Surgery Partners, Inc. - (SGRY)

10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity
The following sets forth information regarding our cybersecurity strategy, risk management program and approach to governance as it relates to cybersecurity risks. For additional information on the impact of cybersecurity risks on our business, please refer to Part I, Item 1A. Risk Factors, of this Form 10-K, under the heading "Cybersecurity and Data Risks."
Cybersecurity Risk Management and Strategy
Management has responsibility for developing and coordinating the Company’s cybersecurity policy and strategy, and for managing the prevention, detection, mitigation and remediation of cybersecurity incidents. We utilize various risk assessment tools and technologies to identify potential cyber and information security threats and risks as well as engage with various third parties to assist in program development, risk evaluation and testing. For example, we have implemented a third-party risk assessment process for certain service providers, suppliers, and vendors, which is conducted during the procurement cycle. Critical vendors are assessed on an annual basis. In addition, all team members are required to participate in ongoing training and awareness programs that include periodic assessments to drive adoption and awareness of cybersecurity processes and controls.
We promote a company-wide culture of cybersecurity risk management intended to protect the confidentiality, integrity, and availability of our critical systems and the information contained therein. As part of our cybersecurity risk management strategy, our corporate information technology team collaborates cross-functionally with key business leaders within privacy, compliance, finance and operations, among others, to identify, assess, and manage cybersecurity risks relevant to our business. The cybersecurity and privacy governance committee, which comprises our executive and regional leadership teams and is led by the Chief Information Security Officer (CISO) and Privacy Officer, meets on a quarterly basis. This governance committee assists in discussing existing or emerging threats, prioritizing roadmap items and/or budgetary considerations for project work.
No risks from cybersecurity threats or previous cybersecurity incidents have materially affected, or are reasonably likely to materially affect, our business strategy, financial condition or results of operations. However, there can be no assurance that the controls and procedures in place to monitor and mitigate the risks of cyber threats will be successful or sufficient to avoid material losses or consequences in the future. Additionally, while we have insurance coverage in place that is designed to address certain aspects of cyber risks, such insurance coverage may be insufficient to cover all insured losses or all types of claims that may arise.
Cybersecurity Governance
Management is responsible for the day-to-day handling of risks facing our Company. Our Board of Directors, as a whole and through its committees, oversees risk management, including cybersecurity risks. The Board has delegated risk management responsibilities with respect to cybersecurity to our Audit Committee. Specifically, the Audit Committee periodically reviews our cybersecurity policies, data security programs and plans that management has established to monitor compliance and assess preparedness. Our cybersecurity team is led by our CISO, who has over 20 years of experience in the cybersecurity space and is a Certified Information Security Manager (CISM). On an annual basis, at minimum, our CISO or Chief Information Officer (CIO) presents necessary updates on our cybersecurity risks and any material cybersecurity incidents. These updates include the following: (i) current cybersecurity threats, (ii) an overview of third-party risks, (iii) our cybersecurity roadmap, (iv) the maturity of our cybersecurity programs and/or (v) ongoing regulatory compliance.