CareCloud, Inc. 10-K Cybersecurity GRC - 2024-03-21

Page last updated on April 11, 2024

CareCloud, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-21 16:55:39 EDT.

Filings

10-K filed on 2024-03-21

CareCloud, Inc. filed an 10-K at 2024-03-21 16:55:39 EDT
Accession Number: 0001493152-24-010800

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include internal and external threats, data loss, phishing attacks, distributed denial of service attacks, third party risks, unpatched systems, weak authentications and zero-day vulnerabilities. 34 Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, technical operations, privacy and compliance issues are identified and addressed through a multi-faceted approach including third party assessments, internal IT Audit, IT security, governance, risk and compliance reviews. To defend, detect and respond to cybersecurity incidents, the Company conducts proactive cybersecurity reviews of systems and applications, audits applicable data policies, performs penetration testing using external third-party tools and techniques to test security controls, conducts employee training, monitors emerging laws and regulations related to data protection and information security and implements appropriate changes. We have implemented incident response and breach management processes which have four overarching and interconnected stages: 1) preparation for a cybersecurity incident, 2) detection and analysis of a security incident, 3) containment, eradication and recovery, and 4) post-incident analysis. Such incident responses are overseen by leaders from our Information Security, Compliance and Legal teams regarding matters of cybersecurity. Security events and data incidents are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact, and reviewed for privacy impact. As of the date of this Form 10-K, we have not experienced a cybersecurity threat or incident that resulted in a material adverse impact to our business or operations. We also conduct exercises to simulate responses to cybersecurity incidents. Our team of cybersecurity professionals then collaborate with technical and business stakeholders across our business units to further analyze the risk to the Company, and form detection, mitigation and remediation strategies. As part of the above processes, we regularly engage consultants to assess our internal cybersecurity programs and compliance with applicable practices and standards. For 2023, our Information Security Management System is compliant with ISO 27001. We also had a SOC 2, Type 2 review performed for the year 2023. Our risk management program also assesses third party risks, and we perform third-party risk management to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners associated with our use of third-party service providers. We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading Disruptions in internet or telecommunication service or damage to our data centers could adversely affect our business by reducing our customers confidence in the reliability of our services and products included as part of our risk factor disclosures in Item 1A of this Annual Report on Form 10-K. Our Vice President of IT Infrastructure is responsible for overseeing the Company s cybersecurity. He has a Bachelor s degree in computer science and has 16 years of extensive experience spanning diverse IT domains, with a specialized emphasis on Information Security across endpoints, servers, data centers, cloud infrastructure, and enterprise applications. He has been actively overseeing the strategic implementation of cybersecurity in accordance with information security management standards, HIPAA, and SOC 2 policies and procedures throughout the entire organization. This multifaceted responsibility involves managing and ensuring compliance with internationally recognized standards such as the ISO 27001 framework, healthcare regulatory guidelines under HIPAA and other recognized standards. Cybersecurity Governance Cybersecurity is an important part of our risk management processes and an area of focus for our Board of Directors and management. Our Cybersecurity subcommittee of the Board of Directors is responsible for the oversight of risks from cybersecurity threats. Members of the Cybersecurity subcommittee receive updates on a quarterly basis from senior management, including leaders from our Information Security, Finance, Internal Audit, Compliance and Legal teams regarding matters of cybersecurity. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents, (if any), and status on key information security initiatives. Our cybersecurity risk management and strategy processes are overseen by leaders from our Information Technology department. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to the Cybersecurity subcommittee on any appropriate items. 35

Company Information