ATI Physical Therapy, Inc. - (ATIP)
10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity
Cybersecurity remains a high priority for the Company, and we have made investments over the past several years to enhance our cybersecurity program, capabilities, and posture. We utilize a holistic approach to assess, identify, and manage cybersecurity risk including but not limited to the following approaches:
Layered defense and monitoring: we utilize a layered defense approach to help protect the Company’s computer systems, network, and data. This approach is combined with 24x7 monitoring and analysis of security logging and alerting along with incident response processes.
Threat intelligence and industry collaboration: we leverage multiple threat intelligence sources including the health and retail information sharing and analysis centers ("ISACs"), key security vendor partners, and other sources. We also collaborate with other cyber leaders, teams, and vendor partners to discuss leading practices, mitigation strategies to address emerging industry cyber threats, and to share relevant cyber information.
Cybersecurity awareness: we use multiple approaches to help develop a culture of cybersecurity awareness in the Company. This includes annual cybersecurity training within the Company’s annual employee compliance training, cyber-related security bulletins, tips, and communications, and simulated email phishing tests for employees.
External and third-party assessments: we leverage external parties to conduct periodic assessments of the Company’s cybersecurity posture including cybersecurity penetration testing. We also assess the cybersecurity risk of key third-parties and vendors during the vendor evaluation process and as an ongoing monitoring activity.
Integration with enterprise risk management: we utilize an enterprise risk management process which considers cybersecurity risk along with other key risks to the Company. As part of the enterprise risk management process, the Company conducts periodic risk ranking exercises including input from the Board of Directors, the Executive Leadership Team, and other leaders in the Company to evaluate key enterprise risks. The Company’s enterprise risk management process resides within the legal and compliance department, which is led by our Chief Legal Officer ("CLO"), who reports to our Chief Executive Officer ("CEO").
The Company’s cybersecurity function resides within the information technology department, which is led by our Chief Information Officer ("CIO"), who reports to our CEO. The Company’s cybersecurity function is led by our Chief Information Security Officer ("CISO") who reports to the CIO and who also works closely with the Company’s executive leadership team and senior management team. Our CISO has over 20 years of combined experience with cybersecurity and information technology, has been with the Company for more than five years, and has previous experience working with large public and private companies. Our cybersecurity team includes broad experience and expertise in the area of cybersecurity and information technology.
Our CIO and CISO provide information technology and cybersecurity updates to the Company’s Audit Committee which has oversight for enterprise risks including cybersecurity. Our legal and compliance department also provides updates on enterprise risks to the Audit Committee. These information technology, cybersecurity, and enterprise risk updates typically occur four times per year in conjunction with the quarterly board and committee meeting process. Our CISO also provides periodic cybersecurity updates and cybersecurity tabletop practice exercises with the Board of Directors and executive leadership team. A cybersecurity executive debrief is also shared on a quarterly basis with the Company’s executive leadership team, senior management team, senior clinic leaders, the information technology department, and other key leaders.
We are not aware of any cybersecurity incidents that have materially affected or that are reasonably likely to materially affect our business strategy, results of operations, or financial condition. The Company faces risk from future potential cyber-attacks which, if significant, could have a material impact to business strategy, results of operations, financial condition, or reputation. Please see Part I, Item 1A. Risk Factors for additional discussion of Company risks.