Acadia Healthcare Company, Inc. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

Acadia Healthcare Company, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:05:50 EST.

Filings

10-K filed on 2024-02-28

Acadia Healthcare Company, Inc. filed a 10-K at 2024-02-28 16:05:50 EST
Accession Number: 0000950170-24-022057


Item 1C. Cybersecurity.

As part of our Enterprise Risk Management ("ERM") process, we identify risks and assign responsibility for managing each risk to the appropriate level of management. Cybersecurity is a risk identified in our ERM process. Management has implemented a comprehensive cybersecurity risk management strategy in line with industry standards and regulatory requirements. This strategy includes: conducting an independent cybersecurity maturity assessment to evaluate the health of our overall cyber programs and developing a solid roadmap to continuously improve our defensive posture; performing regular risk assessments, where we identify potential vulnerabilities and evaluate the likelihood of various cyber threats; implementing security controls including email and browser protection, audit log monitoring, malware defenses, controlled use of administrative privileges, encryption protocols, and multi-factor authentication; and implementing progressively challenging employee training and awareness programs, including simulated phishing campaigns, to reduce the risk of human error in the recognition and reporting of potential threats.

We continuously monitor our networks and systems and integrate threat intelligence feeds to evaluate evolving cyber threats. We conduct regular testing and simulation exercises, including engaging third-party service providers to perform penetration testing, to identify and address weaknesses in our defenses and engage third-party service providers to perform cybersecurity risk assessments, which are based on the National Institute of Standards and Technology framework.

Cyber risks are considered and addressed for those third-party relationships deemed critical to our operations, as well as those with access to or custody of confidential data or customer non-public information, including PHI, and those services or products accessed in a cloud environment or involving generative artificial intelligence or other machine learning technologies.

The Audit and Risk Committee of the board of directors has responsibility of oversight for the Company's enterprise risk assessment and risk management systems. Our Chief Information Officer ("CIO"), Senior Director of Information Security and other delegated positions are responsible for assessing and managing our material risks from cybersecurity risks. Our CIO has 15 years of experience in cybersecurity and a degree in management information systems. We also have a Cybersecurity Infrastructure Committee that meets monthly.

We have implemented an incident response strategy as an element of our overall risk management approach. Our incident response plan entails clearly-defined roles and responsibilities, established communication protocols and measures to mitigate the impact of any cybersecurity incidents. We have experienced adverse IT events in the past, but to date, we have seen no material impact on our business or operations from these attacks or events. We prioritize the detection, response, and recovery from potential breaches and carry cybersecurity insurance which includes cyber breach response services. The scope and coverage of our cybersecurity insurance is reviewed on an annual basis. Risks and potential threats are identified and measured through these monitoring, testing, and response processes and procedures, and significant risks and threats are reported by the CIO to the Audit and Risk Committee.


Company Information

Name: Acadia Healthcare Company, Inc.
CIK: 0001520697
SIC Description: Services-Specialty Outpatient Facilities, NEC
Ticker: ACHC - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30