Page last updated on February 20, 2026
ACCENDRA HEALTH INC/VA/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-20 16:19:33 EST.
Filings
10-K filed on 2026-02-20
Accession Number: 0001104659-26-018169
Item 1C. Cybersecurity.
Risk Management and Strategy

Our cybersecurity risk management processes are integrated within our enterprise risk management framework. We conduct periodic cybersecurity risk assessments to identify, evaluate and prioritize threats and vulnerabilities across our information technology environment and business operations. These assessments consider the evolving threat landscape, vulnerabilities in our systems and those of our third-party service providers and potential impacts to our business. Identified risks are evaluated based on likelihood and potential business impact, and we implement controls and mitigation measures aligned with business priorities.

We model our cybersecurity program to align with the practices and standards referenced within the National Institute of Standards and Technology cybersecurity framework. Our information security program is integrated within our larger enterprise risk management program and includes, but is not limited to:

- Following the methodology of Identify, Protect, Detect, Respond, and Recover;
- Mandatory annual cybersecurity awareness training for all teammates accessing our network;
- Monthly Company-wide phishing prevention and awareness exercises;
- Identification and remediation of information security risks and vulnerabilities in our information technology systems, including regular scanning of both internal and externally facing systems and annual third-party penetration testing;
- Implementation of security technologies intended to identify and assist in containing and remediating malware risks;
- Active monitoring of logs and events for our network perimeter and internal systems;
- Due diligence of information security maintained by third-party vendors that handle our data;
- Partnering with the Cybersecurity and Infrastructure Security Agency (CISA), DHS, and the Federal Bureau of Investigation, to leverage their provided sensitive or confidential threat intel and with CISA for weekly vulnerability scans of our key public-facing servers;
- Maintaining a cyber insurance policy that provides coverage for security breach recovery and response; and
- Engagement of third-party consultants to assess the health of our cybersecurity program.

We maintain a Cybersecurity Incident Response Plan (CIRP) to assist in promptly responding to, resolving and recovering from cybersecurity incidents. The CIRP includes guidelines for assessing, identifying, managing, reporting and remediating cyber incidents, including protocols for disclosure of material breaches with the SEC. Following a cybersecurity incident, we consult external subject matter experts, including legal counsel, to reduce the risk of further compromise to our information and to ensure proper reporting and documentation. Material cybersecurity incidents are escalated to our disclosure committee and senior management for materiality assessment, and the Audit Committee is informed promptly of material cybersecurity incidents in the event that they arise.

For more information see Item 1A. "Risk Factors" for the Risk Factor entitled "Our operations depend on the proper functioning of information systems, and our business or results of operations could be adversely affected if we experience a cyberattack or other systems breach or failure."

Governance

Our Cybersecurity program is managed by our Chief Information Security Officer (CISO). Our CISO works collaboratively with senior management, including the Chief Financial Officer, General Counsel, and other business leaders. The CISO has eighteen years of experience in cybersecurity. The CISO is responsible for developing and managing the overall strategy, leading the response to cybersecurity incidents and reporting to the Board. Our policies require teammates, contractors, service providers and suppliers who become aware of a cybersecurity incident to immediately report it to their supervisor or the CISO through the appropriate reporting channels.

In the event of a cybersecurity incident, in addition to the standing members, teammates would be selected to serve on the Cybersecurity Incident Response Team (CIRT) based on the facts and circumstances of the particular cybersecurity incident. Additionally, our outside legal counsel is held on retainer to assist with our response to cybersecurity incidents.

The Audit Committee of the Board has primary responsibility for oversight of our cybersecurity risk management program. The Audit Committee receives updates from management at least quarterly, or more frequently as appropriate, on our cybersecurity program including the threat environment, program initiatives and investments, cyber insurance coverage, significant incidents or risks, and key metrics.

To date, we have not experienced any cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, our business strategy, results of operations, or financial condition.
Company Information
| Name | ACCENDRA HEALTH INC/VA/ |
| CIK | 0000075252 |
| SIC Description | Wholesale-Medical, Dental & Hospital Equipment & Supplies |
| Ticker | ACH - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |