Community Healthcare Trust Inc 10-K Cybersecurity GRC - 2024-02-13

Page last updated on April 11, 2024

Community Healthcare Trust Inc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-13 17:02:07 EST.

Filings

10-K filed on 2024-02-13

Community Healthcare Trust Inc filed an 10-K at 2024-02-13 17:02:07 EST
Accession Number: 0001631569-24-000024

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk management and strategy The Company recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. Our policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall risk management program and are based on the Center for Internet Security (CIS) benchmarks. CIS controls map to many established standards and regulatory frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and NIST SP 800-53, the ISO 27000 series of standards, PCI DSS, HIPAA, and others. Managing Material Risks & Integrated Overall Risk Management The Company has strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. Our risk management team works closely with our IT department to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. Engage Third-parties on Risk Management Recognizing the complexity and evolving nature of cybersecurity threats, the Company engages with a range of external experts, including cybersecurity assessors, consultants, and auditors in evaluating and testing our risk management systems. These partnerships enable us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes remain at the forefront of industry best practices. Our collaboration with these third-parties includes real-time Company endpoint scanning, detection, prevention, and remediation; regular audits; threat assessments; and consultation on security enhancements. 48 Oversee Third-party Risk Because we are aware of the risks associated with third-party service providers, the Company implements stringent processes to oversee and manage these risks. We conduct thorough security assessments of all third-party providers before engagement and maintain ongoing review to ensure compliance with our cybersecurity standards. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third-parties. Risks from Cybersecurity Threats We have not encountered cybersecurity challenges that have materially impaired our operations or financial standing. Governance The Board of Directors is acutely aware of the critical nature of managing risks associated with cybersecurity threats. The Board has established robust oversight mechanisms to ensure effective governance in managing risks associated with cybersecurity threats because we recognize the significance of these threats to our operational integrity and stakeholder confidence. Board of Directors Oversight As mentioned above, management has formed an IT Committee consisting of the Chief Executive Officer, Chief Financial Officer, and the Vice President of Information Technology to review and discuss information security matters and cyber security risks. The committee meets at least twice a year and reports to the Board of Directors as needed. Management s Role Managing Risk The Chief Executive Officer and Chief Financial Officer play a pivotal role in serving on the IT Committee, which meets at least twice a year and discusses a broad range of topics, including: Current cybersecurity landscape and emerging threats; Status of ongoing cybersecurity initiatives and strategies; Incident reports and learnings from any cybersecurity events; and Compliance with regulatory requirements and industry standards. In addition, the IT Committee and the Board maintain an ongoing dialogue regarding emerging or potential cybersecurity risks, ensuring the Board s oversight is proactive and responsive. The IT Committee actively participates in strategic decisions related to cybersecurity, offering guidance and approval for major initiatives. This involvement ensures that cybersecurity considerations are integrated into the broader strategic objectives of the Company. Risk Management Personnel Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the Vice President of Information Technology. Our Vice President of Information Technology has over 25 years of experience in the information technology field and has been a member of and led numerous teams responsible for cybersecurity operations. In addition, all Company employees are required to complete mandatory cybersecurity training each year. Monitor Cybersecurity Incidents The Vice President of Information Technology is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The Vice President of Information Technology implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to 49 identify potential vulnerabilities. In the event of a cybersecurity incident, the Vice President of Information Technology is equipped with a well-defined incident response plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents. Reporting to Board of Directors The Vice President of Information Technology, in his capacity, regularly informs the Chief Executive Officer and Chief Financial Officer of all aspects related to cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company. Furthermore, significant cybersecurity matters, and strategic risk management decisions are escalated to the Board of Directors, ensuring that they have comprehensive oversight and can provide guidance on critical cybersecurity issues.

Company Information