Alignment Healthcare, Inc. - (ALHC)
10-K Filing Date: February 27, 2024
Risk Management and Strategy
As we are a company that leverages data, technology and analytics to improve health care, we invest in long-term solutions to address current and foreseeable risks and threats to data security and privacy, while also enabling technological development that enhances the member experience. We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data.
We have designed and deployed a comprehensive cybersecurity risk management program that is embedded in our broader risk management framework, all of which is overseen by our Board of Directors. Our program is designed to include ongoing assessment of our critical assets; detection and analysis of potential threats; timely management of identified security risks; and prompt remediation planning and implementation. To operate and monitor our security readiness, we maintain a data security and privacy team with substantial real-world experience in detecting and responding to cybersecurity threats. Our multi-layered security is supported by technologies and partners and includes annual employee and vendor security awareness training, enhanced access control, data loss prevention and vulnerability management, among other technical and process security controls. Our proprietary data architecture, AVA, incorporates strict security controls around member data. Our information security program considers how attackers are using emerging technologies (such as artificial intelligence) to inform our defensive tactics, and our team regularly reviews emerging product technology to improve our capabilities.
In 2021, we received externally validated HITRUST certification, a widely adopted compliance framework in the health care industry. Through our data security and privacy program and policies, we adhere to the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), other federal regulations and best practices within the health care industry. Moreover, our risk analysis methodology is consistent with ISO 27001, the Federal Information Security Management Act (FISMA), National Institute of Standards and Technology (NIST) Special Publication 800-66 and guidance from the Center for Internet Security (CIS).
To date, our protection and security measures have resulted in no security incident-related disruption or downtime to our business. However, there is no guarantee that a future security incident would not materially affect our business strategy, results of operations or financial condition. See “Risk Factors” beginning on page 27 of this Form 10-K.
Engagement of Third Parties
Our information security program is under ongoing third-party review as part of Sarbanes-Oxley compliance and the HITRUST certification process, including independent third-party penetration testing of all information technology assets at least annually and assessment of our exposure to ransomware. Multiple industry-standard third-party tools are used to detect vulnerabilities. Alignment is a member of the Health Information Sharing and Analysis Center (Health-ISAC), the health sector's member-driven threat intelligence sharing organization, and is affiliated with the FBI InfraGard program, both of which provide actionable intelligence regarding health care security and privacy threats and countermeasures. We continuously monitor Health-ISAC reporting to anticipate and respond to potential threats.
Management of Third-Party Cyber-Risk
We rely on third-party vendors to provide supplemental benefits to our members and for a variety of other key business functions. Accordingly, our vendor onboarding process includes a comprehensive security assessment. Moreover, at least quarterly, we assess the risks from cybersecurity threats relating to each of our member-facing and other key third-party service providers with whom we share protected health information, personal identifying information and confidential information. We generally require our suppliers to adopt security-control principles based on industry-recognized standards and we seek audit rights over their security protocols.
Cybersecurity Governance
As a component of its general oversight of key risks to our business, our Board of Directors has established oversight mechanisms designed to ensure effective governance of risks associated with cybersecurity threats. As a technology-enabled Medicare Advantage platform, we have selected directors with backgrounds in technology and expertise in data privacy and cybersecurity, which we view as important elements of our risk management strategy.
Our Audit Committee is responsible for the direct oversight of risks from cybersecurity threats. Members of the Audit Committee receive updates on at least a quarterly basis from senior management, including leaders from our information security, compliance and legal teams, regarding matters of cybersecurity. Reports by management to the Audit Committee include existing and new cybersecurity risks, status updates on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and status of key information security initiatives. The Audit Committee’s involvement is intended to integrate cybersecurity considerations into the Company’s broader strategic objectives. The Audit Committee conducts an annual review of the Company’s cybersecurity posture and the effectiveness of its risk management strategies; this review helps identify areas for improvement and keeps cybersecurity efforts aligned with the overall risk management framework. As needed, this framework also includes consultations with our enterprise risk management committee, led by our Chief Compliance and Privacy Officer.
Alignment’s cybersecurity organization is led by David MacLeod, our Chief Information Security Officer, who is responsible for the prevention, detection, mitigation, and remediation of cybersecurity incidents and reports to Robert Scavo, our Chief Information Officer, as well as to the Audit Committee. Mr. MacLeod has served as our CISO since December 2022, has over 25 years of diverse leadership experience in the healthcare information space (including over 20 years as a Certified Information Systems Security Professional (CISSP) and chief information security officer) and holds advanced degrees in information technology management and computer science.
The CISO stays informed about the latest developments in cybersecurity, including potential threats and emerging risk management techniques. The CISO implements and oversees processes for the regular monitoring of our information systems, including the deployment of security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the CISO executes a documented incident response plan that includes immediate actions to mitigate the impact and longer-term measures for remediation and prevention of future incidents.