OMEGA HEALTHCARE INVESTORS INC 10-K Cybersecurity GRC - 2024-02-12

Page last updated on April 11, 2024

OMEGA HEALTHCARE INVESTORS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-12 10:07:25 EST.

Filings

10-K filed on 2024-02-12

OMEGA HEALTHCARE INVESTORS INC filed an 10-K at 2024-02-12 10:07:25 EST
Accession Number: 0000888491-24-000007

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C Cybersecurity Our Board and management exercise oversight over the Company s cybersecurity program, which represents an important component of the Company s overall approach to enterprise risk management. 30 Table of Contents Governance Omega s Vice President of Information Technology ( VP of IT ) manages a team responsible for leading enterprise-wide strategy, policy, standards, architecture, processes and risk assessment related to information security and data protection, including data privacy and network security (our Cybersecurity Program ). The VP of IT has served in various roles in information technology and information security for over 30 years and, along with other members of the IT department, holds relevant and applicable certifications. The VP of IT reports directly to the Company s Chief Financial Officer and provides periodic reporting on our Cybersecurity Program to our senior management team, our Board and the Audit Committee of our Board. Our Board, in coordination with our Audit Committee, oversees our management of cybersecurity risk, with the Audit Committee reviewing and discussing with management quarterly matters related to our Cybersecurity Program as related to financial reporting. The Board and Audit Committee receive periodic reports about the prevention, detection, mitigation and remediation of cybersecurity incidents, including material security risks and information security vulnerabilities. Additionally, risks associated with the Cybersecurity Program are integrated into the Company s enterprise risk management assessment and reported to our Board at least twice per year. We also share the key results of third-party assessments with our Board and Audit Committee. Risk Management and Strategy Technical Safeguards As part of our Cybersecurity Program, the Company deploys technical safeguards that are designed to protect our information systems from cybersecurity threats, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. Risk Assessment Our Cybersecurity Program also includes an annual risk assessment which is generally based on frameworks established by the National Institute of Standards and Technology ( NIST ). Third-Party Risk Management We also maintain policies and procedures designed to identify and mitigate cybersecurity threats related to our use of material third-party vendors. This includes reviewing the internal controls of certain third-party service providers to assess their procedures to mitigate material security risks. Incident Response and Recovery Planning We maintain an Information Security Incident Response Plan (the Response Plan ) governing prevention, detection, mitigation and remediation of cybersecurity incidents and threats. The Response Plan includes controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management in a timely manner, with appropriate involvement by our Board. We regularly test the effectiveness of the Response Plan. External Assessments We obtain periodic assessments by third party experts to assess our vulnerability management and security controls and to assist us in identifying and mitigating security risks. Education and Awareness We provide cybersecurity training for all directors, officers and employees and periodic additional training of senior management through our cyber insurance carrier. As of the date of this report, we are not aware of any risks from cybersecurity threats that have materially affected the Company, including our business strategy, results of operations, or financial condition. For information regarding cybersecurity risks that may materially affect our Company, see the risk factor titled We rely on information technology in our operations, and any material failure, inadequacy, interruption or security failure of that technology could harm our business. Privacy and security laws and regulations may also increase costs for our business. under Risk Factors in Part I, Item 1A to this Annual Report on Form 10-K. 31 Table of Contents

Company Information