Alphatec Holdings, Inc. - (ATEC)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

We recognize the need to maintain the security and confidentiality of personal information, protected health information, and other confidential data that we collect and use in connection with our business, and the importance of assessing, identifying, and managing various cybersecurity risks that may impact our business. We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity risk management program includes a cybersecurity incident response plan.

We design and assess our program based on various cybersecurity frameworks, most prominently the Health Information Trust Alliance (“HITRUST”) Common Security Framework, and Service Organization Controls (“SOC”) 2, developed by the American Institute of CPAs. In 2023, our cybersecurity systems and services issued a SOC 2 Type 1 report for the design of our security processes. We use this cybersecurity framework and information security controls as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our cybersecurity program includes annual review and assessment by external, independent third parties, who certify and report on these programs.

As part of our enterprise risk management process, we assess the various cybersecurity risks that may impact our business and implement plans and initiatives that are intended to mitigate those risks.

Our information security program includes: (i) risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, software, and services; (ii) an information security team principally responsible for managing our (1) information security risk assessment processes, (2) security controls, and (3) response to cybersecurity incidents; (iii) risk assessments and security tests, conducted internally and by external security and risk audit providers, as appropriate; (iv) new-hire and annual cybersecurity awareness training of our employees; (v) a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and (vi) third-party risk assessment procedures to review material third-party vendors and applications for information security.

We have not identified any risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.

Cybersecurity Governance

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight over our information security and technology risks, including our information security, cybersecurity and related risk management programs. The Audit Committee oversees management’s implementation of our information security program and receives periodic reports from management on our material cybersecurity risks. Additionally, management updates the Audit Committee, as necessary, regarding material cybersecurity incidents. The full Board receives quarterly updates from management on our information security program.

Our management team, including our IT management team, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. To support data security, we have established an integrated risk management framework with practices that are derived from industry standards, including ISO 27001, HITRUST Common Security Framework (CSF) 11.2 certification, the NIST Cybersecurity Framework, and data privacy regulations, including HIPAA and the General Data Protection Regulation. The data security controls from these standards and regulations are evaluated for our risk management framework based on the needs of our business and our clients, the nature of our industry, and applicable regulations.

Our management team oversees efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel, threat intelligence and other information obtained from governmental, public, or private sources, including external consultants engaged by us, and alerts and reports produced by security tools deployed in the information technology environment.