XML 19 R9.htm IDEA: XBRL DOCUMENT v3.25.1
Cybersecurity Risk Management, Strategy, and Governance
 12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

ITEM 1C. CYBERSECURITY

We take a comprehensive approach to cybersecurity and prioritize the security and integrity of our data, including those of our residents and other stakeholders, as a top priority. Our board of directors and our management are actively involved in the oversight of our risk management program, of which cybersecurity represents an important component. As described in more detail below, we have established policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats. We have devoted significant resources to implement and maintain security measures to meet regulatory requirements and stakeholder expectations, and we intend to continue to make appropriate investments to maintain the security and integrity of our data. There can be no guarantee that our established policies, standards, processes and practices will be properly followed in every instance or that they will be effective at mitigating all cybersecurity threats. Although our risk factors include further detail about the material cybersecurity risks we face, we believe that risks from cybersecurity threats, have not materially affected our business to date. We can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business, results of operations, or financial condition.

Risk Management and Strategy

Our policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall risk management process and are based on frameworks established by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization and other applicable industry standards and best practices. Our cybersecurity program in particular focuses on the following key areas:

Collaboration

Our cybersecurity risks are identified and addressed through a comprehensive, cross-functional approach. Key security, risk, and compliance stakeholders meet regularly to develop strategies for preserving the confidentiality, integrity and availability of Company and resident information, identifying, preventing and mitigating cybersecurity threats. We maintain controls and procedures that are designed to ensure prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and our board of directors in a timely manner.

Risk Assessment

At least annually, we conduct a cybersecurity risk assessment that takes into account information from internal stakeholders, known security vulnerabilities, and other external sources (e.g., reported security incidents that have impacted other companies, industry trends, and evaluations by third parties and consultants). The results of the assessment are used to drive alignment on, and prioritization of, initiatives to enhance our security controls, make recommendations to improve processes, and updates are presented to our board of directors and members of management, as appropriate.

Technical Safeguards

We regularly assess and deploy technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence and other developing cybersecurity practices.

Incident Response and Recovery Planning

We have established comprehensive incident response and recovery plans and continue to evaluate the effectiveness of those plans. Our incident response and recovery plans address—and guide our response to—a cybersecurity incident.

Third-Party Risk Management

We have implemented processes designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal, and upon detection of an increase in risk profile. We use a variety of inputs in our risk assessments, including information supplied by providers and third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party providers, as appropriate.

Education and Awareness

We regularly remind employees of the importance of handling and protecting resident and employee data, including through annual certifications of our policies as well as periodic security training to enhance employee awareness of how to detect and respond to cybersecurity threats.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Our policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall risk management process and are based on frameworks established by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization and other applicable industry standards and best practices.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] Our board of directors and our management are actively involved in the oversight of our risk management program, of which cybersecurity represents an important component. As described in more detail below, we have established policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats. We have devoted significant resources to implement and maintain security measures to meet regulatory requirements and stakeholder expectations, and we intend to continue to make appropriate investments to maintain the security and integrity of our data. There can be no guarantee that our established policies, standards, processes and practices will be properly followed in every instance or that they will be effective at mitigating all cybersecurity threats.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Our board of directors and our management are actively involved in the oversight of our risk management program, of which cybersecurity represents an important component. As described in more detail below, we have established policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] We have devoted significant resources to implement and maintain security measures to meet regulatory requirements and stakeholder expectations, and we intend to continue to make appropriate investments to maintain the security and integrity of our data. There can be no guarantee that our established policies, standards, processes and practices will be properly followed in every instance or that they will be effective at mitigating all cybersecurity threats.
Cybersecurity Risk Role of Management [Text Block]

Risk Management and Strategy

Our policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall risk management process and are based on frameworks established by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization and other applicable industry standards and best practices. Our cybersecurity program in particular focuses on the following key areas:

Collaboration

Our cybersecurity risks are identified and addressed through a comprehensive, cross-functional approach. Key security, risk, and compliance stakeholders meet regularly to develop strategies for preserving the confidentiality, integrity and availability of Company and resident information, identifying, preventing and mitigating cybersecurity threats. We maintain controls and procedures that are designed to ensure prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and our board of directors in a timely manner.

Risk Assessment

At least annually, we conduct a cybersecurity risk assessment that takes into account information from internal stakeholders, known security vulnerabilities, and other external sources (e.g., reported security incidents that have impacted other companies, industry trends, and evaluations by third parties and consultants). The results of the assessment are used to drive alignment on, and prioritization of, initiatives to enhance our security controls, make recommendations to improve processes, and updates are presented to our board of directors and members of management, as appropriate.

Technical Safeguards

We regularly assess and deploy technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence and other developing cybersecurity practices.

Incident Response and Recovery Planning

We have established comprehensive incident response and recovery plans and continue to evaluate the effectiveness of those plans. Our incident response and recovery plans address—and guide our response to—a cybersecurity incident.

Third-Party Risk Management

We have implemented processes designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal, and upon detection of an increase in risk profile. We use a variety of inputs in our risk assessments, including information supplied by providers and third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party providers, as appropriate.

Education and Awareness

We regularly remind employees of the importance of handling and protecting resident and employee data, including through annual certifications of our policies as well as periodic security training to enhance employee awareness of how to detect and respond to cybersecurity threats.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] we conduct a cybersecurity risk assessment that takes into account information from internal stakeholders, known security vulnerabilities, and other external sources (e.g., reported security incidents that have impacted other companies, industry trends, and evaluations by third parties and consultants). The results of the assessment are used to drive alignment on, and prioritization of, initiatives to enhance our security controls, make recommendations to improve processes, and updates are presented to our board of directors and members of management, as appropriate.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] We regularly assess and deploy technical safeguards designed to protect our information systems from cybersecurity threats.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Our cybersecurity risks are identified and addressed through a comprehensive, cross-functional approach. Key security, risk, and compliance stakeholders meet regularly to develop strategies for preserving the confidentiality, integrity and availability of Company and resident information, identifying, preventing and mitigating cybersecurity threats.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true