Privia Health Group, Inc. 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

Privia Health Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 16:16:36 EST.

Filings

10-K filed on 2024-02-27

Privia Health Group, Inc. filed an 10-K at 2024-02-27 16:16:36 EST
Accession Number: 0001759655-24-000022

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Item 106(b) Cybersecurity Risk Management and Strategy Information Security Risk Management and Strategy Our approach to risk management is designed to identify, assess, prioritize and manage major risk exposures that could affect our ability to execute our corporate strategy and fulfill our business objectives. As part of our comprehensive Enterprise Risk Management ( ERM ) program, we perform risk assessments in which we map and prioritize information security risks identified through the processes described below, including risks associated with our use of third-party vendors, Medical Groups, Privia Providers and Affiliated Practices, based on probability, immediacy and potential magnitude. These assessments inform our ERM strategies and oversight processes, and we view cybersecurity risks as one of the key risk categories we face. For example, our information technology and infrastructure may be vulnerable to cyberattacks (including ransomware attacks) or security incidents, and unauthorized third parties may be able to access our sensitive information, which includes protected health information, personal information, payment information, financial information and other data that is subject to laws and regulations, including without limitation the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA), the Payment Card Industry Data Security Standard and the Sarbanes-Oxley Act of 2002, as amended, and other types of personal information, relating to our employees, our Privia Providers patients and others. For more information regarding the information security-related risks we face, see the information in Item 1A - Risk Factors under the caption Security breaches, loss of data and other disruptions could compromise sensitive information related to our business or our patients, or prevent us from accessing critical information and expose us to liability, which could adversely affect our business, operations and our reputation. of this Annual Report on Form 10-K. Our processes for assessing, identifying and managing information security risks and vulnerabilities are embedded across our business as part of our ERM program. Among other things, we regularly engage with internal and external cybersecurity assessors, consultants and auditors to enhance our cybersecurity risk management strategies, review compliance with evolving standards and evaluate the effectiveness and maturity of our controls and perform regular internal and external risk assessments including those required by HIPAA; provide annual mandatory privacy and security training program for all employees; perform technical testing and penetration testing to validate the effectiveness of our cybersecurity program; perform simulated breach testing and tabletop exercises to simulate responses to information security incidents. We have established processes to oversee and manage risks associated with our third-party service providers, including regular security assessments and compliance reviews. We use the findings from these and other processes to improve our information security practices, procedures and technologies. Our Cybersecurity Incident Response Plan ( CSIRP ) includes processes to detect triage, assess severity for, escalate, contain, investigate and resolve information security incidents, as well as to comply with applicable legal obligations and mitigate brand and reputational damage. In addition, we maintain cyber liability insurance to protect against potential losses arising from an information security incident. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. Information Security Governance and Oversight Our Board of Directors ( Board ) is responsible for overseeing risk management at Privia and, as part of this responsibility, the Board, assisted by its committees, exercises oversight over our ERM program which is designed and implemented by management. As part of its broader risk oversight activities, the Board oversees risks from information security threats, both directly and through the Audit Committee of the Board (Audit Committee) and Compliance Committee of the Board (Compliance Committee). As reflected in its charter, the Compliance Committee is responsible for reviewing data security programs, including cybersecurity and procedures regarding disaster recovery and critical business continuity. The Compliance Committee is also responsible for reviewing Privia s programs and plans established by management to monitor compliance with data security compliance programs and test preparedness. The Audit Committee also assists our Board in fulfilling its oversight responsibilities with respect to risk management in the areas of internal control over financial reporting, disclosure controls and procedures, and legal and regulatory compliance, and discusses with management policies and practices with respect to risk assessment and risk management. As an element of its ERM oversight activities, the Compliance Committee regularly reviews the significant risk exposures or potential compliance violations and the steps that have been taken to monitor, correct and mitigate such potential violations or risks. The Compliance Committee reports to the Audit Committee at each regularly scheduled meeting of the Audit Committee on the substance of these reviews and discussions. The Audit Committee also reviews the Company s policies and practices with respect to risk assessment and risk management. Both committees report to the full Board at every regularly scheduled Board meeting. Our Board meets with our Chief Executive Officer and President and other members of the senior management team at quarterly meetings of our Board, where, among other topics, they discuss strategy and risks facing the Company, as well as at such other times as they deem appropriate. In addition, each year the Compliance Committee receives quarterly reports from the CISO and Privacy Officer on information security risks, including cybersecurity or privacy events, relevant information about the cybersecurity threat landscape, and updates on 63 Table of Contents our cybersecurity risk management strategy and any potential issues . In addition, the full Board receives briefings on information security risks at a minimum annually from the CISO . Our CISO, who leads our information security team, is responsible for day-to-day identification, assessment and management of the information security risks we face. The CISO provides monthly information security updates to a cross-functional team of executive leaders, who together prioritize risks and risk mitigation activities and develop a culture of risk-aware practices. The CISO has held executive technology leadership roles within health systems and physician groups for over 15 years, including Chief Technology Officer, Chief Information Officer, and Chief Information Security Officer. The information security team works in conjunction with our IT leadership team to align operations and technology developments with cybersecurity program objectives. We believe the IT leadership team is sufficiently experienced and qualified in its role of assessing and managing information security risks across the business. In addition, we have established a Cybersecurity Incident Response Team ( CSIRT ), which is responsible for responding to cybersecurity incidents and maintaining a CSIRP that is regularly updated in response to organizational changes, technical changes, changes to the threat landscape or in response to active or previous cybersecurity incidents. The CSIRT is responsible for responding to cybersecurity incidents and maintaining a CSIRP that is regularly updated in response to organizational changes, technical changes, changes to the threat landscape or in response to active or previous cybersecurity incidents, including monitoring the prevention, detection, mitigation, and remediation of cybersecurity incidents. The CSIRT is comprised of the CISO and other key members of management, including the Privacy Officer, Chief Technology Officer, Chief Audit and Compliance Officer, General Counsel and other members of management and our technical response teams as necessary to appropriately respond to an incident, including mitigation and remediation of an incident. We maintain processes for managing incident assessment and internal escalation. In addition to the ordinary-course Board and Compliance Committee reporting and oversight described above, we also maintain disclosure controls and procedures designed for prompt reporting to the Board and timely public disclosure, as appropriate, of material events covered by our risk management framework, including information security risks.

Company Information