HEALTHSTREAM INC - (HSTM)

10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity


Cybersecurity Risk Management Program


The Company’s cybersecurity risk management program is designed to employ industry best practices, including ongoing enhancement of governance, risk, and compliance management, regular updates to our response planning and protocols, security policy and standards maintenance, and new technology implementation to proactively monitor vulnerabilities and reduce risk, including processes designed to identify material cybersecurity risks associated with our use of third-party service providers. This program includes the engagement of consulting firms and other third parties.


A key component of our cybersecurity risk management program is our incident response policy, which provides for evaluation, response, and reporting procedures in connection with a cybersecurity incident. Under this policy, we have established an incident response team (IRT), a multi-disciplinary management-level team led by the Company’s Chief Technology Officer (CTO) and comprised of the Company’s Chief Executive Officer (CEO), General Counsel/Compliance Officer, Chief Financial Officer, and EVP, Corporate Strategy. The policy provides that the IRT will conduct an initial assessment in the event of a cybersecurity incident meeting certain criteria elevated for the review of the IRT. In such event, the policy provides that the IRT will assess whether a cybersecurity incident has the potential to materially impact the Company and whether public disclosure is required or advisable in connection therewith, and further provides that, if appropriate, any such cybersecurity incident may be further elevated for the review of senior management, the Audit Committee and/or the Board of Directors.


The Company maintains cyber liability insurance to help mitigate potential liabilities resulting from cybersecurity matters. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. We do not believe that any risks we have identified to date, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, despite our security measures, there is no assurance that we or the third parties with which we interact have not identified or experienced, or will not experience, a cybersecurity incident in the future that will materially affect us. For additional information regarding the risks to us associated with cybersecurity incidents, see “A data breach or cybersecurity incident could result in a loss of confidential data, give rise to remediation and other expenses, expose us to liability under federal and state data protection and data privacy requirements, foreign data privacy regulations, consumer protection laws, common law theories, and other laws, rules and regulations, subject us to litigation and governmental inquiries and actions, damage our reputation, and otherwise adversely impact our financial results and business” included in Part I, Item 1A of this Form 10-K.


Cybersecurity Governance


The Company’s cybersecurity risk management processes are integrated into the Company’s overall risk management program. In this regard, our Board of Directors has designated the Audit Committee as being primarily responsible for overseeing risk management at a board level, and has delegated certain specific categories of risk oversight matters to the Audit Committee as well as to the other standing committees of the Board, within their respective areas of responsibility. Additionally, the Audit Committee makes periodic reports to the Board regarding briefings and reports provided by management and advisors on various risk oversight matters, as well as the Audit Committee’s own analysis and conclusions regarding the adequacy of the Company’s risk management program.


As part of its board-level risk oversight responsibilities, the Audit Committee provides oversight of the Company’s privacy, data, cybersecurity, and information security risk exposures. Further, at a management level, the Company’s cybersecurity risk management program is led by our CTO, who reports to the Company’s CEO. Our CTO was appointed as the Company’s senior vice president and chief technology officer in July 2017. Our CTO has expertise in cybersecurity risk management through his more than 20 years of experience in healthcare technology, including his service with us as well as his service as chief technology officer at other organizations prior to joining the Company in 2017. On a quarterly basis, the Company’s CTO reports to the Audit Committee regarding the Company’s cybersecurity program. The CTO also reports to the Audit Committee on a quarterly basis regarding remediation activities, if any, along with related security metrics, in connection with any areas where cybersecurity threats have been identified.