PACS Group, Inc. 10-K Cybersecurity GRC - 2025-11-19

Page last updated on November 19, 2025

PACS Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-11-19 16:02:20 EST.

Filings

10-K filed on 2025-11-19

PACS Group, Inc. filed a 10-K at 2025-11-19 16:02:20 EST
Accession Number: 0002001184-25-000068

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. We design and assess our program based on the National Institute of Standards and Technology Cybersecurity Framework, or NIST CSF. This means that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. It does not, however, mean that we meet any technical standards, specifications, or requirements. Our cybersecurity risk management program is part of our overall risk management program and shares similar governance processes and reporting channels that apply across the risk management program to financial, legal, compliance, and other operational risk areas. Key elements of our cybersecurity risk management program and strategy include but are not limited to the following: - Adhering to principles of Security by Design and Security by Default - Conducting third-party vulnerability scans, and penetration testing - Access controls enforcing principles of Least Privilege, Zero Trust, and Role-Based Access Controls with MFA requirements for critical systems and accounts - Cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents - A third-party risk management evaluation process for key service providers based on our assessment of their criticality to our operations and respective risk profile, suppliers, and vendors with access to our information systems or data - An employee cybersecurity awareness training program including awareness training and simulated attacks - A dedicated team responsible for incident identification, management, and remediation - Implementation of cybersecurity controls with ongoing monitoring and improvement internally, with assistance from external auditors - Third-party security vendors and auditors, where appropriate, to assess, test otherwise assist with aspects of our security processes. We have not identified cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats that, if realized are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See "Risk Factors - Security breaches, cybersecurity incidents, or our inability to effectively integrate, manage and keep our information systems secure and operatio nal could violate security laws, disrupt our operations, and subject us to significant liability ." Cybersecurity Governance Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee (the Committee) oversight of cybersecurity risks, including oversight of management's implementation of our cybersecurity risk management program. The Committee receives quarterly reports from management on our cybersecurity risks. In addition, management updates the Committee, where it deems appropriate, regarding cybersecurity incidents it considers to be significant or potentially significant. The Committee reports to the full Board regarding its activities, including those related to cybersecurity. The full Board also regularly receives briefings from management on our cyber risk management program, as well as presentations on cybersecurity topics from our Vice President of Technology Support, internal security staff, or external experts as part of the Board's continuing education on topics that impact public companies. Our management team , including the Vice President of Technology Support and Director of IT Service Management, is primarily responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our internal information technology management team has over 15 years of tenure with the Company and over 45 years of experience in the information technology space. We also leverage a third party cybersecurity team from FIT Solutions to assist with cybersecurity governance and operations. Our third party team has over 65 years of experience across cybersecurity leadership, information technology engineering, and operations. Further, both our internal and retained consultants have obtained industry certifications, including Certified Information Systems Security Professional (CISSP), Rapid7 Certified Security Analyst, GIAC Security Operation Center Analyst (GSOC), GIAC Certified Incident Handler (GCIH), GIAC Penetration Tester (GPEN), Microsoft Security Certifications, and AWS Practitioner, among others. Our management team takes steps to stay informed about and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include: briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in our IT environment.

Company Information