National Healthcare Properties, Inc. 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

National Healthcare Properties, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:50:27 EST.

Filings

10-K filed on 2025-02-27

National Healthcare Properties, Inc. filed a 10-K at 2025-02-27 16:50:27 EST
Accession Number: 0001561032-25-000006

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We understand the importance of preventing, assessing, identifying and managing material risks associated with cybersecurity threats. Cybersecurity processes to assess, identify and manage risks from cybersecurity threats have been incorporated as a part of our overall risk assessment process. On a regular basis we implement into our operations these cybersecurity processes, technologies and controls to assess, identify and manage material risks. Specifically, we engage a third-party information technology and cybersecurity firm to assist with network and endpoint monitoring, cloud system monitoring and assessment of our incident response procedures. Further, we employ periodic penetration testing and tabletop exercises to inform our risk identification and assessment of material cybersecurity threats. To manage our material risks from cybersecurity threats and to protect against, detect and prepare to respond to cybersecurity incidents, we undertake the below listed activities: - monitor emerging data protection laws and implement changes to our processes to comply; - conduct periodic data handling and use requirement training for our employees; - conduct annual cybersecurity management and incident training for employees involved in our systems and processes that handle sensitive data; and - conduct regular phishing email simulations for all employees. Our incident response plan coordinates the activities that we and our third-party information technology and cybersecurity providers take to prepare to respond and recover from cybersecurity incidents, which include processes to triage, assess severity, investigate, escalate, contain and remediate an incident, as well as to comply with potentially applicable legal obligations. As part of the above processes, we engage with third party providers to review our cybersecurity program and help identify areas for continued focus, improvement and compliance. Our processes also include assessing cybersecurity threat risks associated with our use of third-party services providers in normal course of business use, including those in our supply chain or who have access to our tenant and employee data or our systems. Third-party risks are included within our cybersecurity risk management processes discussed above. In addition, we assess cybersecurity considerations in the selection and oversight of our third-party services providers, including due diligence on the third parties that have access to our systems and facilities that house systems and data. Our Audit Committee of the Board is responsible for oversight of our risk assessment, risk management, disaster recovery procedures and cybersecurity risks. Members of the Board regularly engage in discussions with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Our management is responsible for assessing and managing our material risks from cybersecurity threats. Management has primary responsibility for our overall cybersecurity risk management program and supervises both our internal information technology and cybersecurity personnel and our third-party vendors. Our management team supervises efforts to prevent, detect and mitigate cybersecurity risks and incidents through various means, which may include briefings from both internal and external information technology and cybersecurity personnel, threat intelligence and other information obtained from governmental, public or private sources as well as alerts and reports produced by security tools deployed in our information technology environment. As of the date of this Annual Report on Form 10-K, we have not encountered risks from cybersecurity threats that have materially affected us, or are reasonably likely to materially affect, our business strategy, results of operations or financial position.

Company Information