Teladoc Health, Inc. - (TDOC)
10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We recognize the increasing significance that cybersecurity has to our operations and the success of our business, as well as the need to continually assess cybersecurity risk and evolve our response in the face of a rapidly and ever-changing environment. We process and maintain sensitive data on our Clients and members, including in the form of PHI and PII. In addition, we maintain intellectual property for our solutions and personal information of our employees. Because of the data we manage, we are subject to various cybersecurity threats that, if they materialized, could adversely affect our business, employees, Clients, and members through impacts to the confidentiality, integrity, and/or availability of our systems. We maintain a cybersecurity program and controls as part of our enterprise risk management program in an effort to reduce the risk of exposure of our information and systems.
To assess, identify, and manage the risks of cybersecurity threats to our information system, we maintain a cybersecurity program, including policies and controls, which are regularly reviewed through internal and external assessments. We leverage several industry frameworks for adopting and assessing controls, such as HIPAA, the National Institute of Standards and Technology Cybersecurity Framework, and HITRUST. We have an active HITRUST certification and Service Organization Control ("SOC") 2 Type II security compliance that are issued by external entities.
We have controls in place intended to assess our cybersecurity posture and prevent successful access to our critical systems, including, but not limited to: vulnerability scanning on systems and applications; endpoint detection capabilities to identify malware and other indicators of threat activity; multifactor authentication; and blocking of malicious e-mail. In addition, we also provide annual cybersecurity awareness training for our employees. Further, we engage with an external security firm to perform regular penetration testing. We subject our critical third-party service providers to risk assessment prior to engagement, and periodically thereafter, to identify material risks. Additionally, we have a process to engage with these third parties to understand potential impacts of, and remediation efforts associated with, critical vulnerabilities.
To stay abreast of the evolving threat landscape, we actively engage with key vendors, industry information sharing, and intelligence and law enforcement communities. These engagements serve as inputs into understanding techniques and tactics being used by threat actors and in expanding the countermeasures we use to protect Teladoc Health.
In the event of a potential cybersecurity incident, or a series of related cybersecurity incidents, we have a documented security incident response plan that provides a consistent approach to identifying and classifying the incident as well as a defined escalation process to management to assess the materiality.
Despite the efforts outlined above, we cannot ensure that we will not be subject to any cybersecurity incidents or threats. See “Risk Factors - Risks Related to Information Technology” for additional information. To date, management has not determined that any cybersecurity incidents the Company has experienced would have resulted in, or are reasonably likely to result in, a material impact to its financial condition, results of operations, or business strategy.
Governance
Cybersecurity risk oversight continues to remain a top priority for our Board. The audit committee of our Board maintains primary responsibility related to overseeing our cybersecurity risk as part of its program of regular risk management oversight. This includes, but is not limited to, the overall maturity and strategy of our cybersecurity program.
We have a rigorous and comprehensive cybersecurity program that is managed by a dedicated team of subject matter experts and led by our Chief Information Security Officer (“CISO”), who has extensive cybersecurity experience. We have implemented telehealth industry standard processes, policies, and tools, including regularly scheduled vulnerability scanning and third-party penetration testing to reduce the risk of vulnerabilities in our system.
Our CISO regularly engages with other members of our executive management team to discuss cyber risk, including the Chief Technology Officer, the Chief Information Officer, Deputy Chief Legal Officer, and Chief Compliance Officer, among others, as well as the audit committee of our Board. Our executive management team has the appropriate expertise, background, and depth of experience to manage risk arising from cybersecurity threats. Executive management has also participated in cybersecurity tabletop exercises to test our cyber response playbooks.