JOINT Corp - (JYNT)

10-K Filing Date: March 08, 2024
ITEM 1C. CYBERSECURITY
Our Chief Technology Officer (“CTO”) is responsible for cybersecurity within our company, including information technology risks, controls, strategies and procedures. The Cybersecurity Subcommittee of the Board of Directors oversees cybersecurity for our company and meets with the CTO at least quarterly to discuss the status of cybersecurity efforts as well as any security incidents. Cybersecurity Subcommittee materials are provided to the Audit Committee as well as the full Board of Directors. The Board of Directors believes that a strong cyber strategy based on industry accepted best practices is vital to protect our business, customers and assets.

A dedicated team of technology professionals works throughout the year to monitor all matters of risk relating to cybersecurity. We have begun our certification process for the globally recognized International Organization for Standardization certification for Information Security Management Systems (ISO 27001) that we expect to achieve by the second quarter of 2024. Additionally, we operate and are compliant under the following provisions: HIPAA attestation for the HIPAA Security Rule and the Health Information Technology for Economic and Clinical Health Act (HITECH) Breach Notification requirements.


Vendors that have access to our information are required to manage such information in accordance with applicable laws and appropriate privacy and security standards. Standards are applied on a per-contract basis and include requirements to maintain an information security program and to report to us any incidents in which their confidential information or systems are compromised. Depending on the nature of a vendor's access to our information, we monitor and evaluate the controls and governance established with the vendor on a cadence ranging from continuous to at least quarterly.

We annually assess our cybersecurity programs against third-party requirements, including HIPAA and the Sarbanes-Oxley Act (SOX). We test multiple aspects of cybersecurity regularly, including annual penetration testing of our proprietary information systems. We have historically tested our technical recovery and incident response procedures annually and, beginning in 2024, will test them semi-annually.

We maintain a robust privacy compliance program. Employees receive periodic email communications that train them to detect and report malware, ransomware and other malicious software, as well as social engineering attempts that may compromise our information technology systems. In the first quarter of 2024, we will be implementing a best-in-class security awareness training system and a quarterly training program for all employees.

Currently, we rely on an established major incident management and communication process to address any potential cybersecurity incidents. This established process includes the use of third-party partnerships to make available the distinct skill sets needed to assist in properly responding to any cybersecurity threat. We are in the process of establishing defined response procedures to effectively address any cyber threat that may occur, regardless of the safeguards in place that minimize the chance of a successful cyberattack. The response procedures will be designed to identify, analyze, contain and remediate such cyber incidents expeditiously. These procedures and our approach to safeguarding our information and assets will be continuously monitored by management and updated to evolve with the current cyber landscape, in alignment with the ISO 27001 standard mentioned above.