Phreesia, Inc. 10-K Cybersecurity GRC - 2024-03-15

Page last updated on April 11, 2024

Phreesia, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-15 16:04:08 EDT.

Filings

10-K filed on 2024-03-15

Phreesia, Inc. filed an 10-K at 2024-03-15 16:04:08 EDT
Accession Number: 0001412408-24-000043

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity 50 As a healthcare-focused company, we understand the importance of managing cybersecurity risks that we face and have established a cybersecurity risk management program as part of our enterprise risk management program. Cyber Risk Management and Strategy Our cybersecurity risk management program is informed by recognized industry standards and frameworks and incorporates elements of the same, including elements of the National Institute of Standards and Technology Cybersecurity Framework and The Health Information Trust Alliance (HITRUST) Common Security Framework. Additionally, we are certified as a PCI-DSS Level 1 Service Provider. The Company s cybersecurity program utilizes a cross functional, multilayered approach designed to: (i) identify, prevent and mitigate cybersecurity threats to the Company (ii) preserve the confidentiality, security and availability of the information that we collect and store (iii) protect the Company s intellectual property (iv) maintain the confidence of our customers, clients and business partners and (v) provide appropriate public disclosure and required notices of cybersecurity risks and incidents when required. Our cybersecurity program includes safeguards that are designed to protect the Company s information systems from cybersecurity threats. Such safeguards include firewalls, automated intrusion detection systems, anti-malware functionality and access controls, which are evaluated and improved through periodic vulnerability assessments and ongoing cybersecurity threat intelligence. We have established and maintain an incident response plan that addresses the Company s response to and recovery from a cybersecurity incident. The incident response plan is tested and evaluated on an annual basis. The Company s cybersecurity program is supported by engagement of third-party service providers who help identify, assess and respond to cybersecurity risks. For example, the Company regularly engages third parties to perform and facilitate assessments on our cybersecurity measures, including information security maturity assessments, audits, tabletop exercises, threat modeling and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to leadership, the Audit Committee, and/or the Board, as appropriate, and the Company adjusts its cybersecurity policies, standards, processes and practices as appropriate based on the information provided by the assessments, audits and reviews. As part of our cybersecurity risk management program, we maintain a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company s systems, as well as the systems of third parties that could adversely impact our business. Further, all personnel are required to undergo cybersecurity training during onboarding and, thereafter, on an annual basis to reinforce the Company s information security policies, standards and practices. We have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, like other companies in our industry, we and our third-party vendors may from time to time experience threats and security incidents that could affect our information or systems. See Item 1A Risk Factors in this Annual Report on Form 10-K for more information. Governance Phreesia takes a cross-functional approach to address the risks from cybersecurity threats. The Company s Board of Directors (the Board ) holds oversight responsibility over the Company s enterprise risk management ( ERM ) program, which incorporates the Company s cybersecurity risk management program. The Board s oversight of cybersecurity risk management is supported by the Audit Committee of the Board (the Audit Committee ), which regularly interacts with the Company s ERM function, the Company s Chief Technology Officer, who serves as the Company s Security Officer, along with other members of management including the Senior Director of Security Engineering, the Chief Privacy Officer, and the compliance, audit, and risk teams. The Company s Chief Technology Officer is principally responsible for day-to-day management of the Company s cybersecurity risk management program. The Chief Technology Officer reports directly to the Chief Executive Officer and works in coordination with the other members of the leadership team, which includes our General Counsel, Chief Operating Officer, and Chief Financial Officer. The Chief Technology Officer oversees a team of security professionals, which is led by the Senior Director of Security Engineering. The security team includes approximately 40 security professionals, 25 of whom are security engineers. Other members of the team oversee and manage identity, risk, compliance and audit functions. The Board and the Audit Committee each receive regular presentations and reports from the Company s Chief Technology Officer and/or General Counsel on cybersecurity risks, which address a wide range of topics including, among others, recent developments, evolving standards, vulnerability assessments, third-party and independent 51 reviews, the threat environment, technological trends and information security considerations arising with respect to the Company s peers and third party service providers. The Board and the Audit Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds under the Company s incident response plan.

Company Information