CENTENE CORP 10-K Cybersecurity GRC - 2024-02-20

Page last updated on April 11, 2024

CENTENE CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-20 16:34:20 EST.

Filings

10-K filed on 2024-02-20

CENTENE CORP filed an 10-K at 2024-02-20 16:34:20 EST
Accession Number: 0001071739-24-000037

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy Our cybersecurity risk management and privacy programs play a central role in the protection of the confidential information of our members, team members, and business partners, and, as such, are critical to the successful operation of our business. Our cybersecurity risk management program is part of our enterprise-wide risk management practices. Based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the program utilizes policies, processes, and technologies to assess, identify, and manage the cybersecurity threats that we face. Specifically, we use these policies, processes and technologies to identify internal and external threats, establish access control, data privacy and security measures, detect unauthorized activity, and respond to and recover from, incidents. For example, we leverage external experts and our internal threat and risk teams to assess potential threats, retain external consultants to conduct penetration tests and health checks on our information systems, conduct cyber security and awareness training to help team members identify and manage common categories of cybersecurity threats, utilize multiple protective and detective tools to identify active threats and have a 24/7 Security Operations Center to manage incident response. Our cybersecurity risk management program also includes processes and controls to assess the cybersecurity risk associated with third-party vendors and partners. Following an initial assessment of the level of enterprise risk potentially posed by use of the third-party, the vendor is then subject to further risk-based assessments, the level of which depends upon the assigned risk value of the service being provided, which may include the completion of security questionnaires and the provision of independent security certifications. On a bi-annual schedule, we use an external firm to assess our cybersecurity risk management program using the Capability Maturity Model Integration (CMMI) process and behavioral model. In addition, elements of the program are subject to Service Organization Control Type 2 (SOC 2) and ISO 27001 audits by a third party. While we have not identified any cybersecurity threats that have materially affected or that we believe are reasonably likely to materially affect our business strategy, results of operations, or financial condition, our cybersecurity risk management program cannot eliminate all risks from cybersecurity threats or provide assurances that we have not experienced an undetected material cybersecurity incident or will not experience a material cybersecurity incident in the future. For more information about these risks, please see “Risk Factors - A failure in or breach of our operational or security systems, networks or infrastructure, or those of third parties with which we do business, including as a result of cyber-attacks and other data security incidents, could have a material adverse effect on our business. " Cybersecurity Risk Governance Role of our Board of Directors Our Board of Directors has primary responsibility for the oversight of our enterprise-wide risk management and exercises its oversight function in respect of cybersecurity risk through two of its committees. Specifically, our Board Audit and Compliance Committee has oversight responsibility for the Company’s enterprise risk management process, including the Company’s programs to identify, manage, respond to and mitigate the Company’s IT risks, including risks related to cybersecurity, artificial intelligence, privacy, critical infrastructure assets and disaster recovery, as well as identifying the potential likelihood, frequency and severity of cyberattacks and breaches. Our Board Quality Committee has oversight responsibility for overall data and technology strategy. Each committee reports to the full Board on a regular basis. 36 T able of Contents The oversight responsibility of our Board of Directors and its committees is facilitated through quarterly management-reporting processes designed to provide visibility to the Board and its committees on the processes for the identification, assessment, prioritization and management of critical risks and management’s risk mitigation strategies. Such reporting includes providing regular updates to the Board Audit and Compliance Committee regarding the evolving cybersecurity threat environment, updates to our cybersecurity risk management program to address and mitigate such threats and providing quarterly reports to the Quality Committee on the Company’s execution of its data and technology strategy. Management also escalates significant cybersecurity events to the Audit and Compliance Committee and the Board on a real time basis, as appropriate. Further, our Board also receives enterprise-wide risk management reports, which include significant cybersecurity risks, from our risk department multiple times per year. In addition, our Board and management have conducted tabletop cybersecurity crisis simulation exercises. Role of Management While our Board of Directors has overall responsibility for the oversight of our enterprise-wide risk management, of which cybersecurity risk management is one component, our management team is responsible for day-to-day risk management, including the implementation of our cybersecurity risk management program. Our enterprise risk management committee, which operates within our risk department and comprises certain of our senior leaders including operations, finance, information technology, government relations, legal, marketing, health plan leadership, health operations, and communications meets at least four times per year to discuss significant risks to the Company identified by our enterprise-wide risk management process, including cybersecurity risks identified by our cybersecurity risk management program. The enterprise risk management committee also discusses the steps management has taken to identify, monitor, assess, and control or avoid such exposures and reviews performance measures against the Company’s risk appetite and tolerance and provides recommendations of corrective action where appropriate. At an operational level, our Chief Security and Privacy Officer (CSPO) and our Chief Information Security Officer (CISO) lead the management of our cybersecurity risk management program. Our CSPO is responsible for overseeing the day-to-day operation of our cybersecurity risk management program, including reporting systemic cybersecurity risk matters to our senior management and, as appropriate, to the Board of Directors. Our CISO oversees our cybersecurity operations, including all identity and access management functions, cybersecurity incident response operations and the effective operation of the suite of security tools we employ. The CISO and CSPO track key cybersecurity metrics across the enterprise, including metrics related to threat and vulnerability management, cybersecurity incidents and asset management and protection. Our CISO reports the status and efficacy of our cybersecurity operations to our senior management and, as appropriate, to the Board of Directors. Using our cybersecurity incident response plan, each incident receives a severity rating using a scale approved by Management. Based on that rating, we employ an escalation matrix that provides appropriate notifications to Management, as well as to our Board of Directors. The cybersecurity incident response plan is integrated into our overall crisis management plan and process, for which our CSPO has ultimate day-to-day responsibility. Our CSPO and CISO share joint responsibility for providing regular cybersecurity updates to our Audit and Compliance Committee, including updates on our key technology initiatives, including those involving cybersecurity, and their status. Our CSPO, CISO and other dedicated cybersecurity risk management personnel are certified and experienced information systems security professionals and information security managers. Our CSPO has over 30 years of experience in information security having 15 years of experience leading information security programs and obtained the Certified Information Systems Security Professional certification ISC2. Our CISO, who has over 33 years of experience in cyber operations, communications, crisis management and command and control, holds multiple graduate degrees, obtained the Certified Information Systems Security Professional certification from ISC2 and holds the Qualified Technical Expert certification from the Digital Director’s Network. 37 T able of Contents

Company Information