American Healthcare REIT, Inc. 10-K Cybersecurity GRC - 2024-03-22

Page last updated on July 2, 2024

American Healthcare REIT, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-22 13:34:46 EDT.


10-K filed on 2024-03-22

American Healthcare REIT, Inc. filed a 10-K at 2024-03-22 13:34:46 EDT
Accession Number: 0001632970-24-000039


Item 1C. Cybersecurity.

Item 1C, Cybersecurity, below for a further discussion.

Healthcare Licensure and Certification

Generally, certain properties in our portfolio are subject to licensure, may require a certificate of need, or CON, or other certification through regulatory agencies in order to operate and participate in Medicare and Medicaid programs. Requirements pertaining to such licensure and certification relate to the quality of care provided by the operator, qualifications of the operator’s staff and continuing compliance with applicable laws and regulations. In addition, CON laws and regulations may place restrictions on certain activities such as the addition of beds/units at our facilities and changes in ownership. Failure to obtain a license, CON or other certification, or revocation, suspension or restriction of such required license, CON or other certification, could adversely impact our properties’ operations and their ability to generate revenue from services provided. State CON laws are not uniform throughout the United States and are subject to change. We cannot predict the impact of state CON laws on our facilities or the operations of our tenants.

Compliance with the Americans with Disabilities Act

Under the Americans with Disabilities Act of 1990, as amended, or the ADA, all public accommodations must meet federal requirements for access and use by disabled persons. Additional federal, state and local laws also may require modifications to our properties or restrict our ability to renovate our properties. We cannot predict the cost of compliance with the ADA or other legislation. We may incur substantial costs to comply with the ADA or any other legislation.

Government Environmental Regulation and Private Litigation

Environmental laws and regulations hold us liable for the costs of removal or remediation of certain hazardous or toxic substances which may be on our properties. These laws could impose liability without regard to whether we are responsible for the presence or release of the hazardous materials. Government investigations and remediation actions may have substantial costs, and the presence of hazardous substances on a property could result in personal injury or similar claims by private plaintiffs. Various laws also impose liability on a person who arranges for the disposal or treatment of hazardous or toxic substances, and such person often must incur the cost of removal or remediation of hazardous substances at the disposal or treatment facility. These laws often impose liability whether or not the person arranging for the disposal ever owned or operated the disposal facility. As the owner of our properties, we may be deemed to have arranged for the disposal or treatment of hazardous or toxic substances.

Geographic Concentration

For a discussion of our geographic information, see
Item 1C. Cybersecurity.

Our information technology networks, those of our operators and managers and those of third parties on whom we rely are important enablers to our ability to perform day-to-day operations of our business. Our business operations depend on the secure collection, storage, transmission and other processing of proprietary, confidential or sensitive data. We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats. Our cybersecurity program includes several safeguards such as access controls, multi-factor authentication, continuous monitoring and alerting systems for internal and external threats and external vulnerability testing. Additionally, we conduct regular evaluation of our cybersecurity program, encompassing internal reviews and third-party assessments to ensure its effectiveness and resilience.

Governance

Our board retains ultimate oversight of cybersecurity risk, which it manages through our enterprise risk management program. Our board has delegated primary responsibility of overseeing cybersecurity risks to the Audit Committee. The Audit Committee’s responsibilities include reviewing cybersecurity strategies with management, assessing processes and controls pertaining to the management of our information technology operations and their effectiveness and seeking to confirm that management’s response to potential cybersecurity incidents is timely and effective. At least annually, the Audit Committee reviews with the management team our cybersecurity risk exposures and the steps that management has taken to monitor and control such exposures. This review may cover a variety of relevant topics, potentially including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations related to our operators, managers and third parties. The scope and focus of each review are determined based on current priorities and emerging issues in cybersecurity.

Management and Cybersecurity Working Group

Reporting to the Chief Operating Officer, our Vice President of Information Technology, with extensive cybersecurity knowledge and skills from over 15 years of relevant work experience at our company and elsewhere, leads the team responsible for developing and implementing our information security program across our business. This team comprises individuals with relevant educational and technical experience, including a dedicated IT Systems & Security Administrator, with responsibility for various aspects of cybersecurity within our organizations. This team works closely with the Legal department to oversee compliance and regulatory and contractual security requirements. Our Chief Operating Officer also leads our Cybersecurity Incident Management Team, which is comprised of a cross-functional team including Internal Audit, Legal, Information Technology, Risk Management and Accounting leaders. These individuals meet regularly and are informed about and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents. Our Chief Operating Officer is responsible for reporting on cybersecurity and information technology to the Audit Committee.

Information Security Program

Our Vice President of Information Technology and his information security team provide regular reports to the Chief Operating Officer and other relevant teams on various cybersecurity threats, assessments and findings. In addition to our internal cybersecurity capabilities, we also periodically engage assessors, consultants, auditors or other third parties to provide consultation and advice to assist with assessing, identifying and managing cybersecurity risks. Our management team identifies and assesses information security risks using industry practices, including those informed by the National Institute of Standards and Technology. To ensure that cybersecurity is an organization-wide effort, we provide mandatory cybersecurity training at least annually for all employees with network access, including training designed to simulate and help prevent phishing and other social engineering attacks. We also employ systems and processes designed to oversee, identify and reduce the potential impact of a security incident at a third-party vendor, service provider or otherwise implicating the third-party technology and systems we use. Additionally, we maintain cybersecurity insurance providing coverage for certain costs related to cybersecurity-related incidents that impact our cybersecurity and information technology infrastructure.

Incident Response

The Cybersecurity Incident Management Team maintains and oversees an incident response plan that applies in the event of a cybersecurity threat or incident to provide a standardized framework for responding to cybersecurity incidents. The incident response plan sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. The objectives of the incident response plan are to reduce the number of systems and users affected by security incidents, reduce the time a threat actor spends within our network, reduce the damage caused by the breach and reduce the time required to restore normal operations. The incident response plan also specifies the use of third-party experts for legal advice, consulting and cyber incident response.

Material Cybersecurity Risks, Threats and Incidents

While we employ several measures to prevent, detect and mitigate cybersecurity threats, there is no guarantee such efforts will be successful. We also rely on information technology and other third-party vendors to support our business, including securely processing personal, confidential, financial, sensitive or proprietary and other types of information. Despite our efforts to improve our ability, and the ability of relevant third parties’, to protect against cyber threats, we may not be able to protect all information, systems, products and services. While we are not aware of any cybersecurity incidents that have materially affected us to date, there can be no guarantee that we will not be the subject of future attacks, threats or incidents that may have a material impact on our business strategy, results of operations or financial condition. Additional information on cybersecurity risks we face can be found in Part I, Item 1A “Risk Factors” of this Annual Report on Form 10-K under the heading “A breach of information technology systems on which we rely could materially and adversely impact us,” which should be read in conjunction with the foregoing information.

Company Information

Name: American Healthcare REIT, Inc.
SIC Description: Real Estate Investment Trusts
Category: Non-accelerated filer
Fiscal Year End: December 30