Page last updated on March 3, 2025
American Healthcare REIT, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 16:57:55 EST.
Filings
10-K filed on 2025-02-28
American Healthcare REIT, Inc. filed a 10-K at 2025-02-28 16:57:55 EST
Accession Number: 0001632970-25-000018
Item 1C. Cybersecurity.
Item 1C, Cybersecurity, below for a further discussion.

Healthcare Licensure and Certification

Generally, certain properties in our portfolio are subject to licensure, may require a certificate of need, or CON, or other certification through regulatory agencies in order to operate and participate in Medicare and Medicaid programs. Requirements pertaining to such licensure and certification relate to the quality of care provided by the operator, qualifications of the operator’s staff and continuing compliance with applicable laws and regulations. In addition, CON laws and regulations may place restrictions on certain activities such as the addition of beds/units at our facilities and changes in ownership. Failure to obtain a license, CON or other certification, or revocation, suspension or restriction of such required license, CON or other certification, could adversely impact our properties’ operations and their ability to generate revenue from services provided. State CON laws are not uniform throughout the United States and are subject to change. We cannot predict the impact of state CON laws on our facilities or the operations of our tenants.

Compliance with the Americans with Disabilities Act

Under the Americans with Disabilities Act of 1990, as amended, or the ADA, all public accommodations must meet federal requirements for access and use by disabled persons. Additional federal, state and local laws also may require modifications to our properties or restrict our ability to renovate our properties. We cannot predict the cost of compliance with the ADA or other legislation. We may incur substantial costs to comply with the ADA or any other legislation.

Government Environmental Regulation and Private Litigation

Environmental laws and regulations hold us liable for the costs of removal or remediation of certain hazardous or toxic substances which may be on our properties.
These laws could impose liability without regard to whether we are responsible for the presence or release of the hazardous materials. Government investigations and remediation actions may have substantial costs, and the presence of hazardous substances on a property could result in personal injury or similar claims by private plaintiffs. Various laws also impose liability on a person who arranges for the disposal or treatment of hazardous or toxic substances, and such person often must incur the cost of removal or remediation of hazardous substances at the disposal or treatment facility. These laws often impose liability whether or not the person arranging for the disposal ever owned or operated the disposal facility. As the owner of our properties, we may be deemed to have arranged for the disposal or treatment of hazardous or toxic substances.

Geographic Concentration

For a discussion of our geographic information, see
Item 1C. Cybersecurity.

Risk Management and Strategy

We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats. Our risk management strategy begins with identifying areas of risk through risk assessment and an annual review of our practices and policies against the National Institute of Standards and Technology, or NIST, Cybersecurity Framework. This framework encompasses six major focus areas and 106 subcategories. The results of each assessment are thoroughly analyzed to strengthen our security posture and maintain a comprehensive cybersecurity program.

In connection with these focus areas, we have implemented a variety of technical, physical and administrative controls to proactively prevent, detect and mitigate cybersecurity threats. These measures are designed to limit the impact of potential breaches by employing advanced logging and monitoring, robust access controls, multifactor authentication, firewalls, anti-malware and antivirus solutions, endpoint detection and response systems, network inspection tools, intrusion prevention mechanisms, content filtering and comprehensive patch and vulnerability management. Endpoints are routinely reviewed and scanned, with our Information Technology team addressing any identified issues to ensure ongoing protection. We also engage external vendors to conduct external vulnerability scanning and assess our policies and practices.

To safeguard critical systems, we maintain encrypted, immutable backups and conduct regular testing to confirm their confidentiality, integrity and availability. These efforts are reinforced by routine disaster recovery tabletop exercises and restore testing, ensuring that our organization is prepared for any potential disruptions.
In addition to our internal cybersecurity capabilities, we also periodically engage assessors, consultants, auditors and other third parties to provide consultation and advice to assist with assessing, identifying and managing cybersecurity risks. For instance, we engage third-party consultants to perform annual walkthroughs and design testing of information technology, or IT, general controls on behalf of our Internal Audit team, as well as to test IT control effectiveness throughout the year.

We have developed processes to identify and manage cybersecurity risks from our service providers. We assess our operators and managers through due diligence surveys, interviews and risk evaluations. We take cybersecurity and data privacy considerations into account when we source, select and engage with our third-party service providers. Moreover, we document our third-party vendors and suppliers in a centralized registry and review their cybersecurity practices through diligence meetings and SOC2 report evaluations for security, availability of data, processing integrity, confidentiality and privacy controls. These measures help ensure that our partners adhere to best practices and maintain safeguards for our data. We also employ systems and processes designed to oversee, identify and reduce the potential impact of a security incident at a third-party vendor, service provider or otherwise implicating the third-party technology and systems we use.

Lastly, we maintain cybersecurity insurance providing coverage for certain costs related to cybersecurity-related incidents that impact our cybersecurity and information technology infrastructure.

As of December 31, 2024, we are not aware of any cybersecurity threats or incidents that have materially affected us; however, there can be no guarantee that we will not be the subject of future attacks, threats or incidents that may have a material impact on our business strategy, results of operations or financial condition.
Additional information on cybersecurity risks we face can be found in Part I, Item 1A, Risk Factors, of this Annual Report on Form 10-K under the heading “A breach of, or failure in, information technology systems on which we rely could materially and adversely impact us,” which should be read in conjunction with the foregoing information.

Governance

Reporting to the Chief Operating Officer, our Vice President of Information Technology, who has extensive cybersecurity knowledge and skills from over 16 years of relevant work experience at our company and elsewhere, leads our Information Technology team, which is responsible for developing and implementing our information security program across our business. The Information Technology team comprises individuals with relevant educational and technical experience, including a dedicated IT Systems & Security Administrator. It works closely with the Legal department to oversee compliance and regulatory and contractual security requirements.

Our Chief Operating Officer leads the Cybersecurity Incident Management Team, a cross-functional team that comprises Internal Audit, Legal, Information Technology, Risk Management and Accounting leaders. These individuals meet regularly and receive reports of, and monitor, the prevention, mitigation, detection and remediation of cybersecurity incidents. Our Chief Operating Officer is also responsible for reporting on cybersecurity and information technology to the Audit Committee.

We maintain and periodically review and update an incident response plan that applies in the event of a cybersecurity threat or incident to provide a standardized framework for responding to cybersecurity incidents. The incident response plan sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate.
The objectives of the incident response plan are to reduce the number of systems and users affected by security incidents, reduce the time a threat actor spends within our network, reduce the damage caused by the breach and reduce the time required to restore normal operations. The incident response plan also specifies the use of third-party experts for legal advice, consulting and cyber incident response.

Our board has the ultimate oversight of cybersecurity risk, which it manages through our enterprise risk management program. Our board has delegated primary responsibility of overseeing cybersecurity risks to the Audit Committee. The Audit Committee’s responsibilities include reviewing cybersecurity strategies with management, assessing processes and controls pertaining to the management of our information technology operations and their effectiveness and making sure that management’s response to potential cybersecurity incidents is timely and effective.

At least annually, the Audit Committee reviews with the management team our cybersecurity risk exposures and the steps that management has taken to monitor and control such exposures. This review may cover a variety of relevant topics, potentially including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations related to our operators, managers and other third-party partners. The scope and focus of each review are determined based on current priorities and emerging issues in cybersecurity. In addition, we engage third-party consultants to test our IT control effectiveness throughout the year, and any known exceptions and test results are communicated to management and the Audit Committee on a quarterly basis.
Company Information
Name | American Healthcare REIT, Inc. |
CIK | 0001632970 |
SIC Description | Real Estate Investment Trusts |
Ticker | AHR - NYSE |
Website | |
Category | Non-accelerated filer |
Fiscal Year End | December 30 |