AMN HEALTHCARE SERVICES INC - (AMN)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
 
AMN Healthcare’s board of directors (the “Board”) is responsible for overseeing our enterprise-wide risk management program. The audit committee of the Board (the “Audit Committee”) has primary oversight responsibility for information security and cybersecurity, including internal controls designed to mitigate risks related to these topics. This includes regular, and at least quarterly, review by the Audit Committee of reports on topics including, among others, significant cybersecurity risks, results from third-party assessments, training and vulnerability testing, and our incident response plan. Material breaches, if any, and any disclosure obligations arising from any such breach are also discussed during separate Audit Committee meetings as part of the Board’s risk oversight generally.

AMN’s information security program reports up to our Chief Information & Digital Officer (“CIO”) and is managed by our Senior Director, Information Security, whose team is responsible for leading our enterprise-wide cybersecurity strategy. Through ongoing communications with the team, the CIO and the Senior Director, Information Security, are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents and progress on cybersecurity infrastructure initiatives. In the event of a material cybersecurity incident, the CIO will escalate to the Audit Committee and the Board is made aware as appropriate and in accordance with AMN’s incident response plan. Our CIO and Senior Director, Information Security have proven experience as technology leaders establishing and overseeing enterprise information security programs in the healthcare industry. Our CIO has over 25 years of experience serving as Chief Information Officer, Senior Vice President of IT, and Director of IT at various healthcare services and technology companies. AMN’s Senior Director, Information Security has over 20 years of experience in various roles in information technology and information security. He holds an M.Sc. in Computer Information Systems and holds several relevant certifications, including Certified Information Security Manager and Zero Trust Certified Architect.

AMN’s Privacy function, which reports up through our Chief Legal Officer, works collaboratively with the Information Security function to create and review policies, standards and processes. In addition to updating the Audit Committee, the CIO and Senior Director, Information Security, and Privacy team provide regular updates to our Chief Executive Officer and other members of our senior management as appropriate.

AMN’s information security program has adopted policies, standards, processes, and practices that follow recognized frameworks established by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization, and other relevant standards. AMN Healthcare has also implemented certain controls and procedures that allow its management to assess, identify, and manage material risks from cybersecurity threats. Our processes are integrated into the overall enterprise risk management program, which includes financial risk, compliance risk and other strategic and operational risks that affect the Company. These processes complement our enterprise-wide risk assessment architecture, as implemented by the Company’s management and as overseen by the Board through its Audit Committee.

To identify and assess material risks from cybersecurity threats, we engage in regular network and endpoint monitoring, vulnerability assessments, penetration testing, and tabletop exercises. We have developed an incident response plan to manage identified vulnerabilities and further improve our cybersecurity preparedness and response infrastructure. The incident response plan sets forth the actions to be taken in responding to and recovering from cybersecurity incidents, which include triage, assessing the severity of incidents, escalation protocols, containment of incidents, investigation of incidents, and remediation.

In addition to our in-house capabilities, we engage with key security and technology vendors, industry participants and intelligence communities to assess our program and test our technical capabilities and enhance the effectiveness of our information security policies and procedures. We use a combination of tools and technologies to protect AMN Healthcare and the personal information we maintain and operate a proactive threat intelligence program to identify and assess risk. We have also implemented processes to identify, monitor and address material risks from cybersecurity threats associated with our use of third-party vendors, including those in our supply chain or who have access to our systems, data or facilities that house such systems or data.

Our team members receive annual training to understand the behaviors necessary to protect company and personal information and receive annual training on privacy laws and requirements. We also offer ongoing practice and education for team members to recognize and report suspicious activity, including phishing campaigns.

The Company has experienced cyber threats resulting in immaterial cyber incidents and expects cyber threats to continue with varying levels of sophistication.