R1 RCM Inc. /DE - (RCM)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

Our Cybersecurity Program (“Program”) is designed from a risk- and compliance-based approach to achieve systemwide resilience and protection across our operations and to ensure the appropriate acquisition, access, use, and/or disclosure of PHI, PII, and payment card information (“PCI”). Our Program employs the National Institute of Standards and Technology (NIST) cybersecurity framework and strategy to deliver clear and proactive processes, multi-layered defenses, and relevant technologies that are designed to control, audit, monitor, and protect access to sensitive information. In concert with our Program, the Company’s Enterprise Risk Management program builds resiliency in our operations to support continuous delivery of services and considers cybersecurity risks alongside other company risks.

Our Program includes the following elements: (i) internet and perimeter security; (ii) endpoint and email security; (iii) threat intelligence, monitoring and management; (iv) data security for PHI, PII, and PCI; (v) personal accountability, which includes comprehensive training for our employees and third-party contractors (including onboarding and annual training), exercises (including advanced phishing exercises), and awareness for our employees to promote vigilance of cybersecurity risks and opportunities; (vi) access management; (vii) application and cloud security; and (viii) compliance audits and assessments, which include routine technical and non-technical audits and assessments internally and in collaboration with independent third parties at least annually.

As a company managing the use and disclosure of PHI and PII, our Program incorporates annual independent System and Organization Controls 2 (SOC 2) Type 2 audits that are conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants, which provide an independent evaluation of the design and operating effectiveness of our controls. We also annually undergo independent HIPAA Security Rule risk assessments of our administrative, physical, and technical safeguards for protecting the confidentiality, integrity, and availability of data; independent attestations of compliance with the Payment Card Industry Data Security Standard (PCI-DSS); and Health Information Trust Alliance (HITRUST) certification. In addition, external assessors periodically evaluate our safeguards against multiple frameworks, including NIST.

The R1 Security Program Policy delineates responsibilities and initiatives to maintain our comprehensive Program. It includes frequent reviews and development of our security policies and standards, monitoring to detect potential threats or disruptions, testing of protocols to verify the effectiveness of our defense systems, and training for our workforce. Our teams continuously and proactively monitor our information systems for potential risks, threats, and disruptions, including at our U.S.-based third-party data centers. Through the use of our rapid response and incident management processes, which include our IT incident management and IT disaster recovery processes, we assess potential incidents and determine a course of action. This may involve risk mitigation, resolution plan development, and process improvements.

In parallel with our Code of Integrity, we have created and posted publicly, and incorporate into vendor contracting, our Third-Party Code of Conduct for our contractors, subcontractors, and other vendors and suppliers, which holds R1’s third parties to the same applicable data and privacy standards as R1. We request Attestations of Compliance and execute HIPAA-compliant Business Associate Agreements in these contexts as appropriate.

In 2023, we did not identify risks from cybersecurity threats that have materially affected or are currently reasonably likely to materially affect our business strategy, results of operations, or financial condition. While prior incidents have not had a material impact on us, future incidents could have a material impact on our business, operations, and reputation. See Part I, Item 1A “Risk Factors—Risks Related to Our Cybersecurity and Technology” for more information.
Governance

The Board, as a whole and through its committees, has responsibility for the oversight of risk management, including cybersecurity. The Board has delegated primary oversight of risk to the Compliance & Risk Management Committee, which partners with our Audit Committee to oversee risks related to the prevention, timely detection, and mitigation of the effects of cybersecurity threats or incidents on us. The Audit Committee monitors our Program, including as it relates to financial and reporting systems and controls. The Information Security Team, described below, communicates quarterly with the Audit and/or Compliance & Risk Management Committees to keep them informed about the state of our Program, current and evolving threats, compliance with regulations, and other strategic initiatives. Both committees regularly brief the entire Board on cybersecurity matters discussed during committee meetings.

Our Information Security Team is responsible for the oversight and operation of our Program. Our Chief Information Security Officer oversees our Information Security Team and works in close collaboration with our Chief Technology Officer, Chief Compliance Officer, General Counsel, and Chief Privacy Officer. This group works hand in hand with our Privacy Team in the protection of data. The Privacy Team is a team of senior leaders that identifies and addresses issues related to the use and disclosure of data. The Information Security Team, on the other hand, controls our security standards and operating procedures. In particular, they and their teams provide guidance and support to each of our business segments, coordinate internal reviews, including those conducted by our internal auditors, and monitor and evaluate the security assessments from our internal and external parties.

Cecil Pineda is our Chief Information Security Officer. Mr. Pineda has nearly 20 years of experience in the cybersecurity industry, having held senior IT security-related roles at nationally recognized companies and organizations. Mr. Pineda holds a degree in Electronics and Communications Engineering. He reports directly to Brian Gambs, our Chief Technology Officer. Mr. Gambs is an experienced leader with over two decades of expertise in managing cybersecurity risk for HIPAA-regulated entities, including payers and providers, and an extensive background in technology leadership for a publicly traded healthcare and financial services company. The other members of our Information Security Team have substantial cybersecurity experience, including cybersecurity incident response, mitigation and remediation; information security program design; and regulatory compliance.
