Performant Financial Corp - (PFMT)
10-K Filing Date: March 13, 2024
ITEM 1C. Cybersecurity
We are committed to maintaining robust oversight and governance of potential cybersecurity risks and to implementing processes and controls that help us identify, assess, manage, and mitigate such risks. To date, we have not experienced a cybersecurity threat or incident that has resulted in a material adverse impact to our business or operations. However, we cannot guarantee that we will not experience such a threat or incident in the future, given the increasing sophistication of those responsible for cybersecurity incidents. While we seek to detect and investigate unauthorized attempts and attacks against our network and to prevent their occurrence where practicable through our internal processes and tools, we remain potentially vulnerable to known or unknown threats. In some instances, we can be unaware of a threat or incident or its magnitude and effects. Further, there is increasing regulation regarding responses to cybersecurity incidents, including reporting to regulators, which could subject us to additional liability and reputational harm. See "Item 1A. Risk Factors" for more information on our cybersecurity risks.
We aim to incorporate and align with industry best practices throughout our cybersecurity program. Our cybersecurity strategy focuses on implementing effective and efficient controls, technologies and other processes to identify, assess, manage, and mitigate material cybersecurity risks. These include, among other things, having mechanisms in place to detect and monitor unusual network activity, utilizing vulnerability assessment scans and tools, and conducting external and internal penetration tests and security assessments. We engage a third-party expert to assist with numerous aspects of our cybersecurity program, including vulnerability assessment scans, penetration tests and security assessments. Additionally, from time to time, our internal audit function reviews and assesses various aspects of our cybersecurity program. We also engage in threat intelligence monitoring, including monitoring the dark web and zero-day vulnerability and attack information, and have processes in place to assess the potential cybersecurity impact or risk of any identified threats on our company, including potential impacts on our business partners and other parties with whom we share information. We actively engage with industry groups for peer benchmarking purposes and to stay current on best practices. We rely heavily on vendors and other third-party service providers in the conduct of our business operations, and a cybersecurity incident at a vendor or other third-party service provider could have a material and adverse impact on our business, results of operations and financial condition. We have further processes in place to assess the cybersecurity risks associated with our vendors and other third-party service providers, and we require such providers to take appropriate precautions to protect our data and to notify us promptly in the event of any known or suspected data breach or cyber incident.
Our cybersecurity program is integrated into our broader approach to risk management, and ultimate oversight for the program sits with our Board of Directors. The Board of Directors is aided by its Audit Committee, which regularly reviews our cybersecurity program with management and reports to the Board of Directors. Review of cybersecurity risks and internal audits regarding information security are conducted by the Audit Committee on a quarterly basis, or more frequently as determined to be necessary or advisable.
Our VP Information Security Officer (VPISO) runs our cybersecurity program. Our VPISO, who holds numerous cybersecurity and related certifications, including Certified Information Systems Security Professional, reports to our Chief Financial Officer (CFO). Our VPISO and CFO have extensive experience assessing and managing cybersecurity programs and cybersecurity risk. They regularly report directly to the Audit Committee or the Board of Directors on our cybersecurity program and our efforts to identify, assess, manage, and mitigate cybersecurity incidents. In addition, we have an escalation process in place to inform senior management and the Board of Directors of any material issues as they arise.