VIEMED HEALTHCARE, INC. 10-K Cybersecurity GRC - 2024-03-06

Page last updated on April 11, 2024

VIEMED HEALTHCARE, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-06 17:09:29 EST.

Filings

10-K filed on 2024-03-06

VIEMED HEALTHCARE, INC. filed a 10-K at 2024-03-06 17:09:29 EST
Accession Number: 0001729149-24-000077


Item 1C. Cybersecurity.

Risk Management and Strategy

We have implemented robust processes and policies dedicated to assessing, identifying, and effectively managing material risks associated with cybersecurity threats. Our cybersecurity program is designed and evaluated based on recognized frameworks such as the National Institute of Standards and Technology and the Center for Internet Security. These frameworks guide our focus on: (i) cultivating organizational understanding to manage cybersecurity risks, (ii) implementing safeguards to fortify our systems, (iii) promptly detecting cybersecurity incidents, (iv) responding effectively to incidents, and (v) ensuring a swift recovery from any cybersecurity event. Where appropriate, these processes and policies are seamlessly integrated into our overarching risk management systems.

We strive to continually improve our information technology systems, and we prioritize enhancing our defenses through employee awareness training, specifically targeting areas such as phishing, malware, and other cyber risks. To reinforce our cybersecurity posture, we enlist independent consultants and third-party experts to assist in the establishment and enhancement of our cybersecurity program. Regular tabletop exercises, conducted at least annually, test the effectiveness of our processes, with senior management actively participating. Valuable insights gained from these exercises are incorporated to refine and bolster our cybersecurity measures.

Identification of critical third-party relationships vulnerable to cybersecurity threats is an integral part of our risk management program. Upon identification, we conduct thorough due diligence to fortify these relationships. Our comprehensive insurance portfolio includes cybersecurity insurance to provide an additional layer of protection.

For further insights into the cybersecurity risks we confront, please refer to Item 1A. Risk Factors “We rely significantly on information technology and any failure, inadequacy, interruption or security lapse of that technology, including any cybersecurity incidents, could harm our ability to operate our business effectively”.

Governance

The Board oversees our risk management process, including cybersecurity risks, directly and through its committees. The Corporate Governance and Nominating Committee of the Board is responsible for the oversight of cybersecurity-related risks and regularly receives quarterly reports from management on our cybersecurity threat risk management and strategy processes. The Corporate Governance and Nominating Committee reviews issues concerning our data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, incident response plans, and cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to these risks.

Our information systems management team, comprising the Chief Information Officer (CIO), Chief Technology Officer (CTO), and Director of Information Security, collectively possesses over 50 years of extensive experience in Information Technology and cybersecurity. Prior to their current roles with the Company, our CIO, CTO, and Director of Information Security held various information technology and cybersecurity positions with other healthcare services and healthcare technology companies. They have collectively obtained various industry-recognized certifications, including the Certified Security Compliance Specialist, Certified Cyber Security Architect, and Certified HIPAA Professional designations. The Director of Information Security holds the position of the Information Security Officer and directs cybersecurity operations.

To enhance governance and oversight, we have established a Security Oversight Committee, chaired by the Information Security Officer and joined by key stakeholders such as our Chief Information Officer and General Counsel. This committee convenes regularly, typically on a weekly basis, to foster alignment and cooperation on security-related issues.

We have adopted a comprehensive Cybersecurity Incident Response Plan to direct our responses to cybersecurity events in a prompt, effective, and well-coordinated manner. The plan designates a primary manager for each incident and outlines the communication processes, containment strategies, eradication measures, and recovery protocols. Depending on the severity of a cybersecurity incident, senior management and the Board are promptly notified and kept informed of mitigation and remediation efforts.

We have not identified any risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our operations, business strategy, regulatory compliance, results of operations, or financial condition.


Company Information

Name: VIEMED HEALTHCARE, INC.
CIK: 0001729149
SIC Description: Services-Misc Health & Allied Services, NEC
Ticker: VMD - Nasdaq
Website
Category
Emerging growth company
Fiscal Year End: December 30