OMEGA HEALTHCARE INVESTORS INC 10-K Cybersecurity GRC - 2026-02-09

Page last updated on February 9, 2026

OMEGA HEALTHCARE INVESTORS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-09 10:58:21 EST.

Filings

10-K filed on 2026-02-09

OMEGA HEALTHCARE INVESTORS INC filed a 10-K at 2026-02-09 10:58:21 EST
Accession Number: 0000888491-26-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C - Cybersecurity Our Board and management exercise oversight over the Company's cybersecurity program, which represents an important component of the Company's overall approach to enterprise risk management. Governance Omega's Vice President of Information Technology (" VP of IT ") manages a team responsible for leading enterprise-wide strategy, policy, standards, architecture, processes and risk assessment related to information security and data protection, including data privacy and network security (our "Cybersecurity Program") and chairs a management-level AI Committee, responsible for AI governance, including technology, legal and financial risks associated with AI initiatives, within the Company. The VP of IT has served in various roles in information technology and information security for over 30 years and, along with other members of our IT department, holds relevant and applicable certifications. The VP of IT reports directly to the Company's Chief Financial Officer and provides periodic reporting on our Cybersecurity Program to our senior management team, our Board and the Audit Committee of our Board. Our Board, in coordination with our Audit Committee, oversees our management of cybersecurity risk, with the Audit Committee reviewing and discussing with management matters related to our Cybersecurity Program as related to financial reporting on at least a quarterly basis. The Board and Audit Committee receive periodic reports about the prevention, detection, mitigation and remediation of cybersecurity incidents, including material security risks and information security vulnerabilities. Additionally, risks associated with the Cybersecurity Program and AI initiatives are integrated into the Company's enterprise risk management assessment and reported to our Board at least twice per year. We also share the key results of third-party assessments with our Board and Audit Committee. Risk Management and Strategy Technical Safeguards As part of our Cybersecurity Program, the Company deploys technical safeguards that are designed to protect our information systems from cybersecurity threats, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. Risk Assessment Our Cybersecurity Program also includes a regular risk assessment which is generally based on frameworks established by the National Institute of Standards and Technology ("NIST"), the results of which are reported to our Audit Committee. Third-Party Risk Management We also maintain policies and procedures designed to identify and mitigate cybersecurity risks related to our use of material third-party vendors. This includes reviewing the internal controls of certain third-party service providers to assess their procedures to mitigate material security risks. Incident Response and Recovery Planning We maintain an Information Security Incident Response Plan (the "Response Plan") governing detection, mitigation and remediation of cybersecurity incidents and threats. The Response Plan includes controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management in a timely manner, with appropriate involvement by our Board. We regularly test the effectiveness of the Response Plan. External Assessments We obtain periodic assessments by third party experts to assess our vulnerability management and security controls and to assist us in identifying and mitigating security risks. These assessments include annual penetration testing and comprehensive independent cybersecurity assessments conducted every other year, which are generally based on the NIST cybersecurity frameworks and may also incorporate other established cybersecurity best practices and standards. Education and Awareness We provide cybersecurity training for all directors, officers and employees and periodic additional training for senior management through our cyber insurance carrier. As of the date of this report, we are not aware of any risks from cybersecurity threats that have materially affected the Company, including our business strategy, results of operations or financial condition. For information regarding cybersecurity risks that may materially affect our Company, see the risk factor titled " We rely on information technology in our operations, and any material failure, inadequacy, interruption or security failure of that technology, including related to artificial intelligence, could harm our business. Privacy and security laws and regulations may also increase costs for our business. " under "Risk Factors" in Part I, Item 1A to this Annual Report on Form 10-K.

Company Information