Hims & Hers Health, Inc. 10-K Cybersecurity GRC - 2024-02-26

Page last updated on April 11, 2024

Hims & Hers Health, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-26 16:39:55 EST.

Filings

10-K filed on 2024-02-26

Hims & Hers Health, Inc. filed a 10-K at 2024-02-26 16:39:55 EST
Accession Number: 0001773751-24-000025


Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy

Customers, Providers, and vendors trust Hims & Hers to maintain a secure environment in which they can transact healthcare-related activities. This is addressed through a comprehensive set of policies, processes and controls focused on maintaining the confidentiality, integrity, and availability of our sensitive data and intellectual property. We have aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework as our adopted security framework and utilize vendor-specific guidance and industry insights to supplement our approach. Cybersecurity risk management is a critical component of our overall enterprise risk management (ERM) program. We have implemented a comprehensive set of processes for assessing, identifying, and managing material risks from cybersecurity threats. We conduct continuous vulnerability scanning and periodic penetration tests and evaluate key infrastructure and applications for general IT controls through SOX testing and other required regulatory practices. Any observations are ranked by severity and prioritized for response and remediation. Our cybersecurity risk management extends to risks associated with our use of third-party service providers. We evaluate vendor security through an integrated process with our legal team to assess security and privacy risks to the business. This integrated process helps ensure appropriate contract provisions and complementary controls are in place to protect our and our customers' data. We execute this review process as we onboard a new vendor or renew a contract with an existing vendor, or when there are significant changes in the scope of services provided by the vendor. Key vendors are reassessed on a periodic basis to confirm their control environment remains secure and meets our expectations. Furthermore, starting in 2024, we have enhanced this process to perform annual reviews of key vendors with elevated risks.

Our platform is continuously probed and attacked by malicious actors, and accordingly, the controls and practices utilized by our cybersecurity and technology teams have continued to evolve. We utilize a Security Information and Event Management (SIEM) tool and Security Operations Center (SOC) provider to actively support our ability to monitor, alert, and remediate issues on a continuous basis and to protect the Company from material security breaches or unauthorized access to our environment. Additionally, we employ a dedicated cybersecurity team to closely work with the SOC, key vendors, and internal stakeholders to maintain familiarity with our operations and configure systems to alert on risks to the organization using industry and business insights. We closely monitor vendor and industry alerts to identify potential vulnerabilities and risks. These various threat and vulnerability alerts allow our cybersecurity team and trusted partners, such as hosting vendors and other critical service providers, to quickly respond to identified risks. Additionally, a periodic NIST-based risk assessment is performed by an independent third party to assist our cybersecurity team in confirming our cybersecurity control environment is in compliance with recognized cybersecurity industry frameworks and standards, as well as identifying any opportunities for enhancement. We also regularly train our employees on cybersecurity awareness, confidential information protection, and phishing attacks. While we have not experienced any material cybersecurity threats or incidents in recent years, there can be no guarantee that we will not be the subject of future threats or incidents.

For a discussion of whether and how any risk from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, see Part I, Item 1A: Risk Factors, which should be read in conjunction with Part I, Item 1C.

Governance

Our Board of Directors maintains overall oversight of our risk management. The Audit Committee is specifically tasked with reviewing cybersecurity and other information technology risks, controls, and procedures, including our plans to mitigate cybersecurity risks and to respond to data breaches. The Audit Committee also reviews with management any specific cybersecurity issues that could affect the adequacy of our internal controls. Our Head of Information Security reports to the Audit Committee on a quarterly basis on any relevant cybersecurity issues or risks, related controls, procedures and programming, material cybersecurity and data privacy incidents (if any), any material updates to our cybersecurity risk management and strategy, broader cybersecurity trends, and relevant educational information. We employ a cybersecurity team of seasoned professionals with direct experience in securing both large and small enterprises. The team is led by our Head of Information Security, who reports to the Chief Operating Officer (COO). The Head of Information Security has 18 years of experience in various technology leadership roles. Of these, the last 10 years have specifically focused on building, managing, and supporting robust security programs across highly regulated industries. The Head of Information Security holds relevant credentials through leading organizations including CISSP (ISC2), CCSP (ISC2), CRISC (ISACA), CCISO (EC-Council), and QTE (DDN).

Other members of the cybersecurity leadership team have several years of direct experience in the security industry and hold relevant credentials from ISC2, ISACA, EC-Council, and CompTIA. Moreover, cybersecurity team members keep themselves current through continuing professional education. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, which include escalation to the CCO and the Audit Committee, as appropriate.


Company Information

Name: Hims & Hers Health, Inc.
CIK: 0001773751
SIC Description: Services-Offices & Clinics of Doctors of Medicine
Ticker: HIMS - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30