Acadia Healthcare Company, Inc. 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

Acadia Healthcare Company, Inc. reported its cybersecurity risk management and governance process in an annual 10-K filed on 2026-02-27 19:52:13 EST.

Filings

10-K filed on 2026-02-27

Acadia Healthcare Company, Inc. filed a 10-K at 2026-02-27 19:52:13 EST
Accession Number: 0001193125-26-078266


Item 1C. Cybersecurity.

Cybersecurity risk is addressed as part of our Enterprise Risk Management ("ERM") program. Through this process, we identify key enterprise risks, including cybersecurity, and assign responsibility for managing those risks to appropriate levels of management. Cybersecurity is integrated into our overall risk assessment, governance, and oversight structure.

Management has implemented a comprehensive cybersecurity risk management program designed to identify, assess, manage, and mitigate cybersecurity risks to our information systems, data, and operations. This program is informed by recognized industry standards and regulatory requirements and includes, among other things:

- conducting independent cybersecurity maturity and risk assessments to evaluate the effectiveness of our cybersecurity program and to inform a multi-year roadmap for continuous improvement;
- performing regular cybersecurity risk assessments to identify potential threats and vulnerabilities and to evaluate their potential impact and likelihood;
- implementing layered technical and administrative security controls, including email and web security, audit logging and monitoring, malware protection, encryption, network segmentation, controlled use of administrative privileges, and multi-factor authentication; and
- maintaining an enterprise-wide cybersecurity awareness and training program, including simulated phishing exercises, designed to reduce the risk of human error and improve the timely recognition and reporting of potential security incidents.

We continuously monitor our information systems and networks and leverage internal and external threat intelligence sources to identify and evaluate evolving cybersecurity threats. We also conduct periodic testing and simulation activities, including vulnerability assessments and penetration testing performed by third-party service providers, to identify and remediate weaknesses in our security controls. Our cybersecurity risk assessments and testing activities are informed by the National Institute of Standards and Technology ("NIST") cybersecurity framework.

Cybersecurity risks associated with third-party relationships are evaluated as part of our risk management processes, particularly for vendors deemed critical to our operations or those with access to sensitive or confidential information, including PHI. These assessments also consider risks associated with cloud-based services and emerging technologies, including generative artificial intelligence and other machine learning technologies.

The Audit and Risk Committee of our Board of Directors provides oversight of our ERM program, including cybersecurity risk. Our Chief Information Security Officer ("CISO"), in coordination with the Chief Information Officer ("CIO") and other members of management, is responsible for the day-to-day management of our cybersecurity program and for assessing and managing material cybersecurity risks. The CISO has significant experience leading enterprise cybersecurity programs within regulated environments. We have established a cross-functional cybersecurity governance structure, including regular management-level forums, to support coordination across information technology, legal, compliance, risk management, and business operations.

As part of our overall risk management approach, we maintain an incident response program designed to detect, respond to, and recover from cybersecurity incidents. This program includes defined roles and responsibilities, escalation and communication protocols, and procedures to mitigate the potential impact of a cybersecurity incident. We also maintain cybersecurity insurance coverage, including access to incident response services, and review the scope and adequacy of this coverage on an annual basis.

While we have experienced cybersecurity incidents and other adverse information technology events in the past, none have had a material impact on our business, financial condition, or results of operations. We continue to evolve our cybersecurity program to address emerging threats and risks, recognizing that cybersecurity risks cannot be entirely eliminated. Material cybersecurity risks and significant developments are reported by management to the Audit and Risk Committee as part of our ongoing risk oversight processes.


Company Information

Name: Acadia Healthcare Company, Inc.
CIK: 0001520697
SIC Description: Services-Specialty Outpatient Facilities, NEC
Ticker: ACHC - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 31