CLOVER HEALTH INVESTMENTS, CORP. /DE 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

CLOVER HEALTH INVESTMENTS, CORP. /DE reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 08:08:29 EST.

Filings

10-K filed on 2026-02-27

CLOVER HEALTH INVESTMENTS, CORP. /DE filed a 10-K at 2026-02-27 08:08:29 EST
Accession Number: 0001801170-26-000057

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Cybersecurity Risk Management, Strategy, and Governance The Company's Board of Directors (the "Board") oversees the Company's enterprise risk management program, including risks related to cybersecurity. The Board has delegated primary oversight of cybersecurity risk management to its Audit Committee. The Audit Committee regularly reviews the adequacy and effectiveness of the Company's cybersecurity program, including policies, internal controls, and risk management processes related to information security and data protection. The Audit Committee and the full Board receive periodic reports from management, including the Company's Chief Information Security Officer (the "CISO"), regarding the Company's cybersecurity posture, risk assessment activities, emerging threat landscape, and mitigation efforts. These reports address, among other topics, artificial intelligence-related security considerations, security awareness and training, internal and third-party risk management, incident response and disaster recovery readiness, identity and access management, HIPAA Security Rule compliance, phishing and social engineering risks, security monitoring, vulnerability and application security management, governance and policy maturity, data protection, and cloud security. Management's Role in Cybersecurity Risk Management The Company's CISO is responsible for the design, implementation, and ongoing management of the Company's cybersecurity program , including security policies, standards, incident response, and remediation activities, in accordance with applicable legal and regulatory requirements. The cybersecurity program is designed to identify, assess, manage, and mitigate risks to the confidentiality, integrity, and availability of the Company's information systems and sensitive data. The cybersecurity organization is supported by personnel with experience across healthcare, technology, and regulated industries and is informed by internal monitoring, independent assessments, audits, threat intelligence, and security tooling. Cybersecurity risks and incidents are identified through a combination of automated monitoring systems, risk assessments, internal reporting mechanisms, and external intelligence sources. 54 The Company has implemented an automated, AI-assisted compliance and evidence management capability designed to support continuous monitoring, control validation, and documentation in connection with internal controls, regulatory compliance, and audit readiness. These capabilities are intended to enhance efficiency and visibility into control performance; however, they are subject to inherent limitations and operate under ongoing human oversight. Artificial Intelligence-Related Security Considerations The Company increasingly utilizes artificial intelligence-enabled technologies within its operations and also evaluates risks associated with the use of AI by third-party vendors and service providers . AI-related security and governance risks are considered as part of the Company's broader cybersecurity and enterprise risk management processes. These considerations include, among other factors, risks related to data integrity, model governance, access controls, third-party dependencies, and the potential misuse of AI-enabled systems. The Company's approach to identifying and managing AI-related security risks is informed by recognized industry frameworks, including the NIST Artificial Intelligence Risk Management Framework, as appropriate to the Company's use of AI-enabled technologies. The Company's use of automated and AI-assisted tools within its cybersecurity and compliance functions is intended to enhance monitoring, risk identification, and control validation; however, such technologies are subject to inherent limitations and require ongoing human oversight. The Company continues to evaluate its AI-related risk management practices as technologies, threat vectors, and regulatory expectations evolve. Risk Escalation and Reporting Cybersecurity risks and incidents are evaluated through a formal risk management process and escalated as appropriate based on severity, potential impact, and materiality considerations. Depending on the circumstances, cybersecurity matters may be elevated from the CISO to senior management, the Audit Committee, and the Board through established reporting channels, including risk assessments, incident reports, and quarterly updates. Fraud, Waste, and Abuse Monitoring In addition, the Company began implementing a cybersecurity monitoring program, operated by the Company's cybersecurity organization, in coordination with the Company's other fraud, waste, and abuse and compliance functions. As implementation progresses, the program is intended to evaluate provider, member, and vendor activity for indicators of potential credential exposure or misuse. The program is designed to strengthen detection capabilities, reduce financial and compliance risk, and support the integrity of Company systems and data. Subsidiary-Specific Oversight The Company has established dedicated cybersecurity resources for Counterpart Health, a subsidiary of Clover Health, to ensure that cybersecurity risk management practices are aligned with enterprise standards while addressing subsidiary-specific operational and clinical considerations.

Company Information