HEALTHPEAK PROPERTIES, INC. 10-K Cybersecurity GRC - 2024-02-09

Page last updated on April 11, 2024

HEALTHPEAK PROPERTIES, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-09 16:17:40 EST.

Filings

10-K filed on 2024-02-09

HEALTHPEAK PROPERTIES, INC. filed an 10-K at 2024-02-09 16:17:40 EST
Accession Number: 0001628280-24-004094

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity Cybersecurity Risk Management and Strategy In our business operations, we use information technology, enterprise applications, communications tools, cloud network solutions, and related systems to manage our operations, including to manage our building systems, tenant and vendor relationships, accounting and recordkeeping, and communications, among other aspects of our business. We have developed and implemented a cybersecurity risk management program intended to protect our properties, confidential and proprietary data, and information technology and systems, from cybersecurity threats, including unauthorized access or attack. We leverage the National Institute of Standards and Technology ( NIST ) Cybersecurity Framework as a guide to help us identify, assess, and manage cybersecurity risks relevant to the business. This does not imply that we meet any particular technical standards, specifications, or requirements. Our processes for assessing, identifying, and managing risks from cybersecurity threats, including operational risks, financial reporting risks, reputational risks, personal data theft, fraud, and other potential risks, are integrated into our overall enterprise risk management process, and share common methodologies, reporting channels, and governance processes that apply across the enterprise risk management process to other legal, compliance, strategic, operational, and financial risk areas. Our cybersecurity risk management program includes the following: a multidisciplinary team comprised of personnel from information technology ( IT ), internal audit, accounting, and legal, as well as third-party cybersecurity experts principally responsible for directing (i) our cybersecurity risk assessment processes, (ii) our security processes, and (iii) our response to cybersecurity incidents; risk assessments designed to help identify material cybersecurity risks to our critical systems, information, services, and our broader enterprise IT environment; internal and third-party security tools to monitor our systems, identify cybersecurity risks, and test our IT environment; the use of third-party cybersecurity experts, where appropriate, to assess, test or otherwise assist with aspects of our security processes; a cybersecurity incident response plan and business continuity plan; cybersecurity training for employees and key business partners with access to our systems; a third-party cybersecurity risk management process for service providers and vendors who access our systems; requiring employees, as well as third parties who have access to our systems, to treat confidential and private information and data with care, including performing controls relating to such data; and cybersecurity risk insurance. We also seek to engage reputable service providers that maintain cybersecurity programs or controls. We have not identified risks from known cybersecurity threats within the prior fiscal year, including as a result of any prior cybersecurity incident, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. Please refer to Item 1A, Risk Factors in this report for additional information about certain ongoing risks related to our information technology that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. Cybersecurity Governance Cybersecurity is an important part of our overall risk management processes and an area of focus for our Board of Directors and management. The Board, in coordination with the Audit Committee, oversees the Company s enterprise risk management process, including the management of material risks arising from cybersecurity threats. The Audit Committee regularly receives updates from management and third-party cybersecurity experts about major cybersecurity risks, their potential impact on our business operations, and management s processes to identify, monitor, and mitigate such risks, including, as relevant, the results of assessments or audits of our processes. The Audit Committee periodically provides updates on these matters to the Board of Directors. 41 Table of Contents Our enterprise risk team consists of cross-functional professionals who collaborate with subject matter specialists, as necessary, including an independent third-party expert we have retained to functionally serve as a virtual chief information security officer ( CISO ), to identify and assess material risks from cybersecurity threats, their severity, and potential mitigation steps. The CISO is primarily responsible for leading our cybersecurity risk assessment and management processes. This expert has experience having served as the chief information security officer for an international commercial real estate services company and currently serves as chief executive officer of a cybersecurity firm focused on commercial real estate. He is supported by an internal cross-functional management team of IT and internal audit personnel who regularly review and assess cybersecurity initiatives, including our incident response plan, as well as cybersecurity compliance, training and risk management efforts.

Company Information