Page last updated on February 24, 2026
Option Care Health, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-24 16:02:20 EST.
Filings
10-K filed on 2026-02-24
Option Care Health, Inc. filed a 10-K at 2026-02-24 16:02:20 EST
Accession Number: 0001014739-26-000008
Item 1C. Cybersecurity.

Risk Management and Strategy

We have developed and implemented a cybersecurity framework designed to identify, detect, protect, respond to and recover from risks stemming from threats to the security of our information, systems and network using a governance-led risk-based approach. The framework is informed, in part, by the National Institute of Standards and Technology (NIST) Cybersecurity Framework, although this does not necessarily mean that we meet all technical standards, specifications or requirements outlined in the NIST framework. Additionally, we maintain a Systems and Organization Controls (SOC) 2 Type 2 attestation.

Our goal is to maintain an information technology infrastructure that implements physical, administrative, and technical controls and is supplemented by a strong culture of security across the organization. These controls are adjusted based on risk and designed to protect the confidentiality, integrity, and availability of our information systems, including the customer information, personal information, and proprietary information stored on our networks.

We have a cybersecurity incident response plan and dedicated teams to respond to cybersecurity incidents. When a cybersecurity incident occurs, we have cross-functional teams that are responsible for leading the initial assessment of priority and severity. Our information security team assists in taking remedial action in response to an incident, and external experts may also be engaged as appropriate.

Our overarching approach to cybersecurity risk management centers on governance, people, processes, and technology. We provide security awareness training to help employees understand their role in protecting our information. This includes mandatory annual cybersecurity training and monthly phishing simulations. We also perform periodic internal tabletops or simulation exercises involving technical experts, business and functional leaders, as well as separate exercises with select critical third-party service providers.

We conduct third-party assessments of potential new vendors who process, store or transmit our data. This includes a formal security review which may consist of review of documentation related to a vendor's security attestations, such as SOC 2 Type 2 or HITRUST certifications.

We leverage third-party auditing companies to assess our cybersecurity program and procedures and reaffirm our NIST CSF Maturity level, our compliance with SOC 2 standards as well as the HIPAA Security Rule. These assessments aid in continual improvement of our program and help us identify and address cybersecurity related risks.

We also consider cybersecurity, along with our other top risks, within our enterprise risk management framework. This framework involves internal reporting at the business and enterprise levels, considering key risk indicators, trends and countermeasures. Our Senior Vice President, Chief Information Security Officer (CISO) serves on the Enterprise Risk Committee that assesses our enterprise-wide risks and oversees risk mitigation activities.

We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us or our results of operations, cash flow or financial condition. However, the scope and impact of any future incident, or the identification of new information related to prior cybersecurity incidents, cannot be predicted. See "Item 1A. Risk Factors" for more information about our cybersecurity-related risks.

Governance

The Quality, Technology and Compliance Committee ("QTCC") of our Board of Directors provides board-level oversight of cybersecurity risk. As part of its oversight role, the QTCC receives reports about our practices, programs, or notable threats or incidents related to cybersecurity throughout the year, including through periodic updates from our CISO and other leaders. The QTCC provides regular reports to the full Board about these matters and other areas within its responsibility, and the CISO and other leaders provide updates regarding cybersecurity matters to the full Board as appropriate.

Our CISO reports to our Chief Information Officer and leads our overall cybersecurity function. Our CISO has over 20 years of experience in various security roles, which include managing information security, developing cybersecurity strategy, and implementing cybersecurity programs. Our CISO collaborates with senior leaders and other members of our organization to identify and analyze cybersecurity risks and implement controls as appropriate and feasible to mitigate these risks. The CISO also supervises efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents through various means, including by collaborating with internal and external stakeholders.

Our CISO is supported by a management-led Security Council, which consists of our Chief Executive Officer, Chief Financial Officer and other senior leaders throughout our organization. The Security Council reviews and discusses our cybersecurity program as well as emerging cyber risks, threats, and industry trends, among other topics.
Company Information
| Name | Option Care Health, Inc. |
| CIK | 0001014739 |
| SIC Description | Services-Home Health Care Services |
| Ticker | OPCH - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |