Progyny, Inc. - (PGNY)
10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY
At Progyny, cybersecurity risk management is an integral part of our broader risk management system and processes. Our cybersecurity risk management program incorporates industry-standard frameworks, policies and practices designed to protect the security of our technology infrastructure and sensitive information.
Our cybersecurity risk management program provides a framework for handling cybersecurity threats and incidents, including receiving notification of threats and incidents associated with the use of services provided by business associates. This framework includes steps for assessing the severity of a cybersecurity threat, identifying the source of a cybersecurity threat including whether the cybersecurity threat is associated with a third-party service provider and implementing cybersecurity countermeasures and mitigation strategies. In addition, it provides steps for our cybersecurity team to report to management and our Board of Directors on information security and cybersecurity matters including material cybersecurity threats and incidents.
We have established and test our disaster recovery plan and we protect against business interruption by backing up our major systems. Our cybersecurity team engages third-party security experts for risk assessment and system enhancements, including a third-party security consultant that conducts regular network security reviews, scans and audits. In addition, we maintain various preventive measures, such as protections designed to safeguard against cyberattacks, including employee training, multifactor authentication, firewalls and virus detection software, periodic scans of our environment for any vulnerabilities and penetration testing.
Our Board of Directors has overall oversight responsibility for our risk management, and delegates cybersecurity risk management oversight to the Audit Committee. The Audit Committee is responsible for ensuring that management has processes in place designed to identify and evaluate cybersecurity risks to which we are exposed and implement processes and programs to manage cybersecurity risks and mitigate cybersecurity incidents. The Audit Committee also reports material cybersecurity risks to our full Board of Directors. Management is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation measures and maintaining cybersecurity programs. Our cybersecurity programs are under the direction of our Chief Information Security Officer who receives reports from our cybersecurity team and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents. Our Chief Information Security Officer and dedicated personnel are experienced information systems security professionals and information security managers with many years of experience. Management, including our Chief Information Security Officer and cybersecurity team, regularly update the Audit Committee on our cybersecurity programs, material cybersecurity risks and mitigation strategies and provide cybersecurity reports annually that cover, among other topics, third-party assessments of our cybersecurity programs, developments in cybersecurity and updates to our cybersecurity programs and mitigation strategies.
In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see “Risk Factors – If our information technology systems, or those of our provider clinics, specialty pharmacies or other vendors lag, fail or suffer security breaches, we may incur a material disruption of our services or suffer a loss or inappropriate disclosure of confidential information, which could materially impact our business and the results of operations” in this annual report on Form 10-K.