HEALTHEQUITY, INC. 10-K Cybersecurity GRC - 2024-03-22

Page last updated on April 11, 2024

HEALTHEQUITY, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-22 16:01:19 EDT.

Filings

10-K filed on 2024-03-22

HEALTHEQUITY, INC. filed a 10-K at 2024-03-22 16:01:19 EDT
Accession Number: 0001428336-24-000016


Item 1C. Cybersecurity.

Overview

Cybersecurity risk is the risk of compromising the confidentiality, integrity, or availability of our technology platforms, data, and other systems, which could have an adverse impact on us, our members, Clients, and Network Partners. We take a strategic, risk-based approach to our cybersecurity program, which emphasizes continual improvement in an effort to protect and enable our business operations. Our enterprise cybersecurity program is designed to assess, identify, and manage cybersecurity threats through continuous monitoring of our information systems for potential vulnerabilities and through various controls and security tools designed to prevent, detect, escalate, investigate, resolve, and recover from identified and reasonably anticipated vulnerabilities, including any cybersecurity incidents, in a timely manner. In the event a security risk is detected, or a breach occurs, we are prepared with response protocols based on National Institute of Standards & Technology ("NIST") guidelines. Our Security Incident Response Plan defines roles and responsibilities, incident severity levels, key contacts, post-incident steps, and guidelines for testing. Our procedures cover response steps for phishing attacks, ransomware, data breaches, and major vulnerabilities. In addition, we have an organic threat model that evaluates our security controls to help protect against attacker tactics, techniques, and procedures. See Risk Factors in Part I, Item 1A of this Form 10-K for further information about cybersecurity risk.

Risk management and strategy

We have implemented the Three Lines of Defense Model as the foundation of our risk management approach. Our information security team serves as a First Line, working with our Enterprise Risk Management & Compliance functions as a Second Line, and our Internal Audit function as the Third Line.

Cybersecurity is integrated into our operations, including through team member engagement, technology infrastructure, data fabric, and product development. Due to the sensitive nature of our customers' data that we hold, we have a heightened focus on data security and protection. We maintain administrative, technical, and physical safeguards designed to protect confidential data. Our security team seeks to identify security risks by working with state and federal law enforcement, security information-sharing organizations, and 24/7 system surveillance through internal and external detection and response teams. Additionally, to help ensure our approach to customer privacy and security is effective and in line with industry standards, we publish Service and SOC 2 attestation reports on our risk management standards established by the Statement on Standards for Attestation Engagements 18 (SSAE-18). We regularly engage external and internal assessors and auditors to evaluate and audit our cybersecurity policies, procedures, standards, and practices. Results from these assessments are shared with management for remediation and with the Cybersecurity and Technology Committee of our board of directors on a regular basis. We have obtained, or are working toward obtaining, industry certifications and attestations and have aligned our cybersecurity program with the NIST Cybersecurity Framework and related controls. As part of our Partner Security Risk Management program, we perform initial risk assessments prior to engaging third-party service providers and ongoing risk assessments annually thereafter, which follow an established process designed to identify, assess, and periodically review our exposure to risk through our partners. During the fiscal year ended January 31, 2024, no known cybersecurity threats materially affected, or we believe are reasonably likely to materially affect, our business, our business strategy, financial reporting, or results of operations.

Governance

The Cybersecurity and Technology Committee of our board of directors provides oversight of the Company's cybersecurity threat landscape, risks and data security programs, and the Company's management and mitigation of cybersecurity risks and potential breach incidents. The Audit and Risk Committee of our board of directors provides an additional layer of cybersecurity oversight, as it provides oversight of the Company's enterprise risk management program, which includes management of cybersecurity risks and the potential fraud and privacy risks that could arise from a cybersecurity incident. The Chief Security Officer (CSO) and his delegates meet with the Cybersecurity and Technology Committee at least quarterly to, among other items, review any cybersecurity incidents, review key risks and metrics on the Company's cybersecurity program and related risk management programs, and discuss the Company's cybersecurity programs and goals. The Cybersecurity and Technology Committee also participates in cybersecurity tabletop exercises with management and receives training on cybersecurity trends and developments. The Cybersecurity and Technology Committee updates the full board of directors at each quarterly board meeting, or more frequently if needed. Our enterprise cybersecurity program is led by the CSO, who oversees both information technology and information security functions. Our CSO brings more than 20 years of cybersecurity experience in various leadership positions, both in technology and finance industries. He holds a doctorate degree from the University of Michigan and holds over 100 US and global security-related patents.

In order to assess and manage our material risks from cybersecurity threats, our CSO works with cross-functional teams, which are staffed with subject matter experts and leaders from each of the following areas:

Cybersecurity: We follow a defense-in-depth security model with a Joint Security Operations Center (JSOC), Attack Surface Management, and Data Protection team working with security architects and engineers deploying controls designed to prevent or limit the success of an attack.

Privacy and Governance: Our Data Privacy and Governance team helps our technology teams build a lasting roadmap to creating our products, services, and standards with privacy by design, and transparency at the forefront.

People Safety and Crisis Management: Led by federal law enforcement veterans, our People and Partner Safety team is responsible for ensuring the security of our team members across the US. We also conduct regular tabletop exercises to ensure we are ready to respond to crises, including cybersecurity incidents.

Fraud Prevention: Our Fraud Strategy and Prevention team leverages industry best practices of fraud prevention, identity and access management, and cybersecurity monitoring to protect the transactions of our members and Clients.


Company Information

Name: HEALTHEQUITY, INC.
CIK: 0001428336
SIC Description: Services-Business Services, NEC
Ticker: HQY - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: January 30