Elevance Health, Inc. - (ELV)

10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY
We operate in a highly regulated industry. Federal, state and international laws and contractual commitments guide our collection, use and disclosure of confidential information such as protected health information, personal financial information and personally identifiable information. Our success depends on maintaining a high level of trust among our stakeholders, including our consumers, clients, business partners, providers, regulators and associates. Failure to effectively secure, maintain and upgrade our information systems, or the availability and integrity of our data, could adversely affect our business, including our business strategy, cash flows, financial condition and results of operations.
Cybersecurity Risk Assessment
We work to identify and manage cybersecurity risks through established processes and accountability. We also conduct periodic reviews and updates to uphold our security standards. Our management has implemented ongoing and annual risk assessment processes to identify and manage risks that could affect our ability to safeguard sensitive data or provide reliable transaction processing. These risks include, but are not limited to:
Regulatory compliance
Third-party management, including risks from business partners and software providers
Mergers and acquisitions
System availability and disruption of business operations
Data security
Vulnerability and configuration management
Fraud and extortion
Reputational risk
As of December 31, 2023, no known cybersecurity threats have materially affected, or are reasonably likely to materially affect, the Company, including our business strategy, cash flows, financial condition or results of operations. See Part I, Item 1A. “Risk Factors” for more information on the Company’s cybersecurity-related risks.
Governance and Management of Cybersecurity Risk
Our Board of Directors (“Board”) oversees and guides our business and oversees our exposure to major risks. The Board receives periodic reports from management on various risks, and delegates to its Audit Committee certain oversight responsibilities. The Board monitors cybersecurity risks and receives a report at least quarterly from our Chief Information Security Officer (the “CISO”) regarding our Information Security Program. In addition, certain cybersecurity incidents are escalated to the Board in accordance with our escalation criteria as described below. Periodically, the Board also receives third party assessments of our information security. The Audit Committee receives regular updates on both information security and data privacy matters, and oversees data privacy, integrity, incident and breach risks.
We have a cross-organizational steering committee, the Information Security Steering Committee (“ISSC”), that supports direction and governance of our enterprise-wide Information Security Program. The ISSC is chaired by the CISO and is comprised of accountable senior business leaders including the Chief Compliance Officer (“CCO”), Chief Risk Officer (“CRO”), legal counsel, and human resources, procurement and business segment leaders.
In addition to the ISSC, we have defined risk functions to cover overall enterprise risks and information technology and cybersecurity risks, including:
IT Risk Management program led by the CISO
Compliance led by the CCO
Internal Audit led by Chief Audit Executive (“CAE”)
Enterprise Risk Management programs led by the CRO
Third-Party Risk Management, comprised of business and information security leaders
IT Due Diligence, comprised of business, technology and information security leaders
Corporate Insurance Program, including cybersecurity insurance, led by the Treasurer
To evaluate cybersecurity and privacy incidents and enable the Company to comply with public disclosure requirements, we have defined escalation criteria in support of our incident response processes. We have a Cyber Incident Response Taskforce, comprised of our Chief Privacy Officer, our CISO, and applicable legal counsel and business and corporate services leaders, which is responsible for reviewing such incidents and reporting relevant incidents to a subcommittee of our disclosure committee in order to assess the materiality of an incident as well as reporting to the senior leadership team, the chief legal officer, the CEO and ultimately the Board based on the facts and circumstances of an incident.
Cybersecurity Expertise
Our Information Security Program has been established with the mission of minimizing risk to our member, client and associate data and it is managed by our CISO. Our current CISO has over 30 years of experience in information security and technology and has held a wide variety of technical and strategic leadership positions. He holds advanced certifications including Certified Information Systems Security Professional and Certified Secure Software Lifecycle Professional.
Our associates, including those responsible for cybersecurity, are evaluated for competence, including the knowledge and skills necessary to accomplish tasks that define associates’ roles and responsibilities and undergo regular training regarding privacy, security, ethics and compliance. Our job summaries contain specific educational and knowledge requirements necessary for cybersecurity jobs. In addition, a criminal background check is completed for all new associates and performance reviews are conducted annually to measure performance results and achievements and to assess the job competency of our associates.
We use our Information Security teams, as well as trusted third-party auditors, recognized cybersecurity consultants and certified assessors, to assess cybersecurity risks, related controls, and alignment to relevant regulatory and legal requirements. A third party evaluates our Information Security Program and control environment at least annually. Assessments are performed against industry best practices and widely recognized security frameworks.