Evolent Health, Inc. - (EVH)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

We have developed processes for assessing, identifying and managing material risks from cybersecurity threats. We maintain an enterprise risk management program, which includes management of material risks from cybersecurity threats alongside other Company risks as part of our overall risk assessment process. Our cybersecurity strategy includes defense-in-depth and zero-trust-based controls intended to protect our information technology systems. We maintain an enterprise information and cybersecurity program. As part of this program, we employ a range of tools and services to inform our assessment, identification and management of material risks from cybersecurity threats, which include, from time to time, monitoring emerging data protection laws and implementing responsive changes to our processes; undertaking periodic reviews of our partner-facing policies and statements related to cybersecurity; conducting cybersecurity management and incident training for employees involved in our systems and processes that handle sensitive data; conducting phishing email simulations for employees and contractors with access to corporate email systems; requiring employees, as well as third parties who provide services on our behalf, to treat information and data with care; and employing a cyber risk management and quantification system customized to our environment.

We maintain an incident response plan that includes processes to triage, assess the severity of, escalate, contain, investigate and remediate material cybersecurity incidents, as well as to comply with potentially applicable legal obligations. As part of the above processes, we periodically engage with assessors, consultants, auditors and other third parties, including by engaging, on an annual basis, an independent third-party Qualified Security Assessor to review our cybersecurity program and help identify areas for improvement and/or compliance. Our risk management processes also address cybersecurity threat risks associated with our use of third-party service providers.

For a discussion of whether and how any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company, including our business strategy and results of operations, see “Risk Factors – Risks Related to Data Protection, Privacy, Cybersecurity, Intellectual Property and Technology,” which is incorporated by reference into this Item 1C.

In the three most recently completed fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial. This includes penalties and settlements, of which there were none.

Governance

The Compliance and Regulatory Affairs Committee of the Board (the “Compliance and Regulatory Affairs Committee”) provides oversight of risks from cybersecurity threats. The Compliance and Regulatory Affairs Committee receives updates from our Chief Information Security Officer (“CISO”) and other members of management to, among other items, review material cybersecurity incidents, review key metrics on our cybersecurity program and related risk management programs, and discuss our cybersecurity programs and goals. The Compliance and Regulatory Affairs Committee updates the full Board on matters relating to cybersecurity. The Audit Committee of the Board provides an additional layer of cybersecurity oversight on specific financial matters.

Our management disclosure and compliance committees, which include representatives from our legal, finance and accounting, and information technology (“IT”) teams, meet at least quarterly to monitor potential risks and review procedures and controls relating to cybersecurity. Management periodically assesses such risks and assists in the implementation of policies and procedures related to cybersecurity risk oversight in conjunction with the Compliance and Regulatory Affairs Committee.

Our CISO is responsible for assessing and managing the Company’s material risks from cybersecurity threats. Our CISO has served in this role for the past four years, and has more than 25 years of experience in the aggregate in various roles involving managing information security, technology infrastructure, IT operations and developing cybersecurity strategy, and is a Certified Information Systems Security Professional (CISSP).

Our CISO is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents through the management of and participation in the cybersecurity risk management and strategy process described above, including the operation of our incident response plan. As discussed above, our CISO reports to the Compliance and Regulatory Affairs Committee on the risks from cybersecurity threats, among other cybersecurity-related matters, and meets regularly with our Chief Technology Officer.