NATIONAL HEALTH INVESTORS INC 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

NATIONAL HEALTH INVESTORS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 16:11:40 EST.

Filings

10-K filed on 2026-02-26

NATIONAL HEALTH INVESTORS INC filed a 10-K at 2026-02-26 16:11:40 EST
Accession Number: 0000877860-26-000053

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy The Board of Directors recognizes the importance of maintaining the trust and confidence of our tenants, managers, borrowers and employees to safeguard sensitive information and the integrity of our information systems. We have systems in place to assess, identify and manage cybersecurity incidents and we invest in technology and third-party support to identify, mitigate, and quickly respond to cybersecurity incidents. We have maintained a strong focus on consistently reviewing our cybersecurity practices. We also conduct periodic information security and awareness training to ensure that employees are aware of information security risks and to enable them to take steps to mitigate those risks. As part of this program, we also take steps designed to provide appropriate guidance regarding security to our executive management and employees, including any employee who may come into possession of confidential financial information. We have engaged the services of various third-party service providers to, among other things, review and evaluate our processes and procedures designed to control access to our information systems, perform penetration testing on our cybersecurity systems on a biannual basis, and perform regular information technology reviews based upon the National Institute of Standards and Technology ("NIST") Cybersecurity Framework. In addition, we contracted with a third-party managed detection and response security company ("MDR") to test for cyber vulnerabilities on a continual basis. In order to identify and mitigate cybersecurity threats related to our use of material third-party vendors, we conduct periodic reviews of internal controls of certain third-party service providers to assess their procedures to mitigate material security risks. Board of Directors and Management Responsibilities We formed an Information Technology Steering Committee which is comprised of employees across multiple departments in our business, including our Chief Executive Officer ("CEO"), Chief Financial Officer, Chief Accounting Officer, the Vice President and Controller, the Vice President of Finance and Investor Relations, the Vice President of Portfolio Management, and the Vice President of Human Resources, Benefits and Compliance and our Information Security Officer ("ISO") , to more effectively prevent, detect and respond to information security threats. The ISO has served in various roles in corporate compliance for over 20 years and reports directly to our CEO. To enhance our cybersecurity capabilities, we actively collaborate with third-party vendors. Notably, we engage a Managed Service Provider ("MSP") and an MDR provider who specializes in cybersecurity issues. Our MSP plays a critical role in supporting our IT infrastructure, offering expertise and resources that complement our in-house capabilities. The MDR provides advanced cybersecurity solutions, including continuous monitoring and threat detection services, which are integral to our cybersecurity program. The ISO is responsible for overseeing a company-wide information security strategy, including policy, standards, architecture, and processes, and managing many of the security services that run on personal computers and servers. The Audit Committee of our Board of Directors meets with the ISO at least annually to review and discuss our cyber risks and threats, incident responses, technology, the status of projects to strengthen our information security systems, assessments of our security program and the emerging threat landscape. In the event of an incident that jeopardizes the confidentiality, integrity, or availability of the information technology systems we use, we utilize a regularly updated information security incident response plan ("IRP"). The IRP is overseen by the Information Technology Steering Committee and sets forth the processes for containment, review, escalation, recovery from and remediation of any cybersecurity incidents identified by us. Pursuant to our IRP and its escalation protocols, designated personnel are responsible for assessing the severity of the incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing the reporting obligations associated with the incident, and performing post-incident analysis and program improvements. The IRP also specifies the approach to reporting findings and keeping senior management and other key stakeholders, including the Audit Committee and the Board of Directors for certain incidents, informed and involved as appropriate and specifies the use of third-party experts for legal advice, consulting and cyber incident response. We periodically conducts cybersecurity "tabletop" exercises administered by an independent third-party in which members of a cross-functional team and relevant third-party vendors engage in simulated cybersecurity incident scenarios. These exercises are intended to provide hands-on training for the participants and assist us in assessing our processes and capabilities in addressing cybersecurity threats. As of December 31, 2025, we have not had any known instances of material cybersecurity incidents, including third-party incidents, during any of the prior three fiscal years. We also maintain cyber liability insurance to help mitigate potential liabilities resulting from cyber issues. However, there can be no assurance that our cyber risk insurance coverage will be sufficient to cover incurred losses in the event of a cyber attack.

Company Information