HEALTHCARE SERVICES GROUP INC 10-K Cybersecurity GRC - 2024-02-16

Page last updated on April 11, 2024

HEALTHCARE SERVICES GROUP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-16 16:27:27 EST.

Filings

10-K filed on 2024-02-16

HEALTHCARE SERVICES GROUP INC filed a 10-K at 2024-02-16 16:27:27 EST
Accession Number: 0000731012-24-000025


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

The Company adopted an Information Security Policy which governs the Company’s management of information technology (“IT”) systems, network, information, data and assets. HCSG’s Information Security Policy is periodically reviewed based on the NIST Cybersecurity Framework. HCSG regularly monitors and measures the performance of its IT System and Assets and its Information Security Policy. HCSG has procedures to ensure that any of its vendors and suppliers that create, utilize, or process HCSG’s data take a similar, risk-based approach to information security.

Management maintains the cybersecurity risk prevention program which includes ongoing employee education and procedures for cybersecurity incident prevention, detection and response. The Company retains third parties, including IT professionals and legal counsel, specializing in cybersecurity risk management to assist in implementing cybersecurity controls. The Company oversees and identifies material risks from cybersecurity threats associated with its use of third-party service providers by reviewing SOC 1 or SOC 2 reports (whichever is more applicable) for key outsourced systems, including all systems which house protected health information or personally identifiable information.

The cybersecurity risk prevention program is part of the Company’s overall risk management program. Please refer to the risk factor titled “Cyber-attacks and breaches could cause operational disruptions, fraud or theft of sensitive information” in “Risk Factors” in Part I, Item 1A of this Form 10-K for more information on risks posed by cybersecurity threats to the Company.

Management’s Role in Assessing and Managing Material Risks from Cybersecurity Threats

The Company’s day-to-day risk management is under the direction of Jason J. Bundick, the Company’s Executive Vice President, Chief Compliance Officer, General Counsel and Secretary. Jason Osbeck, the Company’s Senior Vice President of Information and Technology, is responsible for day-to-day cybersecurity risk management under the direction of Mr. Bundick. Mr. Osbeck has served in this role at the Company since 2012.

The Company has a Cyber Incident Response Plan (“IRP”) which details the Company’s policies and procedures in the event of a cyber incident. The Company’s IT department, led by Mr. Osbeck, logs all potential cybersecurity incidents reported which are then reviewed by an Incident Response Team (“IRT”), a cross-functional internal team including IT, risk management, legal and other departmental representation as necessary to identify the potential impact of the cybersecurity incident. As needed, the IRT will consult with third party legal counsel and IT advisory firms to appropriately respond to existing cyber threats. In the event a material incident is identified, the Company will report such incidents in compliance with applicable law.

Material cyber events, if any, are reported to the Board of Directors as they occur. Additionally, the Chief Compliance Officer provides quarterly updates to the Audit Committee on all cybersecurity matters during the quarter.

Board of Directors’ Oversight of Cybersecurity Risks

Our Board is responsible for overseeing the Company’s risk management process. The Board focuses on the Company’s general risk management strategy, including the most significant risks facing the Company, and ensures that appropriate risk mitigation strategies are implemented by management. The Audit Committee oversees the Company’s cybersecurity risk mitigation efforts. The Audit Committee reports to the full Board as appropriate, including when a matter rises to the level of a material risk.


Company Information

Name: HEALTHCARE SERVICES GROUP INC
CIK: 0000731012
SIC Description: Services-Nursing & Personal Care Facilities
Ticker: HCSG - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30