Cue Health Inc. - (HLTH)

10-K Filing Date: March 13, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. We routinely assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein.

We conduct periodic risk assessments to identify cybersecurity threats, as well as assessments in the event of a material change in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks.

Following these risk assessments, we evaluate whether, and if so, how, to re-design, implement, and maintain reasonable safeguards to minimize identified risks; work to reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards. We devote significant resources and designate high-level personnel, including our Chief Technology Officer (CTO), who reports to our Chief Executive Officer, to manage the risk assessment and mitigation process.

As part of our overall risk management system, we monitor and test our safeguards and train our employees on these safeguards, in collaboration with human resources, IT, and management. Personnel at all levels and departments are made aware of our cybersecurity policies through trainings.

We engage independent third-party auditors to validate our risk management program. Third-party experts assist us in designing and implementing our cybersecurity policies and procedures, as well as in monitoring and testing our safeguards. We require each third-party service provider to certify that it has the ability to implement and maintain appropriate security measures, consistent with all applicable laws, to implement and maintain reasonable security measures in connection with their work with us, and to promptly report any suspected breach of its security measures that may affect our company.

Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity related risks, see Item 1A Risk Factors of this Annual Report on Form 10-K, including the risk factor entitled “Risks Related to Our Business and Strategy —Security breaches and incidents, loss of data, and other disruptions could compromise sensitive information related to our business, or information of our customers, users of our products, healthcare stakeholders or others, or prevent us or our customers, users of our products, healthcare providers, healthcare payors or others from accessing critical information, all of which could result in a material adverse effect, including without limitation, a material operational or service interruption, harm to our reputation, significant fines, penalties and liability, breach or triggering of Data Protection Laws, Privacy Policies and Data Protection Obligations, loss of customers or sales, or customers curtailing or ceasing their use of our services.”

Governance

One of the key functions of our board of directors is informed oversight of our risk management process, including risks from cybersecurity threats. Our board of directors is responsible for monitoring and assessing strategic risk exposure, and our executive officers are responsible for the day-to-day management of the material risks we face. Our board of directors administers its cybersecurity risk oversight function directly as a whole, as well as through its audit committee.

Our CTO oversees a dedicated Vice President, Information Security and Privacy, and the CTO’s team is primarily responsible for assessing and managing our material risks from cybersecurity threats. The CTO oversees our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above.

The CTO provides periodic reports to our board of directors through its audit committee, as well as our Chief Executive Officer and other members of our senior management as appropriate. These reports include updates on our cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging threat landscape. Our program is regularly evaluated by internal and external experts with the results of those reviews reported to senior management, including the CTO, and the board of directors through its audit committee.

The audit committee has oversight responsibility for risks and incidents relating to cybersecurity threats, including compliance with disclosure requirements, cooperation with law enforcement, and related effects on financial and other risks, and it reports any findings and recommendations, as appropriate, to the full board of directors for consideration. Senior management regularly discusses cyber risks and trends and, should they arise, any material incidents with the audit committee.