NorthStar Healthcare Income, Inc. 10-K Cybersecurity GRC - 2024-03-22

Page last updated on April 11, 2024

NorthStar Healthcare Income, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-22 15:53:29 EDT.

Filings

10-K filed on 2024-03-22

NorthStar Healthcare Income, Inc. filed an 10-K at 2024-03-22 15:53:29 EDT
Accession Number: 0001503707-24-000005

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We have developed and implemented a cybersecurity framework intended to assess, identify and manage risks from threats to the security of our information, systems, products and network using a risk-based approach. The framework is informed in part by the National Institute of Standards and Technology, or NIST, Cybersecurity Framework, NIST 800-53 and International Organization for Standardization 27001, or ISO 27001, Framework, although we do not comply with all technical standards, specifications or requirements under NIST or ISO 27001. Our key cybersecurity processes include the following: Risk-based controls for information systems and information on our networks. We seek to maintain an information technology infrastructure that implements physical, administrative and technical controls that are calibrated based on risk and designed to protect the confidentiality, integrity and availability of our information systems and information stored on our networks, including personal information, intellectual property and proprietary information. Cybersecurity incident responses plan and testing. We have a cybersecurity incident response plan and dedicated team to respond to cybersecurity incidents. When a cybersecurity incident occurs or we identify a vulnerability, we have a Managed Security Service Provider, or MSSP, that is responsible for leading the initial assessment of priority and severity. Our cybersecurity team assists in responding to incidents depending on severity levels and seeks to improve our cybersecurity incident management plan through periodic tabletops or simulations at the enterprise level. Trainin g. We provide security awareness training to help our employees understand their information protection and cybersecurity responsibilities. We also provide additional role-based training to some employees based on customer requirements, regulatory obligations and industry risks. Supplier risk assessments. We have implemented a third-party risk management process that includes expectations regarding information and cybersecurity. That process, among other things, provides for us to perform cybersecurity assessments on certain suppliers based on an assessment of their risk profile and a related rating process. We also seek contractual commitments from key suppliers to appropriately secure and maintain their information technology systems and protect our information that is processed on their systems. Our third-party assessments. We have third-party cybersecurity companies engaged to periodically assess our cybersecurity posture and to assist in identifying and remediating risks from cybersecurity threats. We also consider cybersecurity, along with other top risks, within our enterprise risk management framework. The enterprise risk management framework includes internal reporting at the enterprise level, with consideration of key risk indicators, trends and countermeasures for cybersecurity and other types of significant risks. In the last fiscal year, we have not identified risks from known cybersecurity threats, including any prior cybersecurity incidents, which have materially affected us, including our operations, business strategy, results of operations, cash flow or financial condition. We have not identified cybersecurity threats 30 Table of Contents or incidents that have materially affected or are reasonably likely to materially affect us, including with respect to our business strategy, results of operations or financial position. Governance The audit committee of the board of directors is responsible for board-level oversight of cybersecurity risk, and the audit committee reports back to the board of directors about this and other areas within its responsibility. As part of its oversight role, the audit committee receives reporting about our practices, programs, notable threats or incidents and other developments related to cybersecurity throughout the year, including through periodic updates from our CFO and through our MSSP.

Company Information