MultiPlan Corp - (MPLN)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
MultiPlan’s business is dependent upon our ability to: (1) store, retrieve, process and manage information; (2) maintain and upgrade our data processing and information technology capabilities; and (3) deliver high-quality and uninterrupted access for our customers to our computer systems. Further, much of the data that we store, process and manage is highly sensitive, such as Personal Health Information ("PHI") and individually identifiable information for patients, customers, contractors, employees and other third parties. For these reasons, our cybersecurity program is critical to our business success. Moreover, we understand that we are entrusted with sensitive data and we take our responsibility to protect that data very seriously.
Detailed below are the various components of our cybersecurity program, processes and practices.
Risk Management and Strategy
Our business faces many risks and one of the ways in which we identify, assess, manage and mitigate those risks is through our Enterprise Risk Management ("ERM") program, which is our overall risk management program. Through our ERM program, we oversee, control and drive improvement of MultiPlan's risk management capabilities in a constantly changing operating environment. Given the importance of cybersecurity to our business, cybersecurity risk has been identified as one of the key risk areas in our ERM program. We maintain a cybersecurity risk management program that informs and feeds into our ERM program. This means that cybersecurity risk identification, assessment, management, mitigation and monitoring is part of our overall risk management program. Oversight of the ERM program, including cybersecurity risk, rests with the Risk Committee of our Board (the "Risk Committee"), which receives periodic updates regarding the ERM program from management. However, because of the importance of cybersecurity to our business and the position of cybersecurity as a key risk area, cybersecurity matters are reported to the Risk Committee at least quarterly, with a more in-depth briefing to the Risk Committee as well as a briefing to the full Board occurring at least annually.
Risk Identification
We view the identification of cybersecurity risks as an ongoing and ever-evolving process. As an initial matter, we know we are subject to inherent risks as a result of our business. We discuss these risks above in the section entitled "Risk Factors — Risks Related to Information Technology Systems, Intellectual Property and Cybersecurity", but the two primary inherent cybersecurity risks we face are: (i) a large scale exfiltration or acquisition of the sensitive data and information we use; and (ii) a prolonged disruption to our information technology environment, impacting our ability to deliver value to our customers.
These inherent risks can become realized risks because of actions taken or caused by a variety of sources. Prevalent sources of risk are external, malicious threat actors, whether motivated financially, politically, or otherwise; MultiPlan personnel with or without malicious intent; third-party vendors or business partners or breaches impacting them; and natural disasters or other non-malicious events, such as fire, weather, power loss, telecommunications failures, and other catastrophic events.
Taking into account the inherent risks that face our business as well as the sources from which these inherent risks may become realized, we identify specific vulnerabilities by: (i) monitoring threat intelligence; (ii) evaluating and testing our cybersecurity posture; (iii) conducting audits, assessments of, and exercises with respect to, our cybersecurity practices; and (iv) conducting due diligence of third parties that touch our sensitive data or our information technology environment. We utilize our commercial relationships and third-party partners as necessary and prudent to assist in identifying vulnerabilities, such as private threat intelligence, third-party monitoring, and the facilitation of audits and assessments.
Risk Assessment
As a result of the risk identification process, newly identified risks, vulnerabilities or issues are assessed to determine prioritization and to recommend corrective actions. Risks are assessed based on their perceived likelihood and potential impact to determine prioritization and actions. Likelihood is estimated based on various factors such as internet exposure, exploitability, vulnerability severity, threat intelligence, and the strength of any mitigating controls. Impact is estimated based on various factors such as the assets that could be impacted (e.g., criticality, size, information sensitivity and volume, etc.), the potential resulting effects to the business (e.g., ability to operate, financial losses, etc.), as well as client needs, reputational implications, competitiveness, potential litigation, and regulatory fines.
Risk Management
Once risks are identified and assessed, a risk management plan is determined, based on recommendations from internal and external subject matter experts.
MultiPlan strives to implement a multi-layered set of security controls based on industry standard security controls frameworks and best practices to mitigate relevant cybersecurity risks. The controls include preventive, detective, and corrective controls and are employed via a combination of security personnel, security technologies and associated policies, standards, and processes. MultiPlan has implemented controls in alignment with SOC 1, SOC 2, and HITRUST frameworks, and measures cybersecurity maturity against the NIST Cybersecurity Framework (CSF).
MultiPlan tracks identified risks and control deficiencies in a risk register. Risks and control deficiencies are assigned to a risk owner, and the owner makes risk treatment decisions, such as whether to mitigate or accept the risk. Risk owners are typically senior managers or leaders within the business who have been authorized to make risk decisions. Efforts are made to ensure that the risk owners understand the implications of the risk to help facilitate informed risk decision making. Risk decisions and the status of risk mitigation activities are reported on and reviewed at least quarterly by senior management and the Risk Committee of MultiPlan’s board of directors. For risks that will be mitigated, specific risk treatment actions or corrective action plans are identified and assigned to specific subject matter experts to implement based on the priority determined during the assessment process, with the highest-risk issues and action plans addressed first.
Risks from Cybersecurity Threats
From time to time, including on limited occasions in the past, we have experienced cybersecurity incidents and have been notified by third-party partners of cybersecurity incidents at such partners that affected MultiPlan. However, we have not experienced a cybersecurity threat or incident that has materially affected our business strategies, results of operations or financial condition.
Despite the efforts described above to identify, assess and mitigate cybersecurity vulnerabilities, we may not be able to prevent cybersecurity incidents resulting from the cyber threats we face, including incidents that may materially affect our business strategies, results of operations or financial condition.
We devote significant resources to cybersecurity, both in terms of financial expenditures and the time and effort of our employees. The devotion of these resources impacts our results of operations and financial condition. Further, cybersecurity considerations may impact our business strategies in the future. For example, as we continue to implement artificial intelligence and machine learning in our products and services, the cybersecurity risks that are associated with these technologies will be considered when we determine how and to what extent these technologies are utilized.
Governance
Board of Directors
Our Board of Directors is acutely aware of the importance of cybersecurity to the success of our business and that we have a responsibility to take prudent steps to protect the sensitive data that we maintain. To that end, in 2022, the Board formed the Risk Committee. Primary among the areas of oversight of the Risk Committee is cybersecurity, as evidenced by the fact that the Risk Committee receives a cybersecurity briefing from our Chief Information Security Officer (“CISO”) at each of its regularly scheduled quarterly meetings as well as a more detailed review of our cybersecurity posture annually. The CISO also provides an annual cybersecurity report to the full Board.
The Risk Committee is chaired by Richard A. Clarke, an internationally recognized cybersecurity and security risk management expert, with more than 30 years serving in the U.S. Government. His accomplishments include: first-ever White House Counter-Terrorism Czar and Cyber Czar; elected to the Cyber-Security Hall of Fame; former co-chair of Virginia’s Cybersecurity Commission; former member of the New York Cybersecurity Advisory Board; former member of the Presidential Review Group on Intelligence and Technology; and numerous publications on risk management and cybersecurity, including the New York Times bestsellers Cyber War and Warnings on Terrorism and National Security. Mr. Clarke manages Good Harbor Security Risk Management, a cyber consultancy for major corporations. The Risk Committee is also bolstered by one of its other members, Dr. C. Martin Harris. Given Dr. Harris’ leadership role at the Dell Medical School at the University of Texas at Austin and his former experience as a Chief Information Officer at The Cleveland Clinic Foundation Department of General Internal Medicine, he brings real-world cybersecurity experience in the healthcare context.
The frequent briefings by our CISO to the Risk Committee include, as topics of discussion, relevant threats and security incidents, high risk security issues identified and remediation plans, financial investment in cybersecurity, security ratings, overall program maturity against industry frameworks and recommended best practices, and regulatory updates. From time to time, there are other relevant topics that are reviewed as well, such as artificial intelligence as well as due diligence and integration of acquisitions.
Management
Senior management of MultiPlan believes it has established a culture where cybersecurity risk management is prioritized, the establishment and enforcement of information security strategies, policies, standards, and procedures is supported, and the individuals with responsibility for the same are empowered. Central in this culture is the role of CISO, who is responsible for overseeing, implementing, and operating MultiPlan’s cybersecurity risk management program, as well as assessing and managing the risks from cybersecurity threats. The CISO provides regular reports to senior management.
MultiPlan’s CISO, John Riding, has been with the Company since July 2021. He is a two-time CISO with nearly 20 years of experience in cybersecurity. Prior to joining MultiPlan, he was CISO at a technology company in the financial services industry. He also worked in cybersecurity consulting prior to becoming a CISO, and he has experience in cybersecurity strategy, risk management, security architecture, incident response, digital forensics, and compliance. A team of dedicated cybersecurity staff reports to the CISO and is responsible for information security governance, risk, compliance, architecture, engineering, and operations. Mr. Riding receives regular reports from his information security team regarding in-place controls, improvement efforts, and ongoing events related to the prevention, mitigation, detection, and remediation of cybersecurity incidents. These reports also include the status of threat and vulnerability management efforts, security controls engineering, user awareness training, third-party risk management, security events, detections, investigations, and audit and compliance activities, among others.
Mr. Riding reports to our Chief Information Officer, Michael Kim. Mr. Kim has served as our CIO since late 2013 and has 20 years of experience leading large IT organizations including at major insurance companies such as The Hartford Financial Services Group, Inc. and Torus Insurance Holdings Limited (prior to its acquisition by Enstar Group Limited).
MultiPlan has also established a cybersecurity risk management committee, which meets quarterly. This committee is composed of stakeholders and senior leaders from across the organization, who review the risks and remediation efforts relevant to their areas.