CLOVER HEALTH INVESTMENTS, CORP. /DE - (CLOV)
10-K Filing Date: March 14, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
Due to the sensitivity of the personal information, including protected health information, or PHI, that the Company and its subsidiaries store and transmit, in the ordinary course of business, identifying, assessing, and managing material cybersecurity risks is an important component of the Company’s overall cybersecurity and enterprise risk management program.
We maintain a cybersecurity program based on the National Institute of Standards and Technology Cybersecurity Framework’s guidance and HIPAA, which applies to the Company and each of its subsidiaries. The cybersecurity program seeks to protect the enterprise against threats from cybersecurity risks, to comply with applicable laws and regulations, and to establish and enhance our processes for responding to cybersecurity events.
Among other things, the program includes the following components:
• security event monitoring and detection;
• extended detection and response;
• vulnerability scanning;
• security awareness and privacy training for personnel;
• phishing simulations; and
• a cybersecurity incident response team.
The Company also engages third-party vendors and consultants, respectively, to perform audits and penetration tests.
The Company and its subsidiaries’ third-party service providers collect, process, and store certain information, including PII, PHI, or other confidential and proprietary information. We maintain a third-party vendor security risk management program to assess the cybersecurity risk and measures taken by such service providers. The program includes a dedicated third-party risk assessor, security risk reports, and formal business owner risk response.
During the period covered by this report, the Company has not identified any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. Risks from cybersecurity threats, however, in the future may, among other things, cause material disruptions to our or our subsidiaries’ operations, which may materially affect our liquidity, results of operations and financial condition, as well as damage our reputation. For additional information related to risks from cybersecurity threats, please refer to Item 1.A. — “Risks Related to Our Business and Industry — Our failure to protect our sites, networks, and systems against security breaches, or otherwise to protect our confidential or health information or the confidential or health information of our beneficiaries, providers, or other third parties, would damage our reputation and brand, and substantially harm our business and results of operations.”
Governance
The Company’s Board of Directors (the “Board”) oversees the Company’s overall risk management program and has assigned oversight of cybersecurity risk management to its Audit Committee. The Audit Committee reviews the adequacy and effectiveness of the Company’s cybersecurity policies and internal controls regarding information and cybersecurity, and, together with the full Board, regularly receives reports from our and our subsidiaries’ management, including our Chief Information Security Officer (the “CISO”), on cybersecurity matters, including, but not limited to: Security Awareness, Internal Risk, Third-Party Risk, IR / DR Readiness, Access Control IAM/PAM, HIPAA Security Rule Compliance, Phishing, Security Monitoring, Vulnerability Management, Application Security, Governance, Data Security, and Cloud Security.
The Company’s CISO is responsible for developing and managing the cybersecurity program, including security incident response, remediation, and setting the security policy and standards required by applicable law or regulation. The CISO holds a dual-accredited Executive MBA and the Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), and Certified Data Privacy Solutions Engineer (CDPSE) certifications. The security team holds multiple certifications, including but not limited to CISSP, CRISC, CCSFP, and AWS CP; includes a bug bounty hall of fame member; and brings a range of experience from different firms. The CISO is informed by the cybersecurity team about the prevention, detection, mitigation, and remediation of cybersecurity incidents through general communications and reporting. The cybersecurity team is made aware of security risks and incidents by various means, including our SIEM, assessments, audits, threat feeds, and the security team’s professional connections and network.
Depending on the circumstances, information regarding cybersecurity risks and incidents may be elevated from the CISO and his team through a variety of channels, including risk response forms as part of our formal security risk process, discussions with the Audit Committee, and quarterly reports to the Board.