Ventas, Inc. 10-K Cybersecurity GRC - 2026-02-06

Page last updated on February 6, 2026

Ventas, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-06 16:04:59 EST.

Filings

10-K filed on 2026-02-06

Ventas, Inc. filed a 10-K at 2026-02-06 16:04:59 EST
Accession Number: 0000740260-26-000006

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity Our business is subject to risk from cybersecurity threats and incidents. Cybersecurity threats and incidents include attempts to gain unauthorized access to our systems and networks to disrupt operations, corrupt data, steal confidential or personal information or take other malicious actions. Additionally, cybersecurity threats and incidents against our managers, tenants, borrowers, investments in unconsolidated entities, vendors, suppliers, service providers or other third parties with whom we do business could impact their operations and have consequences for us. Ventas considers cybersecurity risk a serious threat and has put processes in place designed to mitigate the risk and impact of any such cybersecurity threat or incident. Risk Management and Strategy As part of our cybersecurity risk management process, we: - Periodically review and implement procedures that endeavor to follow the cybersecurity standards set forth by the National Institute of Standards and Technology, including procedures with respect to evaluation and monitoring of cybersecurity threats and incidents; - Implement, maintain and regularly review incident response plans to manage cybersecurity threats and incidents on us or users of our information systems. Such plans are informed by our testing and monitoring activities and set forth actions to be taken in responding to and recovering from cybersecurity incidents which include procedures for assessing the severity of such threats and incidents, escalating and disseminating information and containing, investigating and remediating threats and incidents; - Engage third-party security firms to monitor and respond to cybersecurity threats and incidents, including risks associated with our use of third-party vendors and service providers, and conduct periodic penetration tests with the aim of identifying and remediating vulnerabilities; - Periodically evaluate and assess cybersecurity risks associated with our use of key third-party managers, business partners, vendors and service providers, including their access, if any, to our information systems. However, we do not control the cybersecurity plans and systems put in place by such third parties and we may have limited contractual protections with such third parties, such as indemnification obligations to us, which could cause us to be negatively impacted as a result; - Provide employees with the training, tools and resources designed to protect the Company from cybersecurity threats and incidents and to identify and report such threats and incidents. Our employees receive training and testing on cybersecurity protocols throughout the year, including regular anti-phishing campaigns, periodic live training programs and mandatory annual training and assessments with passing requirements. Each employee periodically acknowledges that they have read, understood and will abide by the Company's cybersecurity policies; and - Seek to minimize the amount of personal information collected to support business needs and use storage and transfer protocols leveraging encryption of critical information, including confidential or personal information. We also seek to restrict information system access to appropriate levels while allowing users to fulfill their business responsibilities. Our processes for assessing, identifying, and managing material risks from cybersecurity threats and incidents are integrated into our multi-disciplinary enterprise risk management ("ERM") process. Our ERM process is managed through our ERM Committee, which we have established to assess, identify and manage enterprise-wide risks to the Company, and is comprised of personnel from our senior leadership team. The ERM Committee is convened at least quarterly to review and update our top risks, including cybersecurity risks. Existing risks are evaluated for changes, and mitigation strategies are discussed as needed. New risks are discussed and evaluated for consideration as a top risk. Results are discussed with our Board of Directors at quarterly Board meetings as needed. As of December 31, 2025, the Company was not aware of any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect the Company, including with respect to our business strategy, results of operations or financial condition. While we have implemented measures designed to help mitigate the risk from cybersecurity threats and incidents, we cannot guarantee that we or our managers, tenants, borrowers, investments in unconsolidated entities, vendors, suppliers, service providers or other third parties with whom we do business will be successful in preventing a cybersecurity incident, or mitigating or remediating a cybersecurity threat, which could result in a data center outage, disrupt our systems and operations or the systems and operations of our managers, tenants, borrowers, investments in unconsolidated entities, vendors, suppliers, service providers or other third parties with whom we do business, compromise the confidential or personal information of our employees, partners or the residents in our senior housing communities and damage our business relationships and reputation. Although we have implemented various measures designed to manage risks relating to these types of events, these measures and the systems supporting them could prove to be inadequate and, if compromised, could become inoperable for extended periods of time, cease to function properly or fail to adequately secure confidential or personal information. See "Risk Factors-Risks Relating to Legal, Compliance and Regulatory-Cybersecurity threats and incidents could disrupt our operations or the operations of the third parties with whom we do business, invest in or lend to, result in the loss of or unauthorized access to confidential or personal information or damage our or their business relationships and reputation" included in Part I, Item 1A of this Annual Report. Governance Role of our Board of Directors and the Audit and Compliance Committee As part of our Board of Directors' role in overseeing the Company's ERM program, which includes our cybersecurity risk management, our Board is responsible for overseeing management's identification, assessment and management of material cybersecurity risks which may reasonably be expected to impact the Company. While our Board has overall responsibility for enterprise risk oversight, our Board has delegated to the Audit and Compliance Committee responsibility for overseeing risks from cybersecurity threats and incidents. The Audit and Compliance Committee is responsible for overseeing the effectiveness of the Company's cybersecurity risk management initiatives, taking into account the Company's risk exposures. Management briefs the Audit and Compliance Committee at least once a year and our Board as appropriate on cybersecurity controls, protocols, risk assessments and mitigation measures. Role of our Management Our management has primary responsibility for identifying, assessing and managing our exposure to cybersecurity threats and incidents, subject to oversight by our Board of Directors of the processes we establish to assess, monitor and mitigate that exposure. Our Chief Information Officer oversees our Information Technology Team and is responsible for the development and implementation of strategy for our information systems, networks, infrastructure, cybersecurity and data analytics. She has more than 25 years of experience in the field of information technology and is a member of our senior leadership team. Prior to joining Ventas, she spent approximately 12 years at a multinational hospitality public company where, in her most recent role, she was responsible for application management and support of enterprise-wide systems. This role also had responsibility for global service desk support for more than 100,000 employees. Upon the detection of a potentially material cybersecurity threat or incident, the Company's Information Technology Team notifies our Chief Executive Officer, Chief Financial Officer, General Counsel and other relevant business executives. Our Chief Information Officer then works with the appropriate leaders and employees in any impacted business groups, as well as appropriate personnel in our finance, legal and other departments, to assess the risks to the Company and potential impact while determining appropriate remediation steps. Upon management's determination that a cybersecurity threat or incident could be material to the Company, our management notifies the Audit and Compliance Committee, who may then escalate the risk to our full Board of Directors depending on management's assessment of the risk. As discussed above, management also provides regular reports to the Audit and Compliance Committee and to our Board as appropriate.

Company Information