Cano Health, Inc. 10-K Cybersecurity GRC - 2024-04-01

Page last updated on April 11, 2024

Cano Health, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-01 17:07:38 EDT.

Filings

10-K filed on 2024-04-01

Cano Health, Inc. filed an 10-K at 2024-04-01 17:07:38 EDT
Accession Number: 0001628280-24-014114

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We recognize that cybersecurity risk is a critical enterprise concern. To mitigate cybersecurity risk, we have obtained cybersecurity insurance coverage and established a Cybersecurity and IT Governance Program to stay at the forefront of security and threat management. Our program monitors and assesses our IT environment to provide continuous improvement and automate incident response. We have instituted best practices for preventive safeguards, governance, monitoring, detection, response and third-party validation. Data, updates and results from our program are provided to the Audit Committee at regularly scheduled meetings. The Company regularly assesses risks from cybersecurity threats, monitors its information systems for potential vulnerabilities and tests those systems pursuant to the Company s cybersecurity policies, standards, processes and practices. To protect the Company s information systems from cybersecurity threats, the Company uses various security tools that help the Company identify, escalate, investigate, resolve and recover from security incidents in a timely manner. These efforts include, but not limited to, managed detection and response, security information and event management, vulnerability management, email security filtering, threat intelligence, security awareness program, endpoint detection and response, security automation and orchestration, and intrusion detection and prevention systems. The Company partners with third parties to assess the effectiveness of our cybersecurity prevention and response systems and processes, including periodic penetration tests, annual compliance risk assessments, and third-party cybersecurity assessments. Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected or are reasonably likely to affect the Company, including its business strategy, results of operations or financial condition. Refer to the risk factor captioned Data security breaches, loss of data and other disruptions could compromise sensitive information related to our business or our members, or prevent us from accessing critical information and expose us to liability, which could adversely affect our business and our reputation. in Part I, Item 1A. Risk Factors for additional description of cybersecurity risks and potential related impacts on the Company. Governance The Company s Audit Committee oversees our risk management program, which is designed to identify, evaluate, and respond to our high-priority risks and opportunities to mitigate those risks. The Company s management, including our executive officers, reports to the Audit Committee on areas of material risk based on its annual risk assessment exercise and management is primarily responsible for managing the risks associated with the Company s operation and business, including cybersecurity and other information security risks. As part of the annual risk assessment exercise, our management conducts executive management interviews, participates in key committee meetings (including meetings of the Disclosure Committee, Compliance Committee and, during our ERP implementation, the Oracle Committee), quantitatively and qualitatively scopes financial accounts and IT system sources and considers industry reports and legal and/or regulatory changes to understand short-term, medium-term and long-term priorities, objectives and strategies, taking into account the level of maturity and degree of integration of governance and risk management programs. Management provides regular updates to the Audit Committee on our risk management program and reports on identified high-priority risks and opportunities during regularly scheduled Audit Committee meetings. In turn, the Audit Committee Chairman is responsible for regularly reporting to the Board. The Company takes a risk-based approach to cybersecurity and has implemented cybersecurity policies throughout its operations that are designed to address cybersecurity threats and incidents. In particular, management oversees cybersecurity assessments to identify potential threats, vulnerabilities, and the potential impact on the business. Management is responsible for 85 establishing cybersecurity policies and procedures that align with industry best practices and regulatory requirements. Management oversees the implementation of systems that continuously monitor the Company’s cybersecurity posture and drives a culture of continuous improvement in cybersecurity. In February 2024, the Company formed a dedicated Cybersecurity Risk Committee (the “Cybersecurity Committee”), consisting of designated members of the Company s Information Technology team, the Company s General Counsel and Chief Compliance Officer, the Company s Deputy General Counsel, the Company s Controller, the Company s Chief Operating Officer, and designated members of the Company s Communications team. The Company s CEO and CFO have the authority to appoint and remove members of the Cybersecurity Committee. The Cybersecurity Committee is responsible for, among other things: Reviewing management s implementation of cybersecurity programs, privacy programs and related risk policies and procedures and management s actions to (a) safeguard the effectiveness of such programs and policies and the integrity of the Company s electronic systems and facilities and (b) prevent, detect and respond to cyber-attacks or information or data breaches involving the Company s electronic information, intellectual property and data Reviewing information from the Company s IT Department regarding matters related to the management of cybersecurity risks and privacy risks Reviewing management s cybersecurity and privacy crisis preparedness and incident response plans (including policies and procedures regarding public disclosure of any such incidents) and the Company s disaster recovery capabilities In the event of an identified breach or attempted breach, the details and impact of any such breach or attempted breach of the Company s information technology systems, networks and/or the types of information, data, and assets collected, created, used, processed, and/or maintained by or on behalf of the Company, including personal information and/or any information or assets of the Company s customers, consumers, employees and business partners, the appropriately investigating any such events, the response to such events, and the implementation of measures to help prevent the recurrence of such events and review summaries of any incidents or activities that are required to be reported to the Audit Committee pursuant to any escalation policies applicable to such cybersecurity incident Reviewing the effectiveness of the Company s cybersecurity and privacy risk management programs and its practices for identifying, managing and mitigating cybersecurity and privacy risks across all business functions and recommending improvements, where appropriate Reviewing the Company s framework for adopting policies and procedures establishing cybersecurity and privacy risk-management governance, cybersecurity and privacy risk-management procedures, and cybersecurity and privacy risk control infrastructure Reviewing the Company s processes and systems for implementing and monitoring compliance with cybersecurity and privacy risk-management and cybersecurity and privacy risk-control policies and procedures, including: Processes and systems for identifying and reporting cybersecurity and privacy risks (including emerging cybersecurity and privacy risks) and cybersecurity and privacy risk management deficiencies, and implementation of actions to address these deficiencies and Processes and systems to integrate cybersecurity and privacy risk management and associated controls with management goals Reviewing significant investments and expenditures the Company proposes to make to manage or mitigate enterprise risks and make recommendations, where appropriate Reviewing reports and presentations from management and the Company s advisors, including outside cybersecurity and privacy experts, regarding the management of cybersecurity and privacy risk programs 86 Reviewing and addressing, as appropriate, management s corrective actions for deficiencies that arise with respect to the effectiveness of the Company s cybersecurity and privacy risk management programs Reviewing and discussing with management the Company s public disclosures in its SEC reports relating to the Company s cybersecurity and privacy matters, including privacy, network security and data security, including reviewing applicable cybersecurity and privacy disclosures in the Risk Factors section of this 2023 Form 10-K Reviewing the adequacy of the Company s cybersecurity insurance programs to determine if the coverages are sufficient, consistent with market conditions, to protect the Company Reviewing, with the Company s General Counsel or their designee, any cybersecurity and/or privacy-related legal matter that could have a significant impact on the Company s business or reputation and Addressing other matters as the Cybersecurity Committee Chair or other members of the Cybersecurity Committee determine relevant to the Cybersecurity Committee s oversight of cybersecurity and privacy risk assessment and management. The Cybersecurity Committee will provide periodic updates to the Company s Audit Committee regarding its activities, and in the event of a material cybersecurity or privacy incident involving the Company, on the status of the Company s cybersecurity and data protection response and disclosures. Through these briefings, the Cybersecurity Committee will periodically provide the Audit Committee with appropriate information, as applicable, on the status of–(1) the Company s cybersecurity and data protection program strategies, projects, initiatives, opportunities, developments and any material changes in the foregoing (2) budgets and resources (3) information security or privacy assessments, audits and tests conducted by the Company or third parties (4) the Company s escalation protocols with respect to prompt reporting of cybersecurity incidents to management, the Audit Committee and the Board and (5) material cybersecurity and privacy incidents, risks, issues and legal developments, as well as the remediation or risk mitigation measures undertaken to address such issues. Also, any cybersecurity incident requiring public disclosure on a Current Report on Form 8-K or other applicable public filings or disclosures will be reported to the Audit Committee prior to any such disclosure. As appropriate, the briefings also will present management s recommendations for changes to the Company s cybersecurity and data protection practices. UnitedHealth Group Incorporated ( UHG ) recently widely-announced that they had experienced a cybersecurity incident in which a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare (owned by UHG) information technology systems. Through filings on Form 8-K, press releases and conference calls, UHG is providing regular updates on its assessment of this cybersecurity incident, including, without limitation, its remediation and service restoration activities. The Company s Cybersecurity Committee and its respective members are monitoring UHG s cybersecurity incident for any potential impact it may have on the Company and its various constituencies.

Company Information