iRhythm Technologies, Inc. - (IRTC)

10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
Cybersecurity is an important part of our risk management at iRhythm. Our cybersecurity program includes mitigating risks for our company and for other companies that may have access to our data and systems. Our board of directors recognizes the critical importance of maintaining the trust and confidence of our customers, clients, business partners, and employees. The risk oversight responsibility of our board of directors and its committees is supported by our cybersecurity management reporting processes, which are designed to provide visibility to our board of directors and to our personnel that are responsible for risk assessment and information about the identification, assessment, and management of critical risks and management’s risk mitigation strategies. These areas of focus include risks from cybersecurity threats as well as competitive, economic, operational, financial, legal, regulatory, privacy, compliance, and reputational risks, among others. We understand that our customers, patients, and stakeholders entrust us with sensitive data, including Protected Health Information, and we take this responsibility seriously.
Our board of directors has an important role in the oversight of the Company’s cybersecurity risk management and strategy and has delegated certain components of such oversight related to the security of and risks related to computerized information and technology systems across the company, as well as by risk area (including privacy, data security, and cybersecurity matters), to the audit committee, which regularly interacts with our Vice President of Cybersecurity (“VP of Cybersecurity”) and Chief Risk Officer (“CRO”). We also regularly engage external parties to assist in the review of our cybersecurity risk oversight processes.
We have established policies to govern the security of our systems and the protection of customer and patient data, which include regular system updates and patches, employee training on cybersecurity and HIPAA best practices, incident reporting, and the use of encryption to secure sensitive information. Our Cybersecurity department, which reports to our VP of Cybersecurity, is responsible for our cybersecurity program and our Global Risk & Integrity department, which reports to our CRO, is responsible for our privacy program as further discussed below. To identify, assess, and manage material cybersecurity risks, our Cybersecurity team uses a cybersecurity risk assessment process aligned with leading frameworks such as the National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework and HIPAA. To ensure appropriate and consistent risk evaluation and decision-making processes among our Cybersecurity and Global Risk & Integrity departments, we utilize an Adjusted Risk Rating (“ARR”) system that considers certain attributes that represent impact to the Company, and we prioritize our actions based on our ARR system. Our cybersecurity risk assessment program provides the underlying basis for the activities our Cybersecurity and Global Risk & Integrity departments take to identify and mitigate risks from, as well as develop risk management and response strategies for, evolving and emerging cybersecurity threats.
We also regularly perform phishing tests on our employees and review our training plan at least annually for appropriate updates to address results from this testing. Further, we are focused on building and maintaining a positive cybersecurity culture through a combination of trainings, educational tools, videos, and other cybersecurity awareness initiatives. On top of annual information security awareness training for our employees, we also provide focused training for certain departments. Our security training incorporates awareness of cyber threats (including malware, ransomware, and social engineering attacks), password hygiene, and incident reporting processes, as well as physical security best practices.
We engage in the periodic assessment of our policies, standards, processes, and practices that are designed to address cybersecurity threats and incidents, internally and through assessments by external providers. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing, penetration testing, and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. Assessments by external providers of our cybersecurity measures include information security maturity assessments, audits, and independent reviews of our information security control environment and operating effectiveness. The results of such internal and external assessments, audits, and reviews are reported to the audit committee and the board of directors, and we adjust our cybersecurity policies, standards, processes, and practices as necessary based on the information provided by these assessments, audits, and reviews.
In addition to the assessment of internal cybersecurity risks, we have implemented processes to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers that have access to our data and systems, including payors and IDTFs. These processes include vetting of all service providers for security, reliability, and availability; execution of a Business Associate Agreement with each provider for compliant management, storage, or processing of PHI; and confirmation by each service provider that its SOC-2 reports, or equivalent reports, are current and available, where applicable. In the event a service provider does not have a current and available SOC-2 or equivalent report, we complete an in-depth review of the service provider’s cybersecurity risk management and advise relevant business stakeholders of any significant identified risks.
Based on our board of directors’ and management’s review of risks associated with cybersecurity threats, we have concluded that, to date, there have been no cybersecurity threats which have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition. If we were to experience a material cybersecurity incident in the future, such incident may have a material effect, including on our business strategy, operating results, or financial condition. For more information regarding cybersecurity risks that we face and potential impacts on our business related thereto, see the risk factor titled “Cybersecurity risks, including those involving network security breaches, services interruptions and other incidents affecting the confidentiality, integrity or availability of our data and systems, could result in the compromise of confidential data or critical data systems and give rise to potential harm to our patients, remediation and other expenses, expose us to liability under HIPAA, breach notification laws, consumer protection laws, or other common law theories, subject us to litigation and federal and state governmental inquiries, damage our reputation, and otherwise be disruptive to our business and operations.”
Governance
As described above, our board of directors has an important role in the oversight of the Company’s cybersecurity risk management and strategy, with certain components of such oversight, including matters related to the security of and risks related to computerized information and technology systems, delegated to the audit committee.
At the management level, our Cybersecurity and Risk departments work together to monitor our cybersecurity and risk programs, reporting to our VP of Cybersecurity and CRO, respectively. Our VP of Cybersecurity currently leads a team of cybersecurity professionals, has held leadership roles in the Cybersecurity team since joining us in 2019, and has over fifteen years of management experience within cybersecurity teams. Our CRO has held leadership roles in internal audit and risk for over a decade, including most recently as CRO of another public company.
Individuals in our Cybersecurity and Global Risk & Integrity departments regularly monitor the prevention, detection, mitigation and remediation of cybersecurity incidents. We have implemented procedures by which any identified or potential cybersecurity risk is communicated to the VP of Cybersecurity promptly and discussed in regular team meetings generally held several times per week. Risks are escalated to the CRO and other members of management in accordance with our incident response and reporting policy.
Our VP of Cybersecurity reports cybersecurity-related matters twice annually to the audit committee, and promptly reports any significant cybersecurity developments or incidents to our management, who may similarly escalate to the audit committee. These periodic updates include updates on our cybersecurity risk posture, including material risk assessments, the status of any projects to improve our information security systems, and the emerging cybersecurity threat landscape. The audit committee’s reviews may also include presentations by members of senior management, as well as briefings with other internal and external subject-matter experts to help broaden the board of directors’ understanding of the latest cybersecurity issues and the latest regulatory and threat landscapes. Additionally, the audit committee monitors our progress to address cybersecurity risks and opportunities, as well as cybersecurity incident response and recovery metrics. Our management also periodically engages external service providers to conduct objective assessments of our cybersecurity program, and results of such assessments are directly reported to the audit committee. Finally, the audit committee reports out to the larger board of directors periodically on the company’s cybersecurity risks and posture.