Talkspace, Inc. - (TALK)
10-K Filing Date: March 13, 2024
Risk Management and Strategy
Talkspace recognizes the importance of assessing, identifying, and managing material risks associated with cybersecurity threats as a vital component to the success of our business. We have established policies and processes for assessing, identifying, and managing the material risk from cybersecurity threats which may include, among other things, operational risks; fraud; extortion; harm to our business, employees or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks.
We routinely assess material risks from cybersecurity threats, which include unauthorized access to our information systems that may result in adverse effects on the confidentiality, integrity, or availability of such systems or any information residing therein. Our process for identifying and assessing material risks from cybersecurity threats operates alongside our broader overall risk assessment process, covering all company risks. For additional information regarding risks from cybersecurity threats, please refer to Item 1A, “Risk Factors,” in this annual report on Form 10-K.
We also have a cybersecurity specific risk assessment process, which helps identify residual risk from cybersecurity threats. We have adopted the HITRUST CSF Assurance Program for Cloud assessment to inform this risk assessment process. Our risk assessments include the identification of reasonably foreseeable internal and external information security and cybersecurity risks, the likelihood that such events may occur and the impact or potential damage that could result from such risks. The assessments examine the adequacy of our policies, procedures, systems, and the safeguards in place to manage and mitigate the identified risks. The impact of these assessments is the refinement of existing safeguards and the implementation of new safeguards to improve our cybersecurity protections; reasonably address any identified gaps in existing safeguards; and ensure that we regularly monitor the effectiveness of those safeguards.
As part of the above processes, we engage a third party to review our information security program and related cybersecurity safeguards to help identify areas for continued focus, improvement, and/or compliance. Along with these third parties, we ensure that the appropriate personnel collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their impact and potential mitigations. We have implemented the following activities (among others) to mitigate risk:
Our incident response plan, as effected by management, coordinates the activities we take to prepare for, detect, contain, eradicate, and recover from cybersecurity incidents as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. The incident response plan also outlines the appropriate communication flow and response for certain categories of potential cybersecurity incidents. The Chief Technology Officer escalates material events, including to the Chief Executive Officer and Board.
We require all employees to participate in cybersecurity awareness, privacy, and security training annually and provide system-wide mechanisms to report potential threats. In addition, we use a third-party phishing awareness vendor to increase employee awareness of cybersecurity threats.
Our processes also address cybersecurity threat risks associated with our use of third-party service providers. Third-party risks are included within our broader overall risk assessment process, as well as our cybersecurity-specific risk identification program. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers and we continually monitor cybersecurity threat risks identified through such diligence.
There can be no guarantee that our policies and procedures will be effective. Although our risk factors include further detail about the material cybersecurity risks we face and how a cybersecurity incident may affect our business strategy, results of operations or financial condition, we believe that risks from prior cybersecurity threats, including as a result of any previous cybersecurity incident, have not materially affected our business to date. We can provide no assurances that there will not be incidents in the future or that they will not materially affect us, including our business strategy, results of operations or financial condition. See “Item 1A. Risk Factors” for further information about these risks.
Cybersecurity Governance
Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board and management. Our Audit Committee is responsible for the oversight of risks from cybersecurity threats. At least quarterly, and more frequently as relevant, the Audit Committee receives an overview from management covering topics such as security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks.
Members of the Audit Committee are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news and discuss any updates to our cybersecurity risk management and strategy programs. Material cybersecurity risks are also considered during separate Board meeting discussions of important matters like risk management, business continuity planning, and other relevant matters. Management or the Audit Committee will provide a comprehensive update to the Board on cybersecurity threats and risk mitigation generally at least annually, and more frequently as relevant.
The Company’s information security and cybersecurity program is managed by our Chief Information Security Officer (CISO) and our Chief Technology Officer (CTO). The CISO and the Senior Director of Information Security are responsible for our overall network security and for assessing and managing cybersecurity risks and threats. The CISO has over 20 years of information security, privacy, auditing and compliance experience and holds numerous certifications. The Senior Director of Information Security has over 15 years of experience in information security and holds numerous certifications. The CTO has over 20 years of experience and has been a leader of our Company’s information systems and technological advancements for the past nine (9) years. The SVP of Engineering has over 20 years of experience in IT and has specialized knowledge in systems and network infrastructure. The Director of SRE and Security has eight (8) years of experience and has principal responsibility for our network operations and system administration.
These members of management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above.