Page last updated on February 27, 2025
Pennant Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:08:32 EST.
Filings
10-K filed on 2025-02-27
Pennant Group, Inc. filed a 10-K at 2025-02-27 16:08:32 EST
Accession Number: 0001766400-25-000024
Item 1C. Cybersecurity.
We leverage information technology to enable our teams to share best practices, stay informed, adapt to challenges and opportunities promptly, improve the quality of care, mitigate risks, and enhance both clinical outcomes and financial performance. Additionally, we have invested in specialized healthcare technology systems to support our nursing and support staff. Our software and technology in each operation allows our clinical staff to monitor and deliver patient care and record patient information more efficiently, but the use of information systems also introduces cybersecurity risks, including system disruption, security breaches, ransomware, theft, espionage, and inadvertent release of information.

Risk Management and Strategy

Risk Management

We assess and identify security risks to the organization by:
- Conducting regular risk assessments to determine the likelihood and magnitude of an attack from unauthorized access, use, disclosure, disruption, modification, or destruction of information systems and related information processes, stored, or transmitted;
- Performing annual security assessments and producing security assessment reports for review by Information Technology (“IT”) senior leadership, including the service center’s Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”);
- Regularly assessing security controls for effectiveness, proper functioning, and satisfactory results; and
- Continuously monitoring and addressing vulnerabilities.

Monitoring

We have established a monitoring strategy and program, which includes:
- Active, automated threat detection and screening;
- Clearly defined security metrics to be monitored;
- Regular security control assessments;
- Regular communication about security issues with the executive team and board of directors;
- Monitoring information systems to detect attacks and indicators of potential attacks or compromises;
- Identifying unauthorized use of information system resources; and
- Deploying monitoring systems and agents strategically within the information system environment.

Data Protection

We have implemented policies and programs to secure sensitive data. These include:
- Data security policies for the Company and its subsidiaries;
- Frequent security training;
- Establishing controls over network devices, actively tracking, monitoring, and evaluating them for new, missing, or updated software needed to strengthen security, patch known vulnerabilities, or stabilize software or operating system issues;
- Protecting sensitive data through encryption techniques; and
- Utilizing systems with backup and recoverability principles, such as periodic data backups and safeguards in case of a disaster.

Incident Management

Our cybersecurity incident management plan includes the following five-step process:
1. The service center’s CIO and CISO lead the Information Security (“IS”) team in developing, documenting, reviewing, and testing security and incident management procedures;
2. The IS team works with the executive team to identify, assess, verify, and classify incidents to determine affected stakeholders and appropriate parties for contact;
3. In the event of a security incident, the service center’s CIO and CISO are responsible for launching an Incident Response Team (“IRT”) if necessary and notifying the executive team, who will contact the board of directors and the Audit Committee to validate the response;
4. The IRT, in consultation with outside experts if needed, is responsible for initial containment, analysis, incident containment, incident eradication, and recovery. The IS team also coordinates with our legal and compliance teams as needed; and
5. After each significant incident, analyses are conducted to improve prevention and make incident response processes more efficient and effective.

We have not experienced a material cybersecurity breach as an organization in the past five years. Moreover, cybersecurity threats have not materially affected our business strategy, results of operations, or financial condition. While we have implemented processes and procedures to address and mitigate cybersecurity threats, there can be no assurances that such an incident will not occur despite our efforts, as described in Item 1A. Risk Factors.

Governance

Our Audit Committee receives quarterly reports on our information security and cyber fraud prevention programs from the service center’s CIO and CISO, each of whom has over 15 years of experience in IT, including various leadership roles at other large corporations. Directors Scott E. Lamb, Gregory K. Morris M.D., and John G. Nackel, Ph.D. provide key oversight on cybersecurity matters. Our executive team is also regularly briefed on any significant security risks during monthly leadership meetings.

The IS team, established by the service center’s CIO and CISO, has dedicated cybersecurity staff focusing on security monitoring, vulnerability management, incident response, risk assessments, employee training, security engineering, and management of cybersecurity policies, standards, and regulatory compliance.

The Company implements security standards that include SOC 1 and SOC 2 compliance. We align with a Cyber Security Framework and take a risk-based approach during control assessment and implementation, following the National Institute of Standards and Technology (“NIST”) framework.

We are committed to protecting our data, systems, and network and continually invest in enhancements to mitigate or reduce the impact of cybersecurity threats. We conduct periodic tests to maintain readiness and resiliency while regularly reviewing policies to protect data security. External companies or agencies may provide consulting, guidance, assistance, or support in response to a cybersecurity incident. Employees receive regular training, at least annually, on cybersecurity threats and best practices to maintain information security.
Company Information
Name | Pennant Group, Inc. |
CIK | 0001766400 |
SIC Description | Services-Health Services |
Ticker | PNTG - Nasdaq |
Website | |
Category | Accelerated filer |
Fiscal Year End | December 30 |