BrightSpring Health Services, Inc. - (BTSG)
10-K Filing Date: March 06, 2024
Risk Management and Strategy
We recognize the importance of identifying, assessing, and managing material risks associated with cybersecurity threats, which include, among other things, operational risks, intellectual property theft, fraud, extortion, harm to employees or patients, and violation of data privacy or security laws. We incorporate cybersecurity practices into our Enterprise Risk Management (ERM) approach, which is subject to oversight by our Board of Directors. Our cybersecurity policies and practices are aligned with relevant industry standards and are designed to detect, prevent, contain, and respond to cybersecurity threats and incidents in a prompt and effective manner.
Our cybersecurity risk management program is informed by prevailing security standards and is designed to provide a framework for evaluating and responding to cybersecurity risks. This includes processes for assessing the severity of a cybersecurity threat, identifying the source of a cybersecurity threat, implementing cybersecurity countermeasures and mitigation strategies, and informing and updating management and, as needed, the Audit Committee and our Board of Directors of cybersecurity incidents that may pose a significant risk for the business. Security events and data incidents are evaluated, ranked by severity, and prioritized for response and remediation. Incidents are evaluated to determine materiality, as well as operational and business impact, and reviewed for privacy impact.
We deploy technical safeguards that are designed to protect our information systems, products, operations and sensitive information from cybersecurity threats. These include firewalls, intrusion prevention and detection systems, disaster recovery capabilities, malware and ransomware prevention, access controls, and data protection. We provide periodic training for all personnel regarding cybersecurity threats, with such training appropriate to the roles, responsibilities and access of the relevant Company personnel. Our policies require all workers to report any real or suspected cybersecurity events.
Recognizing the complexity and evolving nature of cybersecurity threats, incidents and risks, we engage third-party experts, including cybersecurity consultants, to evaluate and support our risk management systems. We also rely on software support from third-party vendors to assist with evaluating, monitoring, and testing our information technology systems. These relationships enable us to leverage specialized knowledge and insights, to help ensure our cybersecurity strategies and processes remain effective. Our collaboration with these third parties includes regular audits, routine system monitoring, threat assessments, and consultation on potential security enhancements. We require third-party service providers with access to personal, confidential, or proprietary information to implement and maintain comprehensive cybersecurity practices consistent with applicable legal standards and industry best practices.
As of the date of this Annual Report on Form 10-K, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. For further discussion of the risks associated with cybersecurity incidents, as well as a description of an event that occurred in March 2023, see “Risk Factors—Risks Related to Our Business—Security breaches, loss of data, and other disruptions could compromise sensitive business or patient information, cause a loss of confidential patient data, employee data, personal information, or prevent access to critical information, and expose us to liability, litigation, and federal and state governmental inquiries and damage our reputation and brand.”
Governance
Our Board of Directors has overall oversight responsibility for our risk management, and delegates information security and related risk management oversight to the Audit Committee. The Audit Committee receives regular briefings on cybersecurity risks and risk management practices, including, for example, recent developments in the external cybersecurity threat landscape, evolving standards, vulnerability assessments, third-party and independent reviews, technological trends, as well as how management is addressing or mitigating those risks. The Audit Committee may also promptly receive information regarding any material cybersecurity incident that may occur, including any ongoing updates regarding the same. The Audit Committee periodically discusses our approach to cybersecurity risk management with our Chief Digital & Technology Officer (CDTO).
Our CDTO is a member of our executive management team who is principally responsible for overseeing our cybersecurity risk management program, in partnership with other business leaders across the Company. Our CDTO has over twenty years of extensive experience in information technology and security, and works in coordination with other members of the management team, including, among others, the Chief Financial Officer, the Chief Compliance Officer and the Chief Legal Officer and their designees. We believe our business leaders have the appropriate expertise, background and depth of experience to manage risks arising from cybersecurity threats.
Our CDTO, along with leaders from our privacy and corporate compliance functions, collaborates to implement a program designed to manage our exposure to cybersecurity risks and to promptly respond to cybersecurity incidents. Prompt response to incidents is delivered by multi-disciplinary teams in accordance with our incident response plan. Through ongoing communications with these teams during incidents, the CDTO monitors the triage, mitigation and remediation of cybersecurity incidents, and reports such incidents to executive management, the Audit Committee and other colleagues in accordance with our cybersecurity policies and procedures, as is appropriate.