic live training programs and mandatory annual training and assessments with passing requirements. Each employee periodically acknowledges that they have read, understood and will abide by the Company’s cybersecurity policies; and
- Seek to minimize the amount of personal information collected to support business needs and use storage and transfer protocols leveraging encryption of critical information, including confidential or personal information.

Our processes for assessing, identifying, and managing material risks from cybersecurity threats and incidents are integrated into our multi-disciplinary enterprise risk management (“ERM”) process. Our ERM process is managed through our ERM Committee, which we have established to assess, identify and manage enterprise-wide risks to the Company, and is comprised of personnel from our senior leadership team. The ERM Committee is convened at least quarterly to review and update our top risks, including cybersecurity risks. Existing risks are evaluated for changes, and mitigation strategies are discussed as needed. New risks are discussed and evaluated for consideration as a top risk. Results are discussed with our Board of Directors at quarterly Board meetings as needed.

As of December 31, 2024, the Company is not aware of any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect the Company, including with respect to our business strategy, results of operations or financial condition.

While we have implemented measures designed to help mitigate the risk from cybersecurity threats and incidents, we cannot guarantee that we or our managers, tenants, borrowers, investments in unconsolidated entities, vendors, suppliers, service providers or other third parties with whom we do business will be successful in preventing a cybersecurity incident, or mitigating or remediating a cybersecurity threat, which could result in a data center outage, disrupt our systems and operations or the systems and operations of our managers, tenants, borrowers, investments in unconsolidated entities, vendors, suppliers, service providers or other third parties with whom we do business, compromise the confidential or personal information of our employees, partners or the residents in our senior housing communities and damage our business relationships and reputation.
Although we have implemented various measures designed to manage risks relating to these types of events, these measures and the systems supporting them could prove to be inadequate and, if compromised, could become inoperable for extended periods of time, cease to function properly or fail to adequately secure confidential or personal information. See “Risk Factors-Our Legal, Compliance and Regulatory Risks-Cybersecurity threats and incidents could disrupt our operations or the operations of the third parties with whom we do business, invest in or lend to, result in the loss of or unauthorized access to confidential or personal information or damage our or their business relationships and reputation” included in Part I, Item 1A of this Annual Report.

Governance

Role of our Board of Directors and the Audit and Compliance Committee

As part of our Board of Directors’ role in overseeing the Company’s ERM program, which includes our cybersecurity risk management, our Board is responsible for overseeing management’s identification, assessment and management of material cybersecurity risks which may reasonably be expected to impact the Company. While our Board has overall responsibility for enterprise risk oversight, our Board has delegated to the Audit and Compliance Committee responsibility for overseeing risks from cybersecurity threats and incidents. The Audit and Compliance Committee is responsible for overseeing the effectiveness of the Company’s cybersecurity risk management initiatives, taking into account the Company’s risk exposures. Management briefs the Audit and Compliance Committee at least once a year and our Board as appropriate on cybersecurity controls, protocols, risk assessments and mitigation measures.

Role of our Management

Our management has primary responsibility for identifying, assessing and managing our exposure to cybersecurity threats and incidents, subject to oversight by our Board of Directors of the processes we establish to assess, monitor and mitigate that exposure.

Our Chief Information Officer oversees our Information Technology Team and is responsible for the development and implementation of strategy for our information systems, networks, infrastructure, cybersecurity and data analytics. She has more than 25 years of experience in the field of information technology and is a member of our senior leadership team. Prior to joining Ventas, she spent approximately 12 years at a multinational hospitality public company where, in her most recent role, she was responsible for application management and support of enterprise-wide systems. This role also had responsibility for global service desk support for more than 100,000 employees.

If a potentially material cybersecurity threat or incident is identified or discovered, the Company’s Information Technology Team will notify our Chief Executive Officer, Chief Financial Officer, General Counsel and other relevant business executives. Our Chief Information Officer will work with the appropriate leaders and employees in any impacted business groups, as well as appropriate personnel in our finance, legal and other departments, to assess the risks to the Company and potential impact while determining appropriate remediation steps. If management determines that a cybersecurity threat or incident could be material to the Company, our management will notify the Audit and Compliance Committee, who will then escalate the risk to our full Board of Directors, depending on management’s assessment of the risk. As discussed above, management also provides regular reports to the Audit and Compliance Committee and to our Board as appropriate.


Company Information

Name: Ventas, Inc.
CIK: 0000740260
SIC Description: Real Estate Investment Trusts
Ticker: VTR - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30