Aveanna Healthcare Holdings, Inc. - (AVAH)

10-K Filing Date: March 14, 2024
Item 1C. Cybersecurity.

Governance

Management’s Role Managing Risk

Aveanna’s cybersecurity program and related policies are managed by a dedicated Assistant Vice President (“AVP”) of Cybersecurity who reports to our Chief Information Officer (“CIO”). The AVP of Cybersecurity and his team are responsible for assessing, identifying and managing enterprise-wide cybersecurity needs. The AVP of Cybersecurity and his team monitor breach attempts and other cyber-related incidents, both directed at the Company and those impacting other industry participants, to identify new and emerging risks to be added to our Vulnerability Management Framework, which is discussed below.

The AVP of Cybersecurity works directly with the CIO to create and maintain cyber policies, standards, and processes that support the Company’s overall strategy and the current cyber environment. We believe our cybersecurity program and policies are aligned with industry standards and best practices, such as the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. The AVP of Cybersecurity and CIO are experienced technology and cybersecurity professionals, with over 10 and 20 years of experience in information security and technology, respectively. The AVP of Cybersecurity leads periodic meetings of our chartered Cybersecurity Steering Committee, which cover key cyber threats, policy changes, and project updates. The Cybersecurity Steering Committee includes our CIO, other executive-level leaders, and key members of management. Further, the Cybersecurity Steering Committee engages an external expert to prepare a formalized evaluation on the design of, and adherence to, the Company's current cybersecurity policies.

Board of Directors Oversight

The Audit Committee of the Board of Directors is tasked with providing oversight related to cybersecurity topics. At least quarterly, the Audit Committee receives a report of any cybersecurity incidents and other key monitoring metrics from a representative of the Cybersecurity Steering Committee. For each incident, the Audit Committee is briefed on the nature of the incident, points of vulnerability, scope of the incident, and the Company's response. The Audit Committee will then communicate cyber-related issues with the Board as needed. Our Board is currently reviewing our existing cybersecurity program and related policies, including, among other things, the Board’s role within our cybersecurity risk management infrastructure.

Risk Management and Strategy

Our cybersecurity management process is based on an internally developed Intelligence Policy and a Vulnerability Management Framework. Cybersecurity risk management is currently independent of enterprise risk management. Our Vulnerability Management Framework addresses discovery, risk rating, remediation timeliness required per risk, and obligations on reoccurring third-party security products. Risks that fall outside the required remediation timeline are documented on the risk register, which is discussed during periodic Cybersecurity Steering Committee meetings.

We have in place a Security and Privacy Incident Response Plan that specifies incident classifications, reporting requirements, and which person must respond to such incidents. In most cases, cybersecurity management is handled by employees of the Company as described above, though if an incident does occur, external counsel and experts related to impacted systems or data may be engaged to supplement the Company's response.

Existing third-party relationships are monitored on a risk-by-risk basis via the Vulnerability Management Framework. Before entering into new third-party provider agreements, third-party providers and related services are subject to scrutinization and a review from the AVP of Cybersecurity’s team.

We are constantly evolving our cybersecurity strategy and responses for new and emerging threats. As of the date of this Annual Report on Form 10-K, we have not encountered risks from cybersecurity threats with respect to our information systems that have materially affected, or are reasonably likely to materially affect, our business strategy, results of operations or financial position. For more information about the cybersecurity risks we face, see the risk factor entitled “Failure to maintain the security and functionality of our information systems, or to defend against or otherwise prevent a cybersecurity attack or breach, could adversely affect our business, financial position, results of operations and liquidity” described under “Risk Factors” contained in Item 1A of this Annual Report on Form 10-K.

 
