Pennant Group, Inc. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on July 16, 2024

Pennant Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:16:35 EST.


10-K filed on 2024-02-28

Pennant Group, Inc. filed a 10-K at 2024-02-28 16:16:35 EST
Accession Number: 0001766400-24-000022

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity As a health care provider, we regularly process and store patient and resident information. We are committed to the protection of the personal information of our and our independent operating subsidiaries’ patients, residents, and employees. We have robust security tools, practices, and policies in place to help ensure the confidentiality, integrity, and accessibility of the data with which we are entrusted. Certain of the numerous tools and processes that we use to assess, identify and manage material risks include, without limitation: - Automated third-party tools to screen and block malicious content - Dedicated IT security staff who review threats in real time and escalate issues as needed - Regular security tests and audits performed by internal and external parties - Ongoing security training for all employees Our Chief Information Officer (“CIO”), Bryant Saxon, oversees our cybersecurity program and dedicated security resources. Mr. Saxon has over 15 years of direct cybersecurity experience in Chief Information Officer and other key leadership roles in the healthcare industry. His experience includes HIPAA compliance, systems design, security audits, and incident response. Our Board of Directors is also committed to data security and is regularly updated by the CIO on cybersecurity and other relevant technology risks facing the Company. Each quarter, the Audit Committee receives an IT risk update from the CIO, and discusses emerging technology and cybersecurity risks. This risk update includes an overview and discussion of our cybersecurity and risk management programs. In addition, technology risk is a key component of our overall enterprise risk assessment, which is conducted annually and presented to the Board of Directors. Through these processes, the Board of Directors is apprised of, and given the opportunity to discuss at length, any meaningful cybersecurity risks we face. Directors Scott E. Lamb, Gregory K. Morris, and John G. Nackel, Ph.D. provide key oversight on cybersecurity matters. Our executive team is also briefed on any significant security risks during monthly leadership meetings. We emphasize that everyone has a role to play in data security. All employees are provided with data security and privacy training upon hire and as part of annual refresher training. All employees are required to complete this training, and we also provide periodic updates and guidance related to cybersecurity. In addition, we regularly conduct phishing simulations or other tests to identify cyber threats. To address and mitigate cybersecurity risks from third-party systems, the Company implements a stringent process that includes SOC 1 and SOC 2 compliance. These standards help ensure that our third-party vendors maintain appropriate security controls and processes. Additionally, we enter into Business Associate Agreements (BAAs) with relevant third-party vendors. These agreements are critical for reinforcing our cybersecurity framework, as they require vendors to maintain the confidentiality, integrity, and availability of protected health information according to our standards and federal regulations. Additionally, through third-party risk assessments, regular audits, and the enforcement of security requirements, we seek to ensure that all vendors adhere to our standards of data security and privacy. This layered security approach, incorporating both technical compliance and legal agreements, helps to create a defense against external cyber threats. We did not experience any material cybersecurity incidents in 2023. Although we incur numerous costs in the ordinary course of business to address the risks and implement the policies described above, risks from cybersecurity threats did not materially affect our strategy, results of operations, or financial condition in 2023. Although we are deeply committed to cybersecurity, we cannot fully mitigate all technology risks. Cybersecurity threats, including data breaches, ransomware, and similar threats, could materially impact our future results in the future. For further discussion of how any risks from cybersecurity threats may materially affect the Company, including our business strategy, results of operations or financial condition, see Part 1, Item 1A. Risk Factors , which is incorporated by reference into this Part 1, Item 1C. Cybersecurity ..
Item 1C. Cybersecurity ..

Company Information

NamePennant Group, Inc.
SIC DescriptionServices-Health Services
TickerPNTG - Nasdaq
CategoryAccelerated filer
Fiscal Year EndDecember 30