Addus HomeCare Corp - (ADUS)

10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

We recognize that cybersecurity threats pose a risk to our business. As part of the Company’s overall risk management systems and processes, we employ a risk management framework designed with the goals of identifying, assessing and managing material risks from cybersecurity threats. Key aspects of this risk management framework include, but are not limited to:

Maintaining a cybersecurity incident response plan, coordinated by the Company’s IT department and Chief Information Security Officer, which includes controls and procedures for identifying, reporting and responding to cybersecurity incidents;
Partnering with outside cybersecurity vendors periodically to gain an independent view of our cybersecurity and information security program;
Providing our employees with regular training on cybersecurity and the protection of our information systems;
Maintaining and testing a business continuity and disaster recovery program;
Using database activity monitoring, encryption, secure file transfer protocols and application firewalls; and
Maintaining insurance coverage intended to address cybersecurity and data breach risks.

We have also implemented processes to help identify, assess and manage cybersecurity risks associated with our use of third-party service providers.

We do not believe that risks from cybersecurity threats of which we are currently aware, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. For additional information, see “A cyber-attack or security breach could cause a loss of confidential consumer data, give rise to remediation and other expenses, expose us to liability under HIPAA, consumer protection laws, common law and other legal theories, subject us to litigation and federal and state governmental inquiries, damage our reputation, adversely impact our financial results, and otherwise be disruptive to our business.” included in Part I, Item 1A of this Form 10-K.

Governance

Our cybersecurity risk management program is integrated into our overall risk management system and processes. Together with the Board’s standing committees, the Company’s Board of Directors is responsible for ensuring that material risks, including material cybersecurity risks, are identified and managed appropriately. The Board receives updates at least bi-annually from our Chief Information Officer concerning our information security and cyber risk strategy, cyber defense initiatives, cyber event preparedness and cybersecurity risk assessments. The Chief Information Officer has extensive IT and program management experience and works closely with our Chief Information Security Officer, who oversees our cybersecurity program on a day-to-day basis. The Chief Information Security Officer has extensive cybersecurity experience, including more than 15 years working in senior IT infrastructure and IT security roles in the healthcare sector (seven of those years as the Chief Information Security Officer). Our cybersecurity incident response plan provides that the Chief Information Security Officer will work with our IT Department and the impacted segment of our business to investigate and respond to any identified incident (including by escalating the incident to the Company’s senior management and the Board depending on the nature and scope).