Sharecare, Inc. 10-K Cybersecurity GRC - 2024-03-29

Page last updated on April 11, 2024

Sharecare, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-29 16:59:08 EDT.

Filings

10-K filed on 2024-03-29

Sharecare, Inc. filed an 10-K at 2024-03-29 16:59:08 EDT
Accession Number: 0001816233-24-000078

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy We recognize the critical role of developing, implementing, and maintaining cybersecurity measures to protect our information technology networks and systems and the sensitive data of our partners, clients, and members. To manage cybersecurity risks, we use a multi-layered security approach, involving data privacy, application security, physical and environmental security, network access controls, monitoring and incident reporting, administrative and service availability controls, and regulatory compliance. As part of this multi-layered approach, Sharecare utilizes a managed service for its Security Operations Center that monitors all security related events collected in our Security Information and Event Management (SIEM) system 24x7. The SIEM application correlates events from the various systems and applications looking for indicators of compromise, and if found, initiates our incident response protocols. Through data protection, high availability, and built-in redundancy, Sharecare mitigates risks to application availability and minimizes accidental data loss or destruction during a cybersecurity incident, business interruption, or other event. As we utilize third-party service providers for important aspects related to the collection, storage and transmission of sensitive data, we require a risk based vendor management process to ensure the safety of our sensitive data that they store or process. We conduct a formal vendor management process on all third-party service providers that provide services that utilize or create sensitive information, which includes initial and yearly risk assessments performed by experienced third party risk management personnel, annual vendor assessments of performance including onsite review of security programs for vendors that handle sensitive customer data, and entering into Business Associate Agreements with an Information Security Addendum and Data Use Agreements in contracts for vendors that process sensitive Sharecare information that define security requirements, incident reporting, corrective action management and handling of data. 43 Table of Contents As of December 31, 2023, we have not detected any cybersecurity threats, including prior incidents, that have materially impacted the Company, our business or our financial results. For an examination of cybersecurity threats that could potentially have a material impact on us, please refer to our Risk Factors discussion in the section titled, Security breaches, loss of data, and other disruptions could compromise sensitive information related to our business, partners, clients, or members, or prevent us from accessing critical information and expose us to liability, which could adversely affect our business and reputation. Governance Our Audit Committee oversees the Company s policies and monitoring programs relating to data privacy and security, including cyber or technology related attacks or malfunctions and reviews and discusses with management the Company s risk exposures pertaining to data privacy and security, and management s risk management policies. Our cybersecurity management team provides periodic updates to the Audit Committee, which occur no less than annually. Such updates include information related to threat landscape, risks, initiatives, and security incidents. In the event that any matter requires escalation, such matter would be brought to the Board however, no matter has required such escalation since the Business Combination.

Company Information