CareMax, Inc. 10-K Cybersecurity GRC - 2024-03-18

Page last updated on April 11, 2024

CareMax, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-18 06:51:14 EDT.

Filings

10-K filed on 2024-03-18

CareMax, Inc. filed an 10-K at 2024-03-18 06:51:14 EDT
Accession Number: 0000950170-24-032506

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cyber Risk Management and Strategy We have a process in place for assessing, identifying, and managing material risks from cybersecurity threats. This process is integrated into the Company s overall risk management framework, as overseen by the Company s Board of Directors. We design and assess our program based on various cybersecurity frameworks, such as the National Institute of Standards & Technology. Our process includes overseeing and identifying risks from cybersecurity threats associated with the use of third-party service providers. The Company conducts security assessments of third-party providers before engagement and has established monitoring procedures in its effort to mitigate risks related to data breaches or other security incidents originating from third parties. The Company from time to time engages third-party consultants and legal advisors in evaluating and testing the Company s risk management framework and assessing and remediating certain potential cybersecurity incidents as appropriate. 63 For information regarding cybersecurity risks that may materially affect our Company, see Risk Factors Risks Related to Our Business and Industry We are dependent on information technology and our systems and infrastructure face certain risks, including from cybersecurity breaches and data leakage and Security breaches, loss of data and other disruptions could compromise sensitive information related to our business or our patients or prevent us from accessing critical information and expose us to liability, which could adversely affect our business and our reputation. To date we have not identified any breaches from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. Given the increasing cybersecurity threats in the healthcare industry, there can be no assurance we will not experience business interruptions data loss, ransom, misappropriation or corruption, theft, or misuse of proprietary data, patient or other personally identifiable information or litigation, investigation, or regulatory action related to any of those, any of which could have a material adverse effect on our patient care, ability to admit patients and to bill and collect for services provided on a timely basis, financial position, and results of operations and could harm our business reputation. Accordingly, no matter how well our program is designed or implemented, we will not be able to anticipate all security breaches, and we may not be able to implement effective preventive measures against such security breaches in a timely manner. Governance Related to Cybersecurity Risks Management is responsible for the day-to-day management of cybersecurity risks we face, while our Board of Directors has responsibility for the oversight of risk management. The Audit Committee of our Board of Directors oversees the management of our risks from cybersecurity threats. In addition, the Board of Directors discusses with management our major risk exposures, their potential impact on us, and the steps we take to manage them. Our Vice President of Information Technology is responsible for developing, implementing, and maintaining our cybersecurity risk management policies and procedures. The Vice President of Information Technology has over twenty years of information technology management experience. The Vice President of Information Technology and his team hold regular meetings focused on prevention and detection of cybersecurity threats, business continuity and identity protection. The Vice President of Information Technology reports to our Chief Digital Officer and provides semi-annual cybersecurity updates to the Audit Committee of our Board of Directors. In the event of the detection of an actual or suspected cybersecurity incident, a designated management committee is engaged to investigate the incident, manage response, and report the incident to securities counsel to assist with assessment of materiality. A member of the executive team would inform our Board of Directors as warranted.

Company Information