SELECT MEDICAL HOLDINGS CORP 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

SELECT MEDICAL HOLDINGS CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 16:33:43 EST.

Filings

10-K filed on 2024-02-22

SELECT MEDICAL HOLDINGS CORP filed a 10-K at 2024-02-22 16:33:43 EST
Accession Number: 0001628280-24-006385


Item 1C. Cybersecurity.

The proper confidentiality, integrity, and availability of the Company's information systems are critical to the business. Securing the Company's business information, customer, patient and employee data, and technology systems is essential for the continuity of its businesses, meeting applicable regulatory requirements, and maintaining the trust of its stakeholders. As part of its enterprise risk management program, the Company has processes in place to assess, identify, and manage material business, operational and legal risks from cybersecurity threats. Such risks include business disruption, fraud, extortion, reputational harm, violations of laws and regulations, litigation, and harm to employees, patients, customers and business partners.

Cybersecurity Program Overview

The Company's cybersecurity program is structured around the cybersecurity framework ("Cybersecurity Framework") of the National Institute of Standards and Technology ("NIST"), an agency of the U.S. Department of Commerce. The Cybersecurity Framework provides best practices to prevent, detect, identify, respond to, and recover from cyber-attacks. The Company's cybersecurity program involves establishing information security policies, procedures and standards, investing in and implementing information protection processes, security measures and technologies, ongoing monitoring of systems and networks on which the Company relies, assessing cybersecurity risk profiles of key third-parties, implementing cybersecurity training and collaborating with public and private organizations on cyber threat information and best practices. The Company actively monitors the current threat landscape in an effort to identify material risks arising from new and evolving cybersecurity threats.

The Company engages an external third-party cybersecurity assessor to perform an annual assessment or validation of the cybersecurity program in accordance with the Cybersecurity Framework and the HIPAA Security Risk Assessment Tool of the U.S. Health and Human Services Office for Civil Rights.

Board Oversight of Cybersecurity Risks

The Board of Directors of the Company provides strategic oversight on cybersecurity matters, including risks associated with cybersecurity threats. The Company's Chief Information Officer ("CIO") and Chief Information Security Officer ("CISO") provide annual written reports and quarterly briefings on the Company's cybersecurity program to the Board of Directors. They also provide quarterly cybersecurity updates to the Audit and Compliance Committee. The reports to the Board of Directors include details and metrics on, among other things, the Company's quarterly Cybersecurity Framework assessment updates, internal and external threat intelligence, quarterly information security program progress, business associate risk assessments and ongoing monitoring, company-wide awareness training, device security compliance, routine resilience efforts including disaster recovery exercises, tabletop security incident response exercises, and cyber penetration tests.

Management's Role in Cybersecurity Risk Management

The Company's management, including the Company's CIO and CISO, is responsible for assessing and managing material risks from cybersecurity threats. The Company's CIO and CISO each have more than 20 years of experience in cybersecurity. The Company provides formalized cybersecurity training for newly-hired employees and annually for existing employees. In addition, the Company provides cybersecurity awareness training and education throughout the year.

The annual cybersecurity training curriculum includes modules on information security, the employee's role in protecting Company information, recognizing different cybersecurity incidents, identifying phishing emails, understanding the appropriate personnel to approach with information or questions, and acceptance of the Company's Information Security Policy. The Company's management is informed of cybersecurity incidents through ongoing monitoring and, in some cases, through receipt of notifications from third-party service providers. The CISO maintains and annually updates a Cybersecurity Incident Response Plan, which is a guide for the Company's cybersecurity team to respond effectively to cybersecurity incidents in a coordinated manner in the interest of minimizing the risk of harm. The team works with colleagues in various departments throughout the Company, including Information Technology, Legal, Risk Management and Compliance, to prevent, mitigate and remediate cybersecurity incidents impacting the Company.

Assessment of Cybersecurity Risk

Management continuously assesses the potential impact of risks from cybersecurity threats on the Company, and regularly evaluates how such risks could materially affect the Company's business strategy, operational results, and financial condition. As noted above, an assessment of the cybersecurity program leveraging the Cybersecurity Framework is completed annually by an independent and qualified external third-party cybersecurity assessor. Additionally, Concentra receives a certified System and Organization Controls 2, Type 1 assessment, a voluntary compliance standard for ensuring that the Company properly manages and protects the sensitive data in its care, conducted by an independent and qualified external third-party assessor. The Company has not experienced a cybersecurity breach or information security breach during the past three fiscal years.

The Company, from time to time, has been notified of third-party information cybersecurity breaches, but none of them has had a material impact on the Company's operations or financial results. The Company annually purchases a cybersecurity risk insurance policy to help defray the costs associated with any covered cybersecurity incident. Although the Company did not experience a material cybersecurity incident during the year ended December 31, 2023, the scope and impact of any future incident cannot be predicted.


Company Information

Name: SELECT MEDICAL HOLDINGS CORP
CIK: 0001320414
SIC Description: Services-Hospitals
Ticker: SEM - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30