GoHealth, Inc. 10-K Cybersecurity GRC - 2024-03-14

Page last updated on April 11, 2024

GoHealth, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-14 16:52:22 EDT.

Filings

10-K filed on 2024-03-14

GoHealth, Inc. filed a 10-K at 2024-03-14 16:52:22 EDT
Accession Number: 0001808220-24-000017


Item 1C. Cybersecurity.

GoHealth's services involve the collection, processing, use, storage and transmission of confidential and personal information of consumers and employees. Maintaining the integrity, confidentiality and availability of this information, as well as the information technology systems in which the information resides, is critical to the Company's operations and business strategy. The Company takes a comprehensive, cross-functional approach to developing strategies for identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents. The Company maintains a business continuity and disaster recovery plan as well as a cybersecurity insurance policy.

Risk Management and Strategy

Cybersecurity risk management is integrated into the Company's broader enterprise risk management ("ERM") program. The ERM program, led by the Company's Internal Audit and Legal teams, consolidates the collective input of executive management to prioritize enterprise-level risks, develop risk mitigation initiatives and establish monitoring functions. The Internal Audit and Legal teams perform an enterprise risk assessment annually and present the results to the Audit Committee of the Board of Directors. Further, our Chief Technology Officer ("CTO") and Chief Information Security Officer ("CISO") actively participate in the ERM program, including through diligence conducted as part of the broader ERM program. Our CISO, who reports to our CTO, leads the cybersecurity program, strategy, policy, standards and processes. Our CISO has over a decade of experience working in information technology and security and earned a Certified Information Security Manager (CISM) certification. Our CTO has over twenty-five years of experience working in engineering and technology. The CISO is supported by a cybersecurity team comprised of experienced information security professionals.

The CISO provides the CTO with bi-weekly updates on security and compliance risks and initiatives. Each quarter, the CTO presents a cyber risk and incident review to GoHealth's internal Compliance Committee, comprised of cross-functional senior leadership members including C-suite level executives and personnel from the Legal, Compliance and Internal Audit teams. The Company's cybersecurity risk management program is based on industry standards and best practices and aligns with the Center for Internet Security and National Institute of Standards and Technology ("NIST") cybersecurity frameworks. On an annual basis, GoHealth engages a third-party vendor to assess the maturity of its cybersecurity processes, which assigns the Company a NIST Cybersecurity Framework implementation tier score upon completion of the assessment. A third-party vendor is also currently conducting a qualitative assessment of GoHealth's cybersecurity controls, policies and programs, the output of which will be a comprehensive report issued to the Company. GoHealth engages with a range of additional third-party cybersecurity service providers, assessors and auditors to evaluate and enhance the effectiveness of its cybersecurity program. Services provided by these third parties include endpoint and network monitoring, vulnerability scanning, penetration testing, and security and compliance posture assessments. To mitigate risks associated with third-party sources, the Company requires third parties with access to personal, confidential or proprietary information to implement and maintain cybersecurity practices consistent with applicable legal standards and industry best practices and to enter into business associate agreements containing contractual provisions with respect to the handling of such information. GoHealth also conducts information security assessments of these third parties prior to engaging with them.

The Company has established cybersecurity and information security awareness training programs. Formal training on topics relating to the Company's cybersecurity, data privacy and information security policies and procedures is mandatory at least annually for all employees and contractors with access to the Company's network. In addition to the annual security training requirement, employees participate in monthly phishing tests and, where appropriate, additional security awareness follow-up training in response to such tests. Training is supplemented through periodic Company communications encouraging all employees and contractors to promptly report security events, incidents and abnormal system behavior.

As of the date of this 2023 Annual Report on Form 10-K, the Company is not aware of any material risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected the Company, its business strategy, results of operations or financial condition; however, we cannot provide assurance that these threats will not result in such an impact in the future, as discussed in the risk factors entitled "Risks Related to Our Business" and "Risks Related to Our Intellectual Property and Technology" in Part I, Item 1A. of this 2023 Annual Report on Form 10-K.

Governance

The Board of Directors recognizes the importance of cybersecurity in safeguarding the Company's sensitive data. The Board of Directors is responsible for overseeing overall risk management for the Company, including review and approval of the ERM approach and processes implemented by management to identify, assess, manage and mitigate risk. The Audit Committee is central to the Board of Directors' oversight of cybersecurity risks and bears the primary responsibility for assessing and managing the Company's material risks from cybersecurity threats. Cybersecurity risk oversight is also a key area of focus for management.

As discussed above, the CISO is the primary management team member responsible for the cybersecurity program, strategy, policy, standards and processes. On a quarterly basis, or more frequently if a need arises, the CTO and CISO present a briefing to the Audit Committee regarding the Company's cybersecurity program. The presented topics include, but are not limited to, the status of ongoing cybersecurity initiatives, incident reports and compliance with industry standards. Potentially material cybersecurity matters are escalated to the Audit Committee and/or the full Board of Directors, as appropriate, for risk oversight.


Company Information

Name: GoHealth, Inc.
CIK: 0001808220
SIC Description: Insurance Agents, Brokers & Service
Ticker: GOCO - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30