U.S. NeuroSurgical Holdings, Inc. 10-K Cybersecurity GRC - 2024-04-05

Page last updated on April 11, 2024

U.S. NeuroSurgical Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-05 16:01:52 EDT.

Filings

10-K filed on 2024-04-05

U.S. NeuroSurgical Holdings, Inc. filed an 10-K at 2024-04-05 16:01:52 EDT
Accession Number: 0001140361-24-018303

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management, Governance And Risk Assessment The Company is committed to protecting the confidentiality, integrity, and availability of its information systems and the data they contain from cybersecurity threats. The Company recognizes that cybersecurity is a dynamic and evolving area of risk that requires ongoing assessment, management, and oversight. The Company intends to establish a cybersecurity program (the Program ) that will be designed to assess, identify, manage, and mitigate material cybersecurity threats, as well as to respond to and recover from cybersecurity incidents. 25 Table of Contents Cybersecurity Risk Management The Program will be based on the National Institute of Standards and Technology ( NIST ) Cybersecurity Framework ( CSF ), NIST Special Publication 800-53, and the Payment Card Industry standards, as applicable, and designed to comply with applicable laws and regulations, including HIPAA and the New York Department of Financial Services Cybersecurity Regulation, as applicable. This does not imply that we will meet any particular technical standards, specifications, or requirements. The Program will be aligned with the Company s overall enterprise risk management system and processes and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. Control procedures are assessed regularly to confirm their effectiveness. The Company will designate a Chief Information Security Officer (the CISO ). The Program will be implemented and managed by the Company s executive management under the leadership of the CISO. The Company will contract with third-party service providers to support aspects of the Program implementation, operations, and review of information technology operations and cybersecurity technologies. The Company s cybersecurity policies and procedures will be reviewed by the CISO and updated at least annually and will include an incident response plan ( IRP ) for detecting, responding to and limiting the effects of a cyber security event. In addition, under the IRP, following the resolution of a cybersecurity incident, the Company will generally consider the effectiveness of the Program and the IRP, make adjustments as appropriate, and report to senior management and the Audit Committee as appropriate on these matters. Cybersecurity policies and procedures will also be subject to periodic review and audits by internal and external parties, such as the internal audit function, external auditors, regulators, or independent assessors. The Company will require employees to undergo cybersecurity-related training, including phishing prevention training, and employees are tested regularly through phishing exercises. Governance The CISO will be responsible for developing, maintaining, and enforcing the Program s policies and procedures, as well as reporting on the Program s performance and material cybersecurity risks to the Audit Committee. The CISO will have the relevant expertise and authority to carry out the Program s objectives and to coordinate with other key stakeholders within and outside the Company. The Program will be overseen by the Company s Board of Directors. Cybersecurity Risk Assessment The CISO will be responsible for assessing and managing the Company s material risks from cybersecurity threats. The Company will conduct regular risk assessments to identify, evaluate, and prioritize material cybersecurity risks to the Company, including its health plans and state contracts, shared services and IT operations, or business strategy. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. 26 Table of Contents

Company Information