American Oncology Network, Inc. 10-K Cybersecurity GRC - 2024-03-28

Page last updated on April 11, 2024

American Oncology Network, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 16:59:32 EDT.

Filings

10-K filed on 2024-03-28

American Oncology Network, Inc. filed a 10-K at 2024-03-28 16:59:32 EDT
Accession Number: 0001839998-24-000021


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

AON has developed a standardized and systematic process for identifying, assessing, and mitigating cybersecurity risks within the organization. The process includes the gathering of information on cybersecurity trends, assessing risks, and recommending mitigation actions for periodic reporting to boards or committees. The documented standard operating procedure (SOP) outlines the processes, responsibilities, and methodologies that the Company follows to proactively manage and mitigate risks associated with the confidentiality, integrity, and availability of sensitive organizational and healthcare information. The SOP includes guidelines for risk identification and information gathering, consistent with the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), risk assessment, mitigation planning and recommendation, executive board and committee reporting, and documentation and review. The SOP also identifies the roles and responsibilities of individuals and groups within the organization that participate in ensuring that risks are identified, assessed, and mitigated in a way that aligns with organizational goals, risk appetite, legal requirements, and best practices. The SOP is required to be approved by the Information Security Review Board (ISRB) as well as our SEC Reporting Manager and reviewed every 2 years for relevance and effectiveness. AON has implemented a risk-based approach to identify and assess cybersecurity threats (both internal and external) that could affect our operations (including, but not limited to, our mission, functions, image, or reputation), assets, information, and individuals. This approach incorporates both external and internal risk and threat identification methodologies.

External: AON engages in penetration testing and external trend analysis, which primarily monitors industry reports, threat intelligence feeds, and cybersecurity news sources for potential risks and emerging threats/trends relevant to the organization.

Internal: AON's internal risk and threat identification includes the conducting of real-time monitoring of the AON data communications systems, transactions, and event logs on a 24x7 basis. We also conduct periodic security risk identification exercises including regulatory compliance assessments, vulnerability scanning and penetration testing to identify potential risks and threats. Finally, we periodically conduct cybersecurity awareness training for all users and continuously encourage/remind them to report any identified threats or potential risks.

Identified risks are documented in a risk register or security gap remediation worksheet with detailed information and an expert opinion on their probability of occurrence and potential impact. These values are then used to determine the overall rating value of the risk. There are several major risk categories that AON takes into consideration when identifying risks. The major risk categories that AON recognizes include: Advanced Persistent Threat (APT), Denial of Service (DoS), Equipment Loss or Theft, Inappropriate Use or Unlawful Activity, Malware/Ransomware, Phishing/Smishing/Vishing, Supply Chain/Vendor Incident, Unauthorized Access or Privacy Breach, and Unplanned Downtime/Outage. AON also strives to categorize organizational data based on sensitivity levels. AON's data is classified into one of the following categories: Restricted/Confidential, Private/Internal, or Public. These data categories are taken into consideration and aligned with potential risks and impact assessments.

AON's risk management team is charged with the responsibility of ensuring that the processes described above are implemented according to the company's risk management policy and that they align with the organization's stated risk appetite and tolerance levels. AON's risk management policy dictates that the company shall identify, assess, and manage material risks and craft a risk response strategy to address each individual case of an identified risk. AON engages third parties in various stages of the risk management process. These third parties include a virtual chief information security officer service (vCISO), which is engaged as needed, and an incident response team associated with our managed detection and response service. AON has established a comprehensive vendor management program to assess, monitor, and manage risks associated with all third-party vendors including cybersecurity service providers. Thorough due diligence is exercised when selecting cybersecurity vendors including the evaluation of the provider's reputation, experience, certifications (where applicable), and adherence to industry best practices. The evaluation process includes the review of Business Associate and Information Security Questionnaires as well as the company's Service/System Organization Controls (SOC) report, and these must be reviewed annually. Clear cybersecurity expectations and requirements are required to be defined in contractual agreements, as well as clauses related to data protection, incident response, reporting, and compliance with security standards. Vendors must comply with all applicable AON policies, practice standards and agreements, including, but not limited to: non-disclosure agreements, code of conduct and safety policies, privacy and security policies, auditing policies, and software licensing policies.

Governance

AON has defined multiple roles and responsibilities to create a collaborative and effective approach to cybersecurity risk management. Each plays a critical part in ensuring that risks are identified, assessed, and mitigated in a way that aligns with organizational goals, risk appetite, legal requirements, and best practices. The collaboration between these roles ensures a comprehensive and well-coordinated effort to protect the organization from cybersecurity threats.

Business Owner / Data Stewardship - Has responsibility for specific business processes or data sets. Ensures that data is used, stored, and transmitted securely.
Chief Information Security Officer (CISO) / Chief Information Officer (CIO) - Provides overall leadership for the information security program. Represents cybersecurity interests at the executive level.
Compliance Officer - Ensures that the organization complies with relevant laws and regulations. Provides guidance on compliance requirements impacting cybersecurity.
IT Security Team / Information Security Practitioners - Acts as point of contact for risk-related concerns within respective teams. Implements security measures based on risk assessments.
Legal Team - Provides legal expertise on cybersecurity and data protection matters. Ensures that cybersecurity practices comply with applicable laws and regulations.
Risk Officer - Facilitates and coordinates risk management activities. Ensures that the risk management process is followed consistently.
Risk Management Committee - Provides expertise in various domains of cybersecurity. Ensures the overall effectiveness of risk management processes. This is an informal management committee that was initiated by the IT Security Director. Members include the CIO, CISO, Risk Officer, and Compliance Officer. Members were selected based on their existing roles within AON and their relationship to cybersecurity and risk management functions.

The AON Risk Management Committee meets on a quarterly cadence to summarize cybersecurity trends, identified risks, and mitigation strategies. The committee works together to craft executive-level reports suitable for board or committee review. It is the responsibility of the CIO, CISO, or the Risk Officer, each of whom has at least 10 years of expertise in the cybersecurity field, to present key findings, risk assessments, and mitigation strategies to boards or committees, including the Information Security Review and Executive Boards. The AON Risk Management Committee reviews and summarizes key cybersecurity trends, identified risks, and mitigation strategies and crafts executive-level reports for AON's leadership. It is the responsibility of the CIO, CISO, or the Risk Officer to present these reports to boards or committees, including the Information Security Review and Executive Boards on a regular cadence.

It is the responsibility of our board of directors to establish and maintain a robust cybersecurity risk governance framework within the organization. The board of directors is also responsible for defining and communicating our organizational risk appetite and tolerance for cybersecurity. Additionally, the board of directors provides input and oversight of the organization's cybersecurity strategy and objectives and ensures alignment between cybersecurity initiatives and overall business goals. AON's board of directors is required to actively participate in risk identification workshops and crisis management planning, especially regarding cybersecurity incidents. The board of directors is also responsible for promoting a cybersecurity-aware and continuous improvement culture within the organization. Starting in 2024, AON's board of directors will receive quarterly reports on the organization's cybersecurity posture, including risk findings and assessments, mitigation strategies, and key performance indicators (KPIs), which shall be presented in a review meeting by a representative from the Risk Management Committee.

Material Effects of Cybersecurity Threats

There is a vast array of potential material effects that AON could feasibly face from cybersecurity threats in the near future. While we have identified the most likely of these in our Cybersecurity Incident Response Plan and Risk Management, Assessment and Mitigation Guide, and have either taken proactive measures and/or created a response strategy to mitigate the likelihood and impact of each, there remains a distinct possibility that a new/emerging threat might impact the business. The most likely material effects that could impact the organization in the near future include:

Business Disruption: Cybersecurity threats, such as malware or ransomware attacks or DoS attacks, could lead to business disruptions. Unplanned downtimes or outages, particularly in critical systems or services, may impact the organization's ability to operate efficiently, affecting business continuity.
Supply Chain Disruptions: Cybersecurity threats targeting third-party vendors or supply chain partners may lead to disruptions. Dependencies on external entities could impact the organization's ability to deliver services, affecting business strategy and financial conditions.
Increased Operational Costs: Investing in cybersecurity measures, incident response, and recovery efforts may lead to increased operational costs. More importantly, budgetary constraints for other strategic initiatives may result from the need to allocate resources to address cybersecurity threats.

Other possible material effects include, but are not limited to, intellectual property theft, increased insurance premiums, unplanned litigation costs, reputation damage, and regulatory non-compliance.


Company Information

Name: American Oncology Network, Inc.
CIK: 0001839998
SIC Description: Services-Health Services
Ticker: AONC - Nasdaq; AONCW - Nasdaq
Website:
Category: Emerging growth company
Fiscal Year End: December 30