U S PHYSICAL THERAPY INC /NV - (USPH)

10-K Filing Date: February 29, 2024
ITEM 1C.
CYBERSECURITY

RISK MANAGEMENT AND STRATEGY

The Company recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our patients’ health information and all our data.

Managing Material Risks & Integrated Overall Risk Management
 
The Company has strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. Cybersecurity considerations are an integral part of our decision-making processes where communication, data and access are involved. Our information technology (“IT”) department works closely with our operations teams to continuously evaluate and address cybersecurity risks in alignment with our business and operational objectives. Our Chief Information Systems Officer (“CISO”) and IT teams play an important role in assessing the cybersecurity infrastructure employed within our acquired practices to ensure that necessary security enhancements are employed in a timely manner. The Company provides annual cybersecurity awareness training to its employees to mitigate risks by educating employees regarding best practices to avoid cybersecurity-related breaches.

Engage Third-parties on Risk Management

Understanding the ever-changing and complex nature of cybersecurity threats, our organization values collaboration with external experts, including cybersecurity consultants, for advisory purposes. These collaborations are aimed at enhancing our understanding and management of cybersecurity risks. Through such engagements, we seek to gain insights and recommendations on improving our risk management frameworks and responses to potential cybersecurity incidents.

This approach allows us to benefit from specialized expertise, helping ensure that our cybersecurity strategies and processes are informed by current industry insights. While these collaborations are not mandated, they are encouraged as part of our commitment to maintaining a vigilant and adaptive cybersecurity posture in line with evolving best practices.

Oversee Third-party Risk
 
Aware of the potential risks posed by third-party service providers, our Company takes steps to perform security-related diligence on such providers. This diligence process aims to understand and evaluate the security measures and practices of our third-party partners. Our approach includes reviewing available information and seeking insights into their security and data management practices. This method is part of our broader strategy to mitigate the risks associated with data breaches or other security incidents that may arise from third-party engagements.
 
Risks from Cybersecurity Threats
 
We have not encountered cybersecurity challenges that have materially impaired our operations or financial standing. While we have experienced cybersecurity incidents within several of our partnership subsidiaries over the years, these incidents have not been material, as each incident (i) has been isolated to certain segregated IT environments, (ii) has affected relatively few patients and their associated health information, and/or (iii) had a low probability of compromised data. Each of the foregoing cybersecurity incidents has been remediated in the ordinary course of business. However, we could experience a cybersecurity incident that materially affects us in the future. See “Risk Factors” in Item 1A on this Form 10-K for additional discussion of cybersecurity risks to our business.

Governance
 
The Board of Directors recognizes the significance of cybersecurity threats to the Company’s operational integrity, data security and stakeholders. The Board of Directors is acutely aware of the critical nature of managing risks associated with cybersecurity threats and sees this as a major priority for the company. The Board has established oversight mechanisms to ensure effective governance in managing risks associated with cybersecurity threats.

Board of Directors Oversight
 
The Compliance Committee is central to the Board’s oversight of cybersecurity risks and bears the primary responsibility for this domain. The Compliance Committee is composed of board members with diverse expertise, including risk management, technology, health care operations, and finance, equipping them to oversee cybersecurity risks effectively. In addition, each of the directors on the Compliance Committee has completed the Diligent Cyber Risk and Strategy Certification Program, developed by Diligent Corporation, a leading corporate governance technology company, which teaches cyber literacy for corporate directors to effectively govern significant enterprise-wide cyber risks and have meaningful conversations with management.

Management’s Role Managing Risk
 
The CISO plays a pivotal role in informing the Compliance Committee on cybersecurity risks. The CISO, in concert with the Chief Compliance Officer and General Counsel, provides comprehensive briefings to the Compliance Committee on a regular basis. These briefings encompass a broad range of topics, including:


Current cybersecurity landscape and emerging threats;

Status of ongoing cybersecurity initiatives and strategies;

Incident reports and learnings from any cybersecurity events; and

Compliance with regulatory requirements and industry standards.

In addition to our scheduled meetings, the Compliance Committee and management maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. The Compliance Committee actively participates in strategic decisions related to cybersecurity. This involvement ensures that cybersecurity considerations are integrated into the Company’s broader strategic objectives.

Risk Management Personnel
 
Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the CISO, Mr. Chadd Pence. With over 25 years of experience in the field of IT and cybersecurity, Mr. Pence brings a wealth of expertise to his role. His background includes experience as an enterprise CISO and his knowledge and experience are instrumental in developing and executing our cybersecurity strategies. Our CISO oversees our cybersecurity efforts and governance programs, tests our compliance with standards, remediates known risks, and provides regular guidance to management and the Board on these areas. In addition, to supplement this expertise, we periodically engage external experts, including cybersecurity consultants, to help us evaluate our risk management related policies and to help us to review and remediate cybersecurity incidents.

Monitor Cybersecurity Incidents
 
The CISO is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The CISO implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of a variety of security measures and system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the CISO is equipped with a well-defined incident response plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents.

Reporting to Board of Directors
 
The CISO, in his capacity, regularly informs our Chief Financial Officer and Chief Executive Officer of all aspects related to cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company. Furthermore, significant cybersecurity matters and strategic risk management decisions are escalated to the Compliance Committee and the full Board of Directors, ensuring that they have comprehensive oversight and can provide guidance on critical cybersecurity issues.
