Page last updated on July 28, 2025
CVS HEALTH Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-12 06:47:38 EST.
Filings
10-K filed on 2025-02-12
CVS HEALTH Corp filed a 10-K at 2025-02-12 06:47:38 EST
Accession Number: 0000064803-25-000007
Item 1C. Cybersecurity.
Cybersecurity Risk Management
Cybersecurity is an important and integrated part of the Company’s enterprise risk management strategy. Safeguarding the Company’s business information, intellectual property, customer, patient and employee data and technology systems is essential for the continuity of its businesses, meeting applicable regulatory requirements and maintaining the trust of its stakeholders.
To help protect the Company from a major cybersecurity incident that could have a material impact on operations or the Company’s financial results, the Company has implemented a robust information security program and has made technology investments that focus on cybersecurity incident prevention, detection and mitigation. The steps the Company takes to reduce its vulnerability and to mitigate the impacts from cybersecurity incidents include, but are not limited to: comprehensive information security policies and standards, implementing logical and technical controls through processes and technologies, monitoring its information technology systems for cybersecurity threats, assessing cybersecurity risk profiles of key third parties, implementing cybersecurity training and collaborating with public and private organizations on cyber threat information and best practices. The Company is currently in material compliance with applicable information privacy and cybersecurity standards.
The Company has implemented a Cybersecurity Incident Response Plan (the “Plan”), which is integrated into its overall crisis management program. The Plan provides a framework for responding to cybersecurity incidents. The Plan identifies applicable requirements for incident disclosure and reporting as well as provides protocols for incident evaluation, including the use of third-party service providers and partners, processes for notification and internal escalation of information to the Company’s senior management, the disclosure committee, the Board and appropriate Board committees. The Plan also addresses requirements for the Company’s external reporting obligations. The Plan is reviewed and updated, as necessary, under the leadership of the Company’s Chief Information Security Officer (“CISO”) and Chief Privacy Officer (“CPO”).
The Company’s information technology systems and processes are regularly assessed internally as well as by independent third parties for compliance with the following standards: HIPAA; NIST 800-53; System and Organization Controls (“SOC”) 1; SOC 2 Type 2; HI-TRUST; Payment Card Industry Data Security Standards; and the National Association of Insurance Commissioners. The Company annually purchases a cybersecurity risk insurance policy that is expected to help defray the costs associated with a covered cybersecurity incident if it occurred.
Although the Company did not experience a material cybersecurity incident during the year ended December 31, 2024, it did experience previously-disclosed impacts from the Change Healthcare cybersecurity incident in February 2024. See the Company’s Form 10-Q for the three months ended March 31, 2024 for more information. The scope and impact of any future direct or third-party cybersecurity incident cannot be predicted. See “Item 1A. Risk Factors” for more information on the Company’s cybersecurity-related risks.
Governance
Management has responsibility to manage risk and bring to the Board’s attention the most material near-term and long-term risks to the Company. The Company’s CISO leads management’s assessment and management of cybersecurity risk. The CISO reports to the Company’s Chief Digital, Data, Analytics & Technology Officer (the “CDDATO”), who reports directly to the Company’s Chief Executive Officer. The CDDATO, CISO and the CPO regularly review cybersecurity matters with management. The current CDDATO, CISO and CPO each has more than 10 years of experience managing risks or advising on cybersecurity issues.
The Board is actively engaged in overseeing and reviewing the Company’s strategic direction and objectives, taking into account, among other considerations, the Company’s risk profile and related exposures. As part of this oversight the Board has delegated certain of these responsibilities to committees of the Board. The Board has delegated the responsibility for the oversight of the Company’s cybersecurity risks to the Audit Committee. As part of this oversight, the Audit Committee reviews the Company’s cybersecurity program periodically, and at least annually. The Company’s CDDATO and CISO update the Audit Committee periodically, and at least annually, and the full Board as needed, on the Company’s cybersecurity program, including particular cybersecurity threats, incidents and new developments in the Company’s risk profile. The CISO is a member of the Company’s Disclosure Committee, and the CPO advises the Disclosure Committee on cybersecurity matters on an as-needed basis.
Company Information
| Field | Value |
| --- | --- |
| Name | CVS HEALTH Corp |
| CIK | 0000064803 |
| SIC Description | Retail-Drug Stores and Proprietary Stores |
| Ticker | CVS - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 30 |