NorthStar Healthcare Income, Inc. 10-K Cybersecurity GRC - 2025-03-14

Page last updated on March 14, 2025

NorthStar Healthcare Income, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-14 12:31:57 EDT.

Filings

10-K filed on 2025-03-14

NorthStar Healthcare Income, Inc. filed a 10-K at 2025-03-14 12:31:57 EDT
Accession Number: 0001503707-25-000019


Item 1C. Cybersecurity.

Risk Management and Strategy

We have developed and implemented a cybersecurity framework intended to assess, identify and manage risks from threats to the security of our information, systems, products and network using a risk-based approach. The framework is informed in part by the National Institute of Standards and Technology, or NIST, Cybersecurity Framework, NIST 800-53 and International Organization for Standardization 27001, or ISO 27001, Framework, although we do not comply with all technical standards, specifications or requirements under NIST or ISO 27001.

Our key cybersecurity processes include the following:

- Risk-based controls for information systems and information on our networks. We seek to maintain an information technology infrastructure that implements physical, administrative and technical controls that are calibrated based on risk and designed to protect the confidentiality, integrity and availability of our information systems and information stored on our networks, including personal information, intellectual property and proprietary information.
- Cybersecurity incident response plan and testing. We have a cybersecurity incident response plan and dedicated team to respond to cybersecurity incidents. When a cybersecurity incident occurs or we identify a vulnerability, we have a Managed Security Service Provider, or MSSP, that is responsible for leading the initial assessment of priority and severity. Our cybersecurity team assists in responding to incidents depending on severity levels and seeks to improve our cybersecurity incident management plan through periodic tabletops or simulations at the enterprise level.
- Training. We provide security awareness training to help our employees understand their information protection and cybersecurity responsibilities. We also provide additional role-based training to some employees based on customer requirements, regulatory obligations and industry risks.
- Supplier risk assessments. We have implemented a third-party risk management process that includes expectations regarding information and cybersecurity. That process, among other things, provides for us to perform cybersecurity assessments on certain suppliers based on an assessment of their risk profile and a related rating process. We also seek contractual commitments from key suppliers to appropriately secure and maintain their information technology systems and protect our information that is processed on their systems.
- Our third-party assessments. We have third-party cybersecurity companies engaged to periodically assess our cybersecurity posture and to assist in identifying and remediating risks from cybersecurity threats.

We also consider cybersecurity, along with other top risks, within our enterprise risk management framework. The enterprise risk management framework includes internal reporting at the enterprise level, with consideration of key risk indicators, trends and countermeasures for cybersecurity and other types of significant risks.

In the last fiscal year, we have not identified risks from known cybersecurity threats, including any prior cybersecurity incidents, which have materially affected us, including our operations, business strategy, results of operations, cash flow or financial condition. We have not identified cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect us, including with respect to our business strategy, results of operations or financial position.

Governance

Our Audit Committee is responsible for board-level oversight of cybersecurity risk and reports back to our Board about this and other areas within its responsibility. As part of its oversight role, our Audit Committee receives reporting about our practices, programs, notable threats or incidents and other developments related to cybersecurity throughout the year, including through periodic updates from our Chief Financial Officer, and through our MSSP.

Our Chief Financial Officer is principally responsible for overseeing our cybersecurity risk management program and incident reporting. In the event there is a material cybersecurity breach or incident, our Chief Financial Officer works in coordination with our MSSP to assess and respond, including by reporting the breach or incident to our Board and/or applicable regulatory authorities, as necessary or required. Our Chief Financial Officer has a high level of exposure to cybersecurity oversight through his current work overseeing our cybersecurity risk management and MSSP and has over 10 years of experience with managing risks in environments similar to ours, including risks arising from cybersecurity threats.


Company Information

Name: NorthStar Healthcare Income, Inc.
CIK: 0001503707
SIC Description: Real Estate Investment Trusts
Ticker: NHHS - OTC
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30