CROSS COUNTRY HEALTHCARE INC 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

CROSS COUNTRY HEALTHCARE INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 18:05:52 EST.

Filings

10-K filed on 2024-02-22

CROSS COUNTRY HEALTHCARE INC filed an 10-K at 2024-02-22 18:05:52 EST
Accession Number: 0001628280-24-006454

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We acknowledge the evolving nature of cyber threats to our business and industry. The Board oversees management s processes for identifying and mitigating cybersecurity risks to help align our risk exposure with our strategic objectives. To that end, cybersecurity risk management is integrated into the Company’s overall enterprise risk management function. The Company utilizes a combination of processes and systems designed to assess, monitor, and respond to organizational cybersecurity risks in an effective manner across our operations. The cybersecurity risk management program includes regular assessments, providing a holistic view of our risk posture; this contributes to the ongoing improvement of our process, cybersecurity program, and security position. A. Governance Understanding the importance of cybersecurity, the Board maintains oversight of the cybersecurity risks and threats within the organization. Specifically, Board has delegated authority to the Audit Committee to oversee risk management relating to cybersecurity. The Audit Committee is composed of members with various expertise including risk management, technology, and finance. The Company s information security program is managed by a dedicated Vice President (VP) of Security Compliance and Risk Management (VP of Security), whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes, and who reports directly to the Chief Information Officer (CIO). The Company s Security and Privacy Steering Committee, which meets on a regular basis, also provides oversight of our security and privacy programs inclusive of defining the security strategy, reviewing risks and risk management strategies, and program performance. The committee (chaired by the VP of Security) comprises a broad selection of Senior Management 21 leaders within the organization. This facilitates enterprise-wide collaboration in aligning cybersecurity objectives with organizational goals. The VP of Security reports regularly to the CIO and the Security and Privacy Steering Committee. Further, the CIO provides regular reports to the Audit Committee and to the full Board. Reports include updates on our cyber risks and threats, projects to strengthen our information security systems, assessments of the information security program, and the emerging threat landscape. B. Key Program Components Standards Based Program We use our best efforts to align our cybersecurity risk management with industry best practices, including processes to prevent, identify, assess, treat, monitor, and report on organizational risks. We design and assess our program utilizing tools such as the National Institute of Standards and Technology Cybersecurity Framework. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use these tools as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. This covers Company owned and managed systems and technologies, along with those supplied to the organization by third parties. Evolving Threats The program utilizes various resources, inclusive of third-party partners, to support an awareness and understanding of evolving cybersecurity threats, allowing the organization to be actively engaged in understanding and staying abreast of risks, and thereby supporting informed decision-making. Incident Response Our strategy includes a formal Incident Response Plan, designed to help the organization prepare for, respond to, and recover from confirmed or suspected cybersecurity or privacy incidents. Further, it evaluates and validates the effectiveness of our incident response capabilities, and allows for improvements as needed. Data Privacy During the course of normal business operations, the Company collects, stores, and processes personal data. Being cognizant of the importance of protecting personal data and respecting the rights of individuals to have control over their personal information, the organization implements a data privacy program designed to comply with U.S. data privacy regulations and incorporates data privacy into its risk management program. Training and Education Our enterprise-wide awareness and training program is utilized to mitigate risks by educating users on their role in combating security breaches, following good security practices, and maintaining awareness of security risks associated with their actions. This program includes mandatory and optional activities inclusive of online training, presentations, newsletters, blog posts, and simulation exercises. Use of Third Parties Being cognizant of the complexity and dynamic nature of cybersecurity threats, the Company engages the services of various third-party experts, inclusive of Managed Security Service Providers, application and infrastructure cybersecurity assessors, consultants, and advisors. These engagements allow for the supplementing of our internal capabilities with specialized knowledge and expertise in the execution of cybersecurity strategic functions. Third-Party Risks Given that risks associated with third parties can adversely impact an organization s overall security and risk posture, the Company implements a third-party risk management program to assess the security posture of third-party service providers. This includes security assessments prior to service engagement and ongoing monitoring. Benchmarking The Company understand that the effective management of cybersecurity risks requires continuous assessment and improvement. Security benchmarking is a critical component to assess how well our security investments and processes compare with internal and external standards and objectives. C. Management s Role and Expertise Primary responsibility for assessing, monitoring, and managing the Company s cybersecurity risks rests with the VP of Security, Compliance, and Risk Management, who has over 15 years of dedicated experience in the field of cybersecurity across multiple industries. Their background includes extensive experience in cybersecurity program development, leadership, and risk management, which is instrumental in the execution of our cybersecurity strategies. Some specific responsibilities include overseeing our governance and compliance, risk management (identification, assessments, and treatment), and security and privacy awareness programs. 22 The Company’s Chief Information Officer (CIO) possesses a wealth of information technology expertise and has served in various technology leadership roles across multiple industries. They are responsible for all technology systems, services, and solutions. The cybersecurity function reports directly into the office of the CIO. Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. Risk Factors for a discussion of cybersecurity risks. 23

Company Information