eHealth, Inc. - (EHTH)
10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
At eHealth, information security is everyone’s responsibility, and we value the trust our customers and business partners place in us to protect their sensitive information. We have established policies and processes for assessing, identifying, and managing risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes.
We are subject to various federal and state privacy and security laws, regulations, and requirements. These laws govern the collection, use, disclosure, protection, and maintenance of the individually identifiable information that we collect from consumers. We regularly assess our compliance with privacy and security requirements and conduct periodic risk assessments to identify cybersecurity threats, as well as assessments in the event of a material change in our business practices that may affect information systems that are vulnerable to such cybersecurity threats.
Early on, we identified information security as a salient risk as described in Part I, Item 1A, Risk Factors, of this Annual Report on Form 10-K. We maintain data privacy and security through a robust program of safeguards, including responsible management, appropriate use, and protection that is designed to address applicable legal and regulatory requirements. Furthermore, all employees are required to complete annual privacy and security training.
Our security policies and procedures are reviewed and updated regularly to address regulatory, industry, and contractual requirements and recommendations and address new and emerging security threats. We also conduct regular scans of our technical infrastructure and regular penetration audits to check for vulnerabilities and meet our governance and compliance requirements. Training our employees and contractors is crucial to eHealth’s governance and compliance requirements. All employees and contractors with access to an eHealth IT system are required to complete security awareness training during onboarding and annually thereafter. Due to the increased inherent risk associated with these roles, developers and privileged users are subject to additional security training requirements.
Every person with access to eHealth IT systems is required to undergo periodic phishing simulations and receives personalized tools to improve their security behavior. Performance is measured both individually and by functional groups to manage the maturity and improvement of eHealth’s overall security posture. Employees must also acknowledge receipt and understanding of their responsibility to comply with eHealth’s Code of Business Conduct, including the eHealth Information Security and Acceptable Use Policies, during onboarding and annually thereafter.
Despite our rigorous efforts, incidents may occur, and we are prepared to deal with them through our formal Incident Response Plan. Events such as human errors, computer viruses or other malicious code, unauthorized access, cyber-attacks, or phishing attempts concern all organizations. Our Incident Response Team is trained to contain incidents, mitigate impacts, resolve or remediate issues, and notify affected parties as appropriate. The team is made up of key security, privacy, and legal professionals who work with eHealth Technology and Business Teams and our managed security services.
Additionally, eHealth has engaged a guided cyber crisis response platform and conducted a mock cyber-attack exercise to build crisis management experience for our senior leadership and cybersecurity teams. We believe this voluntary skill building exercise put our teams in a better position to manage a potential cybersecurity crisis.
Our comprehensive data security strategy includes:
• Regular critical security assessments such as advanced attack simulations and vulnerability scans.
• A System Development Life Cycle (SDLC) framework to assess applications and related infrastructure before implementation to ensure our security standards are met.
• Use of a Role Based Access Control (RBAC) methodology, which defines the access a user receives to eHealth’s information systems based on job function.
• Requirements that third-party vendors that host, transmit, or have access to eHealth data comply with our policies and undergo reviews.
• Monitoring of security event data and the security industry to flag anomalies and be aware of potential threats.
• Dedicated domestic and international liaisons who help ensure that business and functional area employees have easy access to experts for guidance and assistance mitigating privacy and information protection risks.
• Encryption of customer data both in transit and at rest.
• A broad spectrum of technical controls, including data loss prevention, role-based access, application/desktop logging, and data encryption, as well as multi-factor authentication and enhanced web application firewall controls.
We, like any technology company, have experienced cybersecurity incidents in the past. However, as of the date of this Annual Report on Form 10-K, we have not experienced any cybersecurity incidents which have been determined to be material. For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our company, including our business, operating results and financial condition, please refer to Part I, Item 1A, Risk Factors, in this Annual Report on Form 10-K.
Governance
eHealth’s Board of Directors oversees our enterprise risk management process, including cybersecurity, information security, governance, risk management, and compliance programs and strategies. The Board is responsible for monitoring and assessing strategic risk exposure, and our senior leadership team is responsible for the day-to-day management of the risks that we face. The Board administers its cybersecurity risk oversight both directly and through its Audit Committee. The Audit Committee is regularly briefed on issues affecting eHealth’s risk profile. These briefings are designed to provide visibility into the identification, assessment, and management of critical risks, audit findings, and management’s risk mitigation strategies. Management briefs the Audit Committee periodically about eHealth’s protection programs, focusing on current trends in the threat environment, incident preparedness, business continuity management, program governance, and program components, including updates on security processes, external testing, and employee training and awareness initiatives.
eHealth maintains an Office of the Chief Information Security Officer (“CISO”); our CISO reports to our Chief Digital Officer (“CDO”). Our CISO focuses on information and systems technology, corporate governance, and behaviors to drive security best practices and safeguard information from unauthorized or inappropriate access, use, or disclosure. eHealth also has a Privacy Officer who advises the company on privacy-related laws and regulations, provides guidance on privacy compliance, drives privacy policy, and creates and oversees the privacy program.
Our CISO is informed about and monitors prevention, detection, mitigation, and remediation efforts through regular communication and reporting from professionals in our information security team, through the use of technological tools and software, and through the results of third-party audits. Our CISO and CDO have extensive experience assessing and managing cybersecurity programs and risks. Our CISO has served in that position since 2019 and, before eHealth, was the Chief Information Security Officer and Vice President of IT at Castlight Health, where he led the company’s overall security program. Before that, our CISO was the Chief Information Security Officer and Director of Global Infrastructure Operations at Ooyala, with similar responsibilities during a period of rapid growth. His security experience also includes a 21-year career in the U.S. Navy, where he served as a Cryptologic Officer. Our CDO joined eHealth in 2023 and was previously Chief Product Officer at M1 Finance, responsible for defining the company’s product vision, strategy, and roadmap to drive growth and profitability. Prior to M1 Finance, our CDO was the Chief Product Officer at Roofstock, Head of Product at LifeLock (acquired by Symantec), and Sr. Director and Head of Product, D3 Incubation Unit, at Capital One. Our CISO reports directly to the Audit Committee of the Board of Directors on our cybersecurity program and on efforts to prevent, detect, mitigate, and remediate issues at least once annually, or more frequently as determined to be necessary or advisable. In addition, we have an escalation process in place to inform senior management and the Board of Directors when it is appropriate under the circumstances.