DocGo Inc. - (DCGO)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity.

Risk Management and Strategy

In the ordinary course of our business, we digitally collect, use, store and transmit large amounts of confidential, sensitive, proprietary, personal and health-related information. The secure maintenance of this information and of our information technology systems is important to our operations and business strategy, and we consider cybersecurity, along with the other significant risks that we face, within our overall enterprise risk management framework. To this end, we have implemented processes designed to assess, identify and manage risks from potential unauthorized occurrences on or through our information technology systems that may result in adverse effects on the confidentiality, integrity and availability of these systems and the data residing therein.

These processes are managed and monitored by a dedicated information technology team, which is led by our Chief Technology Officer (“CTO”), and include mechanisms, controls, technologies, systems and other processes designed to prevent or mitigate data loss, theft, misuse or other security incidents or vulnerabilities affecting the data, and to maintain a stable information technology environment. For example, we conduct penetration and vulnerability testing, data recovery testing, security audits and ongoing risk assessments, including due diligence on and audits of our key technology vendors and other contractors and suppliers. We also conduct regular employee training on cyber and information security, among other topics. In addition, we consult with outside advisors and experts, when appropriate, to assist with assessing, identifying and managing cybersecurity risks, including anticipating future threats and trends and their impact on the Company’s risk environment. We also rely on information technology and third-party vendors to support our operations, including our secure processing of personal, confidential, sensitive, proprietary and other types of information.

With respect to incident response, we have adopted a Cybersecurity Incident Response Plan (the “IRP”) that applies in the event of a cybersecurity threat or incident and provides a standardized framework for responding to security incidents. The IRP sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. In general, our incident response process follows the National Institute of Standards and Technology framework and focuses on four phases:

preparation and prevention;

detection and analysis;

containment, eradication and recovery; and

post-incident remediation.

The IRP applies to all Company personnel (including third-party contractors, vendors and partners) that perform functions or services that require access to secure Company information, and to all devices and network services that are owned or managed by the Company.

Despite ongoing efforts to continually improve our and our vendors’ ability to protect against cyber incidents, we may not be able to protect all information systems, and such incidents may lead to reputational harm, revenue and client loss, legal actions and statutory penalties, among other consequences. To date, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations or financial condition, and we do not believe that such risks are reasonably likely to have such an effect over the long term. However, there can be no guarantee that we will not be the subject of future successful cybersecurity attacks, threats or incidents that materially affect our business strategy, results of operations or financial condition. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A, “Risk Factors,” under the heading “Risks Related to Information Technology.”

Governance

Our CTO, who reports directly to our Chief Executive Officer, is responsible for assessing and managing cybersecurity risks. Our CTO has gained substantial information technology and cybersecurity knowledge from over 25 years of work experience at the Company and elsewhere. Our CTO receives reports on cybersecurity threats from our dedicated information technology team on an ongoing basis and, in conjunction with management, regularly reviews the risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. Our CTO also works closely with our legal and compliance departments to oversee compliance with legal, regulatory and contractual security requirements.

The Board, as a whole and at the committee level, has oversight for the most significant risks facing us and for our processes to identify, prioritize, assess, manage and mitigate those risks. The Board’s Audit and Compliance Committee, which is comprised solely of independent directors, has been designated by our Board to oversee cybersecurity risks. The Audit and Compliance Committee receives regular updates on cybersecurity and information technology matters and related risk exposures from our CTO, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to our peers and third parties. The Board also receives updates from management and the Audit and Compliance Committee on cybersecurity risks on at least an annual basis. In addition, we have protocols by which certain cybersecurity incidents are escalated within the Company and, where appropriate, reported promptly to the Board and Audit and Compliance Committee.