Nutex Health, Inc. 10-K Cybersecurity GRC - 2024-03-28

Page last updated on April 11, 2024

Nutex Health, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 17:33:58 EDT.

Filings

10-K filed on 2024-03-28

Nutex Health, Inc. filed an 10-K at 2024-03-28 17:33:58 EDT
Accession Number: 0001558370-24-004287

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Nutex manages cybersecurity and data protection through a continuously evolving framework. The framework allows us to identify, assess and mitigate the risks we face, and assists us in establishing policies and safeguards to protect our systems and the information of those we serve. Our cybersecurity program is managed by our Information Technology Manager and Chief Operating Officer. The Audit Committee of the Board of Directors has oversight of our cybersecurity program and is responsible for reviewing and assessing the Company s cybersecurity and data protection policies, procedures and resource commitment, including key risk areas and mitigation strategies. As part of this process, the Audit Committee receives regular updates from the Information Technology Manager and Chief Operating Officer on critical issues related to our information security risks, cybersecurity strategy, supplier risk and business continuity capabilities. The Company s framework includes an incident management and response program that continuously monitors the Company s information systems for vulnerabilities, threats and incidents manages and takes action to contain incidents that occur remediates vulnerabilities and communicates the details of threats and incidents to management, including the Information Technology Manager and Chief Operating Officer, as deemed necessary or appropriate. Pursuant to the Company s incident response plan, incidents are reported to the Audit Committee, appropriate government agencies and other authorities, as deemed necessary or appropriate, considering the actual or potential impact, significance and scope. We work to require our third-party partners and contractors to handle data in accordance with our data privacy and information security requirements and applicable laws. We regularly engage with our suppliers, partners, contractors, service providers and internal development teams to identify and remediate vulnerabilities in a timely manner and monitor system upgrades to mitigate future risk, and ensure they employ appropriate and effective controls and continuity plans for their systems and operations. To ensure that our program is designed and operating effectively, our infrastructure and information systems are audited periodically by internal and external auditors. We will perform regular vulnerability assessments and penetration tests to improve system security and address emerging security threats. Our internal audit team independently assesses security controls against our enterprise policies to evaluate compliance and leverages a combination of auditing and security frameworks to evaluate how leading practices are applied throughout our enterprise. Audit results and remediation progress are reported to and monitored by senior management and the Audit Committee. We also periodically partner with industry-leading cybersecurity firms to assess our cybersecurity program. These assessments complement our other assessment work by evaluating our cybersecurity program as a whole. We complete an enterprise information risk assessment as part of our overall enterprise information security risk management assessment, which is overseen by our Information Technology Manager and Chief Operating Officer. This risk assessment is a review of internal and external threats that evaluates changes to the information risk landscape to inform the investments and program enhancements to be made in the future to rapidly respond and recover from potential attacks, including rebuild and recovery protocols for key systems. We evaluate our enterprise information security risk to ensure we address any unexpected or unforeseen changes in the risk environment or our systems and the resulting impacts are communicated to the Company s overall enterprise risk management program. We believe our Information Technology Manager and Chief Operating Officer have the appropriate knowledge and expertise to effectively manage our cybersecurity program. The Information Technology Manager has 17 years of information technology experience across multiple industries before joining Nutex Health. 36 Table of Contents As of December 31, 2023, the Company has not identified any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition, but there can be no assurance that any such risk will not materially affect the Company in the future. For further information about the cybersecurity risks we face, and potential impacts, see Part I, Item 1A, Risk Factors.

Company Information