Option Care Health, Inc. - (OPCH)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We have developed and implemented a cybersecurity framework designed to evaluate, identify and manage risks stemming from threats to the security of our information, systems and network using a risk-based approach. The framework is informed, in part, by the National Institute of Standards and Technology (NIST) Cybersecurity Framework, although this does not necessarily mean that we meet all technical standards, specifications or requirements outlined in the NIST framework. Additionally, we maintain a Systems and Organization Controls (SOC) 2 Type 2 attestation.
Our goal is to maintain an information technology infrastructure that implements physical, administrative, and technical controls. These controls are adjusted based on risk and designed to protect the confidentiality, integrity, and availability of our information systems, including the customer information, personal information and proprietary information stored on our networks.
We have a cybersecurity incident response plan and dedicated teams to respond to cybersecurity incidents. When a cybersecurity incident occurs, we have cross-functional teams that are responsible for leading the initial assessment of priority and severity. Our information security team assists in taking any remedial action in response to an incident, and external experts may also be engaged as appropriate.
Our overarching approach to cybersecurity risk management centers on governance, people, processes, and technology. We provide security awareness training to help employees understand their information protection and cybersecurity responsibilities. This includes mandatory annual cybersecurity training and monthly phishing simulations. We also perform periodic tabletop or simulation exercises involving technical experts and business and functional leaders.
We conduct third-party assessments of potential new vendors who process, store or transmit our data, which include a formal security review. This can include the review of documentation related to a vendor’s security attestations, such as SOC 2 Type 2 or HITRUST certifications.
We engage third-party cybersecurity companies to periodically assess our cybersecurity program and procedures and reaffirm our compliance with SOC 2 standards. These assessments aid in continual improvement and help us identify and address risks from cybersecurity threats.
We also consider cybersecurity, along with our other top risks, within our enterprise risk management framework. This framework involves internal reporting at the business and enterprise levels, considering key risk indicators, trends and countermeasures. Our Senior Vice President, Chief Information Security Officer (CISO) serves on the Enterprise Risk Committee that assesses our enterprise-wide risks and oversees risk mitigation activities.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us or our results of operations, cash flow or financial condition. However, the scope and impact of any future incident, or the identification of new information related to prior cybersecurity incidents, cannot be predicted. See “Item 1A. Risk Factors” for more information about our cybersecurity-related risks.
Governance
The Quality and Compliance Committee of our Board of Directors provides board-level oversight of cybersecurity risk. As part of its oversight role, the Quality and Compliance Committee receives reports about our practices, programs, or notable threats or incidents related to cybersecurity throughout the year, including through periodic updates from our CISO and other leaders. The Quality and Compliance Committee provides regular reports to the full Board about these matters and other areas within its responsibility, and the CISO and other leaders provide updates regarding cybersecurity matters to the full Board as appropriate.
Our CISO reports to our Chief Information Officer and leads our overall cybersecurity function. Our CISO has over 20 years of experience in various security roles, which include managing information security, developing cybersecurity strategy, and implementing cybersecurity programs. Our CISO collaborates with senior leaders and other members of our organization to identify and analyze cybersecurity risks and implement controls as appropriate and feasible to mitigate these risks. The CISO also supervises efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents through various means, including by collaborating with internal and external stakeholders. Our CISO is supported by a management-led Security Council, which consists of our Chief Executive Officer, Chief Financial Officer and other senior leaders throughout our organization, and which reviews and discusses our cybersecurity program as well as emerging cyber risks, threats, and industry trends, among other topics.