Definitive Healthcare Corp. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on July 16, 2024

Definitive Healthcare Corp. reported its cybersecurity risk management and governance process in an annual 10-K filed on 2024-02-28 16:24:41 EST.


10-K filed on 2024-02-28

Accession Number: 0000950170-24-022134


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and data of our customers and employees (“Information Systems and Data”). Our Information Security function is overseen by our Chief Technology Officer (“CTO”), our information security team, security management, engineering operations, legal, risk management, and various third-party service providers, including our virtual Chief Information Security Officer (“vCISO”). In doing so, they identify, assess and manage the Company’s cybersecurity threats and risks, using various methods including, for example, manual and automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and actors, conducting scans of the threat environment, evaluating our and our industry’s risk profile, evaluating threats reported to us, coordinating with law enforcement concerning threats, conducting internal and/or external audits and threat assessments for internal and external threats, utilizing third-party threat assessments, conducting threat and vulnerability assessments, using external intelligence feeds, and using third parties to conduct tabletop incident response exercises and other tests.
Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: an incident response plan and incident response policy, incident detection and response capabilities, a vulnerability management policy, disaster recovery/business continuity plans, risk assessments, implementation of security standards and certifications for certain platforms, encryption of certain data, network security controls and data segregation for certain environments, access controls for certain systems, physical security, asset management, tracking and disposal, systems monitoring, incident response table-top exercises, vendor risk management program, employee training, penetration testing, cybersecurity insurance, and dedicated cybersecurity staff. Our assessment and management of material risks from cybersecurity threats are integrated into the Company’s overall risk management processes. Cyber risk is addressed as a critical component of the company’s enterprise risk management program and is based upon entity-level controls found in our SOC2 compliance program, addressing all five trust service criteria: security, availability, confidentiality, privacy, and processing integrity. The Company recently received an unqualified opinion from an industry-recognized audit firm attesting to our SOC2 Type II compliance as of the date of such report. 
We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including, for example, professional services firms (such as outside legal counsel), penetration testing firms, threat intelligence service providers, dark web monitoring services, forensic investigators, cybersecurity software providers, managed cybersecurity service providers, and cybersecurity consultants. We use third-party service providers to perform a variety of functions throughout our business, such as application providers, hosting companies, and supply chain resources. We have a vendor management program to manage cybersecurity risks associated with our use of these providers. The program includes security questionnaires, risk assessments for each vendor, reviewing certain vendors’ security assessments and written information security programs, the imposition of information contractual obligations, and, in certain instances, security assessment calls with select vendors’ security personnel. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider, including providing third-party attestations of compliance with certain cybersecurity frameworks, such as SOC2 or ISO 27001. For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our “Risks Related to Data Privacy and Cybersecurity” under Part 1. Item 1A. Risk Factors in this Annual Report.

Governance

Our audit committee of the board of directors addresses the Company’s cybersecurity risk management as part of its general oversight function.
The audit committee is responsible for overseeing the Company’s cybersecurity risk management processes, including oversight of risks from cybersecurity threats. Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our Senior Principal Security and Infrastructure Architect with over 20 years managing large scale enterprise security systems and programs. The CTO is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. The CTO is also responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. Our cybersecurity incident response and vulnerability management policies are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including the Chief Financial Officer, Chief Legal Officer and Chief Executive Officer in their role as executive leadership for the Incident Response Team. The executive leadership team will work with the Company’s incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company’s incident response and vulnerability management policies include reporting to the audit committee for certain cybersecurity incidents. The audit committee receives quarterly reports from the CTO concerning the Company’s significant cybersecurity threats and risks and the processes the Company has implemented to address them. The audit committee also receives various reports, summaries or presentations related to cybersecurity threats, risk and mitigation.

Company Information

Name: Definitive Healthcare Corp.
SIC Description: Services-Prepackaged Software
Ticker: DH - Nasdaq
Category: Accelerated filer
Fiscal Year End: December 30