NeueHealth, Inc. 10-K Cybersecurity GRC - 2024-03-28

Page last updated on April 11, 2024

NeueHealth, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 17:18:37 EDT.

Filings

10-K filed on 2024-03-28

NeueHealth, Inc. filed an 10-K at 2024-03-28 17:18:37 EDT
Accession Number: 0001671284-24-000028

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy Risk is an inherent component of the Company s strategic activities and operating environment. The ability to effectively identify, assess, measure, respond, monitor, and report on risks is critical to the achievement of the Company s mission and strategic objectives. Cybersecurity risk, including the risk of managing cybersecurity threats, is a key risk integrated into our enterprise risk management ( ERM ) program and processes. In addition to cybersecurity risk being included in our annual enterprise risk assessment process, other cybersecurity-related risk assessments, such as threat and vulnerability assessments, are performed regularly. Cybersecurity risk is also considered in the Company s annual fraud risk assessment. Annually, the Company completes a National Institute of Standards and Technology ( NIST ) Cybersecurity Framework ( CSF ) maturity assessment to identify and evaluate the areas of strength and opportunities for improvement. These maturity assessments, which are performed leveraging independent third-party advisors or through self-assessments, evaluate the organization s cyber maturity based on predefined standards and criteria (e.g., NIST Special Publication (SP) 800-66). Results of these assessments commonly set the roadmap for future cybersecurity improvement initiatives. Additionally, for third party vendors providing services to the Company, a security risk assessment is completed during vendor due diligence, before execution of agreements. The assessment evaluates, among other areas, the vendors data security, access identity, endpoint protection and incident management and response capabilities. Vendors are required to either complete a security questionnaire based on the HIPAA Security Rule requirements or provide evidence of a current Service Organization Control report completed by a third-party, Health Information Trust Alliance certification, or similar security and compliance attestation. These risk assessments are refreshed regularly during the duration of an agreement with the vendor, and the results can be used to influence the vendor to make improvements where weaknesses in their security and compliance measures are identified. Governance Board of Directors The Board of Directors has direct responsibility for the risk profile of the Company, as defined by the requirements of the shareholders. Inherently included in the Company s risk profile is the risk of cybersecurity threats. The Audit Committee of the Board of Directors has been delegated the responsibility to oversee the management of risks for the Company, including those pertaining to cybersecurity. The Audit Committee is responsible for: Providing oversight of risks, including but not limited to finance, operations, information technology and information security, privacy, legal and regulatory. Meeting periodically with management to review the Company s significant risks and the steps management has taken to monitor, control or mitigate such risks. Reviewing required disclosures pertaining to risks. Cybersecurity risk is a standing agenda topic at quarterly Audit Committee meetings. Common topics discussed include, but are not limited to, cybersecurity risks, threats and vulnerabilities, and the related monitoring activities, as well as progress made with the Company s information security roadmap. The Audit Committee is apprised of the results of cybersecurity risk assessment and prevention/detection activities (e.g., vulnerability scanning, penetration testing, security awareness training) as well as any changes to cybersecurity laws and regulations, current leading practices, and the changing threat landscape. Annually, the results of the Company s enterprise risk assessment are presented to the Audit Committee. These results include a discussion on the top enterprise risks (including, when appropriate, cybersecurity risk) identified through the enterprise risk assessment process, controls in place to address the risks, as well as the mitigation plans management will take to address any uncontrolled risks. Following most Audit Committee meetings, the Chair of the Audit Committee provides an update to the full Board of Directors at the Board s next regularly scheduled meeting. It is through this update where the Board of Directors would be apprised of any material risks or threats, including those pertaining to cybersecurity matters. 39 Table of Contents Management Management of risks, including risks of cybersecurity threats, is delegated to the Company s Head of Information Security, who reports administratively to the Chief Information Officer and has informal reporting relationships with the General Counsel and Chief Audit Executive. The Head of Information Security has over 30 years of information technology and security experience with assessing and managing cybersecurity threats and is responsible for the day-to-day information security program objectives. The Head of Information Security is also responsible for attending quarterly Audit Committee meetings and reporting results of the cybersecurity program to the Audit Committee, including results of preventative activities (e.g. endpoint protection, security training), ongoing monitoring activities (e.g., vulnerability testing), and remediation activities (e.g., issues identified through audits and assessment activities). The Head of Information Security utilizes various tools and resources to manage and monitor cybersecurity threats, vulnerabilities, and incidents, most of which are delivered through third-party solutions. Examples include, but are not limited to: Endpoint and network device vulnerability identification and scanning Internal and external penetration testing services with an emphasis on on-premise and cloud security Security training and awareness, with an emphasis on phishing threats Third-party security risk assessments NIST CSF assessment tools Security information and event management for monitoring infrastructure events. The Company s enterprise threat and vulnerability identification and detection capabilities operate on an ongoing basis, with results reported to Information Security daily. The capabilities utilize endpoint sensors and network scanning to meet and maintain leading bad actor tactics and techniques, including machine learning and artificial intelligence, to protect against potential malicious threats or other potentially unwanted programs or identity abuse, including privilege escalation or abuse of least privilege access enforced by the Company. The information gathered by the Head of Information Security through these activities, through assessment results provided by cybersecurity consultants or advisors, as well as through gathering cyber-risk landscape insights from various other third-party sources, informs the Company s assessment of the risk of cybersecurity threats. Finally, the Company s Disclosure Committee is responsible for assisting the CEO, CFO and Audit Committee to prepare SEC-required disclosures, confirming the Company s disclosure controls and procedures are properly implemented and asserting the accurate, complete, timely and fair presentation of public disclosures. The Disclosure Committee is comprised of the Company s CFO, Chief Accounting Officer, General Counsel, Chief Audit Executive, Head of Information Security, and senior members of our external reporting, financial planning and analysis, and tax departments. The Disclosure Committee meets quarterly prior to the issuance of required quarterly SEC filings, and in these meetings relevant cybersecurity risks would be discussed. Based on the Company s most recent assessments of cybersecurity risk, as of the date of this Form 10-K, we are not aware of any risk from cybersecurity threats that has caused or is reasonably likely to cause a material effect on the Company s business strategy, results of operations, or financial condition. For further discussion of the risks associated with cybersecurity incidents, see the cybersecurity risk factor under the caption Risks Related to our Intellectual Property, Information Technology, and Data Privacy included in Part I, Item 1A. - Risk Factors in this Form 10-K. 40 Table of Contents

Company Information