Page last updated on February 10, 2026
MOLINA HEALTHCARE, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-10 16:18:56 EST.
Filings
10-K filed on 2026-02-10
MOLINA HEALTHCARE, INC. filed a 10-K at 2026-02-10 16:18:56 EST
Accession Number: 0001179929-26-000005
Item 1C. Cybersecurity.
CYBERSECURITY RISK MANAGEMENT, GOVERNANCE AND RISK ASSESSMENT
The Company is committed to protecting the confidentiality, integrity, and availability of its information systems and the data they contain from cybersecurity threats. The Company recognizes that cybersecurity is a dynamic and evolving area of risk that requires ongoing assessment, management, and oversight. The Company has established a cybersecurity risk management program (the "Program") that is designed to protect the confidentiality, integrity, and availability of our critical systems and information, including to assess, identify, manage, and mitigate material cybersecurity threats, as well as to respond to and recover from cybersecurity incidents.
CYBERSECURITY RISK MANAGEMENT
We design and assess our Program based on cybersecurity frameworks, such as the National Institute of Standards and Technology Cybersecurity Framework ("NIST CSF"). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST CSF framework as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
The Program is integrated into the Company's overall enterprise risk management system and processes, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.
Key elements of our Program, include but are not limited to the following:
- risk assessments designed to help identify material risks from cybersecurity threats to our critical systems and information;
- a security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
- the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security processes;
- cybersecurity awareness training of our employees, including incident response personnel and senior management;
- a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
- a third-party risk management process for key service providers based on our assessment of their criticality to our operations and respective risk profile.
Control procedures are assessed regularly to confirm their effectiveness. The Company undergoes an annual Service Organization Controls ("SOC") Type 2 attestation report covering the performance of safeguards deployed to protect certain Company systems and applications.
The Company has a designated Chief Information Security Officer (the "CISO"), who is primarily responsible for assessing and managing material risks from cybersecurity threats. The Program is implemented and managed by the Company's executive management under the leadership of the CISO. The Company contracts with third-party service providers to support aspects of the Program implementation, operations, and review of information technology operations and cybersecurity technologies. Additionally, the Company has retained a number of well-established and reputable cybersecurity consultants, including forensics experts, auditors, as well as outside cybersecurity legal counsel to assist with cybersecurity matters as needed from time to time.
The Company has a Computer Incident Response Team ("CIRT") which is responsible for monitoring, preventing, detecting, assisting with the investigation, and responding to cybersecurity threats. The Company has in place an Information Security Incident Response Plan ("IRP") Protocol which provides an operational framework to coordinate the response to any type of cybersecurity incident affecting the Company. The CIRT team informs the CISO of cybersecurity threats consistent with the IRP. The IRP also provides the process and oversight to manage cybersecurity incidents that may arise from a third-party service provider. In addition, the IRP addresses management responsibility with respect to disclosure determinations related to a cybersecurity incident and provides for Audit Committee and Board briefings as appropriate.
The Company's cybersecurity policies and procedures are reviewed by the CISO and updated at least annually. In addition, under the IRP, following the resolution of a cybersecurity incident, the Company will generally consider the effectiveness of the Program and the IRP, make adjustments as appropriate, and report to senior management and the Audit Committee as appropriate on these matters. The cybersecurity policies and procedures are communicated and enforced throughout the Company, as well as with the third-party service providers that have access to the Company's information systems or nonpublic information. Cybersecurity policies and procedures are also subject to periodic review and audits by internal and external parties, such as the internal audit function, external auditors, regulators, or independent assessors. The Company requires employees to undergo cybersecurity-related training, including phishing prevention training, and employees are tested regularly through phishing exercises.
Molina Healthcare, Inc. 2025 Form 10-K | 36
GOVERNANCE
The CISO is primarily responsible for developing, maintaining, and enforcing the Program's policies and procedures, as well as reporting on the Program's performance and material cybersecurity risks to the Audit Committee, and supervising both our internal cybersecurity personnel and our retained external cybersecurity consultants. The CISO has the relevant expertise and authority to carry out the Program's objectives and to coordinate with other key stakeholders within and outside the Company. The CISO's expertise includes decades of information technology and cybersecurity as a subject matter expert, including more than a decade of executive management experience as a CISO for Fortune 500 companies.
The Program and cybersecurity risk is overseen by the Company's Board of Directors and has delegated to its Audit Committee which, pursuant to its charter, assists the Board with oversight of Company privacy, data security, and cybersecurity matters and risks, including implementation of the Program. The Audit Committee meets regularly with the Company's executive management, including the CISO and the Chief Information Officer, and receives regular updates on the status and overall effectiveness of the Program, changes to the Program, relevant information technology operations, any changes in material cybersecurity risks and any significant cybersecurity incidents consistent with the IRP. The Audit Committee also discusses with executive management the steps management has taken to monitor and mitigate privacy, data security, and cybersecurity risk exposures, the Company's information governance policies and programs, and major legislative and regulatory developments that could materially impact the Company's exposure regarding privacy, data security risk, and cybersecurity. The Audit Committee reports to the full Board regarding its activities, including those related to cybersecurity.
The full Board also receives briefings from the Company's executive management on the Program. Board members receive presentations on cybersecurity topics from our CISO or external experts as part of the Board's continuing education on topics that impact public companies.
Our CISO takes steps to stay informed about and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in our IT environment. The Audit Committee and the Board consider cybersecurity as part of the Company's business strategy, financial planning, and capital allocation.
CYBERSECURITY RISK ASSESSMENT
Our CISO is primarily responsible for assessing and managing the Company's material risks from cybersecurity threats. The Company conducts regular risk assessments to identify, evaluate, and prioritize material cybersecurity risks to the Company, including its health plans and state contracts, shared services and IT operations, or business strategy. The risk assessments are informed by various sources of information, such as internal and external audits, vulnerability scans, penetration tests, threat intelligence, incident reports, industry benchmarks, and accepted industry practices. The risk assessments consider the potential impact and likelihood of various cybersecurity threats, such as ransomware, malware, social engineering, third-party incidents, supply chain attacks and insider threats, and contemplates the adequacy of controls to detect, prevent, respond, and recover to reduce the possibility of an adverse material cybersecurity event.
The Company has in place processes to identify material risks from cybersecurity threats associated with its use of third-party service providers and as such, conducts assessments of such third-party service providers with respect to their cybersecurity programs and risks and requires third-party service providers to notify the Company if they experienced a cybersecurity incident. The Company hires experienced security professionals to conduct advanced and realistic cybersecurity attack simulations to verify its Program, and conducts regular cybersecurity tabletop exercises with executive management, which are coordinated by a third-party.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. For a discussion of the Company's cybersecurity-related risks, see Item 1A of this Form 10-K under the heading "Risk Factors-If we or one of our significant vendors sustain a cyber-attack or suffer data privacy or security breaches that disrupt our information systems or operations, or result in the dissemination of sensitive personal or confidential information, we could suffer increased costs, exposure to significant liability, reputational harm, loss of business, and other serious negative consequences."
Company Information
| Name | MOLINA HEALTHCARE, INC. |
| CIK | 0001179929 |
| SIC Description | Hospital & Medical Service Plans |
| Ticker | MOH - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |