Hinge Health, Inc. 10-K Cybersecurity GRC - 2026-03-03

Page last updated on March 3, 2026

Hinge Health, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-03 16:11:33 EST.

Filings

10-K filed on 2026-03-03

Hinge Health, Inc. filed a 10-K at 2026-03-03 16:11:33 EST
Accession Number: 0001628280-26-013808


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

The nature of our business as a digital clinic, including the collection and processing of sensitive personal health information, makes us susceptible to cybersecurity attacks. To address this, we work to integrate security into every aspect of our business and maintain a cybersecurity risk management program with safeguards, certifications, policies and controls designed to protect our systems from cyber threats. Our cybersecurity risk management program is designed to protect the confidentiality, integrity, and availability of our critical systems and information.

We design and assess our cybersecurity risk management program based on the National Institute of Standards and Technology Cybersecurity Framework ("NIST CSF") 2.0, applicable privacy and data security laws, and regulations, including HIPAA and applicable state health privacy laws, and remain informed by industry standards and industry-recognized practices. In addition, our cyber security program is regularly evaluated by external auditors and we are currently SOC 2 Type 2, Health Information Trust Alliance Common Security Framework ("HITRUST CSF"), and ISO/IEC 27001:2022 certified.

Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels, and governance processes that apply across our enterprise risk management program.
Our cybersecurity risk management program includes:

- risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;
- a dedicated security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
- the use of external advisors and service providers, such as third-party penetration testing firms, bug bounty programs, or auditors, to advise on, assess, test, or otherwise assist with aspects of our security controls;
- cybersecurity awareness training of our employees, incident response personnel, and senior management, including onboarding sessions and annual refresher training to address evolving threats;
- a cybersecurity incident response plan that follows recognized frameworks (e.g., NIST CSF 2.0), outlines procedures for investigating and resolving incidents, and is supported by automated tools for threat triage and resolution; and
- a third-party risk management process for service providers, suppliers, and vendors incorporating evaluations such as SOC 2 reports, HITRUST certifications, annual reviews, security questionnaires, and business associate agreement compliance to ensure risks are understood and addressed.

While we have not identified risks from known cybersecurity incidents, including as a result of any prior cybersecurity incidents, that have materially affected us, we face risks from cybersecurity threats that, if realized, are reasonably likely to materially impact us, including our business, operations, results of operations, or financial condition.
For additional information about these risks, see the risk factor titled - "We depend on our information technology systems, and those of our third-party vendors, contractors, and consultants, and any failure or significant disruptions of these systems, security breaches, or loss of data could expose us to liability or materially adversely affect our business, results of operations, and financial condition".

Cybersecurity Governance

Our board of directors considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity, data privacy, and other information technology risks. The Audit Committee oversees management's implementation of our cybersecurity risk management program.

The Audit Committee receives quarterly reports from management on our cybersecurity risks, including threat landscape updates and the status of key security initiatives. In addition, management updates the Audit Committee, as necessary, regarding any material cybersecurity incidents, as well as regarding any incidents with lesser impact potential and regarding overall trends in the cybersecurity risks we face. The Audit Committee reports to our board of directors regarding its activities, including those related to cybersecurity. The full board of directors also receives quarterly briefings from management on our cyber risk management program. Board members receive presentations on cybersecurity topics from our Chief Information Security Officer ("CISO"), internal security staff, or external experts as part of the board of directors' continuing education on topics that impact public companies.

Our CISO, Hassan Asghar, has over twenty years of experience in information security, engineering, and other technology-related roles, including experience in healthcare and other highly regulated industries. Mr. Asghar oversees our Enterprise Security and IT teams, which is responsible for assessing and managing our material risks from cybersecurity threats.

Our Enterprise Security team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our Enterprise Security team supervises efforts to prevent, detect, mitigate, remediate, and appropriately report cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public, or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.


Company Information

Name: Hinge Health, Inc.
CIK: 0001673743
SIC Description: Services-Computer Processing & Data Preparation
Ticker: HNGE - NYSE
Website
Category
Emerging growth company
Fiscal Year End: December 31