UpHealth, Inc. - (UPHL)
10-K Filing Date: April 05, 2024
Item 1C. Cybersecurity
Our Board of Directors recognizes the critical importance of maintaining the trust and confidence of our providers, patients, customers, clients, business partners, and employees. Our Board of Directors is actively involved in oversight of the Company’s risk management program through the Compliance Subcommittee of the Audit Committee of our Board of Directors (the “Compliance Subcommittee”), and cybersecurity represents an important component of our overall approach to enterprise risk management (“ERM”). Our cybersecurity policies, standards, processes, and practices are fully integrated into our ERM program and are based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization, and other applicable industry standards. In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.
As one of the critical elements of our overall ERM approach, our cybersecurity program is focused on the following key areas:
• Governance: As discussed in more detail below under the heading Governance, our Board of Directors’ oversight of cybersecurity risk management is supported by the Compliance Subcommittee, which regularly interacts with our ERM function, our Information Security Director, and other members of management and relevant management committees, including management’s Executive Compliance Committee, which reports to our Chief Privacy and Compliance Officer and the Chair of the Compliance Subcommittee.
• Collaborative Approach: We have implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
• Technical Safeguards: We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, antimalware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.
• Incident Response and Recovery Planning: We have established and maintain comprehensive incident response and recovery plans that fully address our response to a cybersecurity incident, and such plans are tested and evaluated on a regular basis.
• Third-Party Risk Management: We maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers, and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.
• Education and Awareness: We provide regular, mandatory training for personnel regarding cybersecurity threats as a means to equip our personnel with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices.
We engage in the periodic assessment and testing of our policies, standards, processes, and practices that are designed to address cybersecurity threats and incidents. These efforts span a wide range of activities, including audits, assessments, vulnerability testing, and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. We engage third parties to perform assessments of our cybersecurity measures, including information security maturity assessments, audits, and independent reviews of our information security controls and operating effectiveness. The results of such assessments, audits and reviews are reported to the Executive Compliance Committee and the Compliance Subcommittee, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.
Governance
The Compliance Subcommittee oversees our ERM process, including the management of risks arising from cybersecurity threats. The Compliance Subcommittee receives regular presentations and reports on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and information security considerations arising with respect to the Company’s peers and third parties. The Compliance Subcommittee also receives prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. On a quarterly basis, our Chief Privacy and Compliance Officer and our Information Security Director discuss the Company’s approach to cybersecurity risk management with the Compliance Subcommittee.
The Compliance Subcommittee consists of two of our independent directors, Dr. Raluca Dinu, who serves as its Chair, and Mark Guinan, who serves as a member of the Compliance Subcommittee and also serves as Chairman of the Audit Committee. Each of Dr. Dinu and Mr. Guinan has served in various board and executive roles with risk oversight at public and private companies, each holds undergraduate and graduate degrees in their respective fields, and collectively they have over 23 years of experience managing risks at the Company and at similar companies, including risks arising from cybersecurity threats.
Our Information Security Director, in coordination with the Executive Compliance Committee, which includes our Chief Executive Officer, Chief Financial Officer, and Chief Legal Officer, works collaboratively across the Company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our incident response and recovery plans. To facilitate the success of our cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, our Information Security Director and the Executive Compliance Committee monitor the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents in real time, and report such threats and incidents to the Compliance Subcommittee when appropriate.
Our Information Security Director has served in various roles in information technology and information security for over 20 years, including as a security consultant and as the Chief Information Security Officer for private companies, and has attained professional certifications in information technology and information security, healthcare privacy, and compliance. We also have security consultants who regularly work with us. One such consultant, who previously served as our Vice President Information Security until his retirement in January 2024, has over 40 years of experience serving in various roles in information technology and information security, holds undergraduate and graduate degrees in business administration, and has attained the professional certifications of Certified Information Systems Security Professional, Certified Information Security Manager, Certified in Risk and Information Systems Control, and Project Management Professional. Our Chief Executive Officer, Chief Financial Officer and Chief Legal Officer each hold undergraduate and graduate degrees in their respective fields, and collectively they have over 70 years of experience managing risks at the Company and at similar companies, including risks arising from cybersecurity threats.
We believe that cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to affect the Company, including its business strategy, results of operations or financial condition. See Item 1A, Risk Factors, of Part I of this Annual Report for the discussion of our risks related to cybersecurity.