Ontrak, Inc. 10-K Cybersecurity GRC - 2024-04-16

Page last updated on April 16, 2024

Ontrak, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-16 17:19:41 EDT.

Filings

10-K filed on 2024-04-16

Ontrak, Inc. filed an 10-K at 2024-04-16 17:19:41 EDT
Accession Number: 0001628280-24-016456

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY The Company maintains a cybersecurity and risk management program called the Information Security Management Program (“ISMP”) designed to identify, assess, manage, mitigate and respond to cybersecurity threats and attacks. The ISMP is overseen by the Company’s Chief Compliance and Privacy Officer, who oversees the Company’s information technology security team as it relates to the ISMP and is responsible for assessing and managing the ISMP, informs senior management regarding the prevention, detection, mitigation and remediation of cybersecurity incidents and supervises such efforts. The cybersecurity team has decades of experience selecting, deploying, and operating cybersecurity technologies, initiatives, and processes, and relies on threat intelligence as well as other information obtained from governmental, public or private sources, including external consultants engaged by the Company. The ISMP is developed by the Company’s information security team in collaboration with cross functional stakeholders, and is designed to ensure the organization’s security posture and practices are in alignment with contractual, regulatory and industry requirements. Risk assessments against agreed criteria are conducted no less than annually, and sooner if there are significant changes in the environment. Security services are delivered through a combination of internal and third party resources. Formal periodic meetings are held with Company’s executive leadership to review relevant components of the ISMP, formal annual reviews of the policies are conducted, formal reviews of the entire ISMP and risk register are conducted at least annually, and more frequently if there are significant changes to the environment. Also, an independent review of the ISMP is conducted in the following ways: (i) an annual HIPAA risk assessment conducted by a third party and (ii) a HITRUST risk based two year assessment conducted by a third party. 28 Table of Contents The Audit Committee of the Board of Directors oversees the Company s cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. The cybersecurity team briefs the Audit Committee on the effectiveness of the Company s cybersecurity risk management program, typically on a quarterly basis. In addition, cybersecurity risks are reviewed by the Company’s Board of Directors, at least annually, as part of the Company s corporate risk mapping exercise. We have, from time to time, experienced threats to and breaches of our data and systems, including breaches of our data within third party vendor’s system. Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition as of December 31, 2023. For more information about the cybersecurity risks we face, see the risk factor entitled “Cybersecurity incidents, security breaches, loss of data and other disruptions could compromise sensitive information related to our business, prevent us from accessing critical information or expose us to liability, which could adversely affect our business and our reputation” in Part I, Item 1A of this report.

Company Information