ModivCare Inc - (MODV)

10-K Filing Date: February 24, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy.

Our information technology ("IT") systems are critically important to our existing business operations and growth strategy. We provide services to individuals and others that require us to collect, process, maintain and retain sensitive and personal client confidential information in our IT systems, including patient identifiable health information, financial information and other personal information about our customers and end-users, such as names, addresses, phone numbers, email addresses, identification numbers, sensitive health data, and payment account information. As a result, we are subject to complex and evolving United States privacy laws and regulations, including those pertaining to the handling of personal data, such as HIPAA and CCPA. In addition to protecting the privacy of all health-related information for our members, our IT infrastructure supports the operations of all aspects of our business and ensures that we are able to continue to serve our members' transportation, personal care, and remote monitoring needs and execute our strategy to better connect people with care.

The Company's Enterprise Risk Management Team (the "ERM Team") works in collaboration with the Company's Information Security Team to set the enterprise risk strategy and make risk-informed decisions, which include the assessment of and response to cybersecurity risk. The Company maintains an information security, technology, and cybersecurity risk management program overseen by the Chief Information Security Officer (the "CISO") that uses a risk-based methodology to support the security, confidentiality, integrity, and availability of its information. The Company's information security, technology, and cybersecurity risk management program provides the structure for managing the respective risks utilizing a combination of automated tools, documented processes, and third-party assessments to identify and assess potential cybersecurity risks. The Company engages third parties in connection with its cybersecurity program. Third-party monitoring activities include the use of Security Information Event Monitoring ("SIEM") software and regularly scheduled vulnerability assessments performed by an independent third party to capture and identify vulnerabilities, security events, and potential incidents. The Company also maintains a formal information security training program that includes training on matters such as phishing and email security best practices as well as data privacy, which is required for all employees on an annual basis.

While processes are in place to minimize the chance of a successful cyberattack, the Company has established incident response policies and procedures to address a cyber threat that may occur despite these safeguards. In these instances, the Company maintains a cybersecurity incident response policy (the "Incident Response Policy") and cybersecurity incident response plan (the "Incident Response Plan") to help ensure a timely, consistent and compliant response to actual or attempted cybersecurity incidents impacting the Company. The Incident Response Plan includes (1) detection, (2) analysis, which may include timely notice to the Audit Committee of our Board if deemed material or appropriate, (3) containment, (4) eradication, (5) recovery and (6) post-incident review. The Incident Response Plan includes leveraging the Company's cross-functional Cybersecurity Incident Committee that is supported by an organizational structure that includes executives across the Information Security, ERM, Finance, Legal, and Investor Relations functions of the business. The Cybersecurity Incident Committee is responsible for assessing the materiality of any cybersecurity incidents and for communicating any such incidents to the appropriate parties outside the Company.

The Company relies on our IT systems and networks in connection with many of our business activities. Some of these networks and systems are managed by third-party service providers and are not under our direct control. The Company has implemented processes to manage the cybersecurity risks associated with its use of third-party service providers, including contract review by both the Information Security and Legal teams to provide contractual safeguards, as well as ongoing monitoring of third-party service providers for incidents that may affect the Company. To date, no cybersecurity incidents have had a material adverse effect on us, and we are not presently aware of any cybersecurity threats that are reasonably likely to materially affect us.

Despite the security measures we have implemented, certain cyber incidents could materially disrupt our operational systems, compromise personally identifiable information regarding customers or employees, delay our ability to provide critical services to our customers, and/or jeopardize the security of our facilities. We continuously seek to maintain a robust program of information security and controls, but the impact of a material information technology event could have a material adverse effect on our competitive position, reputation, results of operations, financial condition and cash flows.

Governance.

Board's Roles and Responsibilities

The Audit Committee is responsible for overseeing and monitoring the Company's information security, technology, and cybersecurity program and other IT and data privacy risks, controls, strategies, and procedures. The Audit Committee is composed of board members with expertise in the areas of risk management, finance and technology, enabling them to effectively oversee such cybersecurity and other IT and data privacy risks. The Audit Committee receives updates from management as needed, and at least quarterly, that cover the Company's current cybersecurity and other IT and data privacy risk assessments and key risk areas. The Audit Committee also reviews and discusses with management, at least quarterly and as needed, any material or significant cyber incidents that have occurred or are reasonably likely to occur. In addition, the Audit Committee receives regular updates on cybersecurity trends and emerging threats from the Information Security Team led by the CISO.

Management's Roles and Responsibilities

In collaboration with the ERM Team and the Audit Committee, the Company's Information Security Team, overseen by the CISO, is responsible for assessing and managing cybersecurity risks, including the prevention, mitigation, detection, and remediation of cybersecurity incidents. The Information Security Team is composed of various IT groups with the knowledge and expertise needed to execute the technical aspects of the Incident Response Plan. This team is led by the CISO and other technical leaders with significant experience in the information security field. The CISO has over 18 years of experience serving as a CISO and in other security leadership positions in the information security and cybersecurity fields, including roles as VP of Information Security, Director of Infrastructure, Director of Information Security, and Manager of Information Security. In addition to his work experience, the CISO holds a certification as a Certified Information Systems Security Professional (CISSP). The CISO works closely with other management positions, including the Chief Accounting Officer, Chief Information Officer, Chief Audit Officer, Deputy General Counsel, and VP of Investor Relations, through the Cybersecurity Incident Committee in order to ensure that the Company has effective communication and understanding of its cybersecurity risk management.

The processes by which the Information Security Team and CISO monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents include regular vulnerability assessments and penetration testing, security incident and event management, continuous monitoring, and threat and intelligence gathering. The CISO reports to the Audit Committee on a quarterly basis, and as needed, to provide an overview of our cybersecurity risk posture, the effectiveness of our cybersecurity policies, procedures, and strategies, and any material or significant cybersecurity incidents that have occurred or are likely to occur.