CROSS COUNTRY HEALTHCARE INC - (CCRN)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
We acknowledge the evolving nature of cyber threats to our business and industry. The Board oversees management’s processes for identifying and mitigating cybersecurity risks to help align our risk exposure with our strategic objectives. To that end, cybersecurity risk management is integrated into the Company's overall enterprise risk management function. The Company utilizes a combination of processes and systems designed to assess, monitor, and respond to organizational cybersecurity risks in an effective manner across our operations. The cybersecurity risk management program includes regular assessments, providing a holistic view of our risk posture; this contributes to the ongoing improvement of our process, cybersecurity program, and security position.
A. Governance
Understanding the importance of cybersecurity, the Board maintains oversight of the cybersecurity risks and threats within the organization. Specifically, the Board has delegated authority to the Audit Committee to oversee risk management relating to cybersecurity. The Audit Committee is composed of members with various expertise including risk management, technology, and finance.
The Company’s information security program is managed by a dedicated Vice President (VP) of Security Compliance and Risk Management (VP of Security), whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes, and who reports directly to the Chief Information Officer (CIO).
The Company’s Security and Privacy Steering Committee, which meets on a regular basis, also provides oversight of our security and privacy programs inclusive of defining the security strategy, reviewing risks and risk management strategies, and program performance. The committee (chaired by the VP of Security) comprises a broad selection of Senior Management leaders within the organization. This facilitates enterprise-wide collaboration in aligning cybersecurity objectives with organizational goals.
The VP of Security reports regularly to the CIO and the Security and Privacy Steering Committee. Further, the CIO provides regular reports to the Audit Committee and to the full Board. Reports include updates on our cyber risks and threats, projects to strengthen our information security systems, assessments of the information security program, and the emerging threat landscape.
B. Key Program Components
Standards Based Program
We use our best efforts to align our cybersecurity risk management with industry best practices, including processes to prevent, identify, assess, treat, monitor, and report on organizational risks. We design and assess our program utilizing tools such as the National Institute of Standards and Technology Cybersecurity Framework. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use these tools as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. This covers Company owned and managed systems and technologies, along with those supplied to the organization by third parties.
Evolving Threats
The program utilizes various resources, inclusive of third-party partners, to support an awareness and understanding of evolving cybersecurity threats, allowing the organization to be actively engaged in understanding and staying abreast of risks, and thereby supporting informed decision-making.
Incident Response
Our strategy includes a formal Incident Response Plan, designed to help the organization prepare for, respond to, and recover from confirmed or suspected cybersecurity or privacy incidents. Further, it evaluates and validates the effectiveness of our incident response capabilities, and allows for improvements as needed.
Data Privacy
During the course of normal business operations, the Company collects, stores, and processes personal data. Being cognizant of the importance of protecting personal data and respecting the rights of individuals to have control over their personal information, the organization implements a data privacy program designed to comply with U.S. data privacy regulations and incorporates data privacy into its risk management program.
Training and Education
Our enterprise-wide awareness and training program is utilized to mitigate risks by educating users on their role in combating security breaches, following good security practices, and maintaining awareness of security risks associated with their actions. This program includes mandatory and optional activities inclusive of online training, presentations, newsletters, blog posts, and simulation exercises.
Use of Third Parties
Being cognizant of the complexity and dynamic nature of cybersecurity threats, the Company engages the services of various third-party experts, inclusive of Managed Security Service Providers, application and infrastructure cybersecurity assessors, consultants, and advisors. These engagements allow for the supplementing of our internal capabilities with specialized knowledge and expertise in the execution of cybersecurity strategic functions.
Third-Party Risks
Given that risks associated with third parties can adversely impact an organization’s overall security and risk posture, the Company implements a third-party risk management program to assess the security posture of third-party service providers. This includes security assessments prior to service engagement and ongoing monitoring.
Benchmarking
The Company understands that the effective management of cybersecurity risks requires continuous assessment and improvement. Security benchmarking is a critical component to assess how well our security investments and processes compare with internal and external standards and objectives.
C. Management’s Role and Expertise
Primary responsibility for assessing, monitoring, and managing the Company’s cybersecurity risks rests with the VP of Security, Compliance, and Risk Management, who has over 15 years of dedicated experience in the field of cybersecurity across multiple industries. Their background includes extensive experience in cybersecurity program development, leadership, and risk management, which is instrumental in the execution of our cybersecurity strategies. Some specific responsibilities include overseeing our governance and compliance, risk management (identification, assessments, and treatment), and security and privacy awareness programs.
The Company's Chief Information Officer (CIO) possesses a wealth of information technology expertise and has served in various technology leadership roles across multiple industries. They are responsible for all technology systems, services, and solutions. The cybersecurity function reports directly into the office of the CIO.
Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks.