NATIONAL HEALTH INVESTORS INC 10-K Cybersecurity GRC - 2025-02-25

Page last updated on February 25, 2025

NATIONAL HEALTH INVESTORS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 16:11:06 EST.

Filings

10-K filed on 2025-02-25

NATIONAL HEALTH INVESTORS INC filed a 10-K at 2025-02-25 16:11:06 EST
Accession Number: 0000877860-25-000027

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy The Board of Directors recognizes the importance of maintaining the trust and confidence of our tenants/borrowers/operators and employees to safeguard sensitive information and the integrity of our information systems. We have systems in place to assess, identify and manage cybersecurity incidents and we invest in technology and third-party support to identify, mitigate, and quickly respond to cybersecurity incidents. We have maintained a strong focus on consistently reviewing our cybersecurity practices. We also conduct periodic information security and awareness training to ensure that employees are aware of information security risks and to enable them to take steps to mitigate those risks. As part of this program, we also take steps designed to provide appropriate guidance regarding security to our executive management and employees, including any employee who may come into possession of confidential financial information. We have engaged the services of various third-party service providers to, among other things, review and evaluate our processes and procedures designed to control access to our information systems, perform penetration testing on our cybersecurity systems on a biannual basis, and provide regular information technology reviews based upon the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. In addition, we contracted with a third-party managed detection and response security company (“MDR”) in the fourth quarter of 2023 to commence testing for cyber vulnerabilities on a continual basis. In order to identify and mitigate cybersecurity threats related to our use of material third-party vendors, we conduct periodic reviews of internal controls of certain third-party service providers to assess their procedures to mitigate material security risks. Board & Management Responsibilities We have formed an Information Technology Steering Committee comprised of employees from multiple departments within the Company including the Chief Executive Officer (“CEO”); the Chief Financial Officer; the Chief Accounting Officer; the Vice President, Controller; the Vice President, Investor Relations & Finance; and the Vice President of Human Resources and Compliance & Information Security Officer (“ISO”) to more effectively prevent, detect and respond to information security 35 Ta ble of Contents threats. The ISO has served in various roles in corporate compliance for over 20 years and reports directly to the Company’s CEO. To enhance our cybersecurity capabilities, we actively collaborate with third-party vendors. Notably, we engage a Managed Service Provider (“MSP”) and an MDR provider who specializes in cybersecurity issues. Our MSP plays a critical role in supporting our IT infrastructure, offering expertise and resources that complement our in-house capabilities. The MDR provides advanced cybersecurity solutions, including continuous monitoring and threat detection services, which are integral to our cybersecurity program. The ISO is responsible for overseeing a company-wide information security strategy, including policy, standards, architecture, and processes, and managing many of the security services that run on personal computers and servers. The Audit Committee meets with the ISO at least annually to review and discuss the Company’s cyber risks and threats, incident responses, technology, the status of projects to strengthen the Company’s information security systems, assessments of the Company’s security program and the emerging threat landscape. In the event of an incident that jeopardizes the confidentiality, integrity, or availability of the information technology systems we use, we utilize a regularly updated information security incident response plan (“IRP”). The IRP is overseen by the Information Technology Steering Committee and sets forth the processes for containment, review, escalation, recovery from and remediation of any cybersecurity incidents identified by the Company. Pursuant to our IRP and its escalation protocols, designated personnel are responsible for assessing the severity of the incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing the reporting obligations associated with the incident, and performing post-incident analysis and program improvements. The IRP also specifies the approach to reporting findings and keeping senior management and other key stakeholders (including the Audit Committee and the Board of Directors for certain incidents) informed and involved as appropriate and specifies the use of third-party experts for legal advice, consulting and cyber incident response. The Company periodically conducts cybersecurity “tabletop” exercises administered by an independent third-party in which members of a cross-functional team and relevant third-party vendors engage in simulated cybersecurity incident scenarios. These exercises are intended to provide hand-on training for the participants and assists the Company with assessing its processes and capabilities in addressing cybersecurity threats. As of December 31, 2024, we have not experienced any material risks from cybersecurity threats, including as a result of any previous cybersecurity incidents or threats, that have materially affected the business strategy, results of operations or financial condition of the Company or are reasonably likely to have such a material effect. We also maintain cyber liability insurance to help mitigate potential liabilities resulting from cyber issues. However, there can be no assurance that our cyber risk insurance coverage will be sufficient to cover incurred losses in the event of a cyber-attack. 36 Ta ble of Contents

Company Information