Pediatrix Medical Group, Inc. - (MD)

10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY

Cybersecurity Risk Management and Strategy

We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity and availability of our critical systems and information. As part of this program, we have processes in place that are designed to assess, identify and manage material risks from cybersecurity threats, which are part of the Company’s overall enterprise risk management process and have been embedded in the Company’s operating procedures, internal controls and information systems.


We design and assess our program based on various cybersecurity frameworks, such as the National Institute of Standards and Technology (“NIST”) 800-53, including derivatives such as NIST Cybersecurity Framework (“CSF”) and HITRUST, as well as NIST 800-66 and the Center for Internet Security (“CIS”). This does not mean that we meet any particular technical standards, specifications, or requirements, but only that we use these standards as a guide to help us design and assess our program.


We rely on a multidisciplinary team, including our information security organization, legal department, management, and third-party service providers, as described further below, to assess, identify, and manage cybersecurity threats and risks.


Our cybersecurity risk management program includes:

risk assessments designed to help identify material cybersecurity risks to our critical systems, information, services, and our broader enterprise information technology (“IT”) environment, including monitoring and evaluating our threat environment and our risk profile;
a security governance council principally responsible for management’s oversight of our IT security;
the use of external service providers, where appropriate, to assess, test, or otherwise assist with aspects of our cybersecurity controls;
a third-party risk management process for service providers, suppliers and vendors covering compliance and technical controls;
cybersecurity awareness training for our employees, incident response personnel and senior management; and
a cybersecurity incident response plan with established procedures for assessing and responding to cybersecurity incidents, and that includes having an experienced incident response firm on retainer.


For information on the Company’s cybersecurity-related risks, see “Information Systems, Cybersecurity and Data Privacy Risks” in “Risk Factors” on page 46 of this Annual Report on Form 10-K. While to date we have not identified any breaches from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, the sophistication of cybersecurity threats continues to increase, and the preventative actions we take to reduce the risk of cybersecurity incidents and protect our systems and information may be insufficient. Accordingly, no matter how well our program is designed or implemented, we will not be able to anticipate all security breaches, and we may not be able to implement effective preventive measures against such security breaches in a timely manner.


Cybersecurity Governance


Our Board of Directors considers cybersecurity risk as part of its risk oversight function and oversees management’s implementation of our cybersecurity risk management program. Our Board of Directors has elected to exercise direct oversight over this area, rather than acting through one of its committees, given the increasing importance of cybersecurity matters and the cross-functional impacts of technology on our business. Our Board of Directors receives reports at least twice per year from members of senior management, including our Chief Information Security Officer (“CISO”) and Chief Compliance Officer, regarding the Company’s information systems and technology and associated policies, processes, and practices for managing and mitigating cybersecurity and technology-related risks. Our Board of Directors also meets with external advisors to discuss technology and cybersecurity risks applicable to the Company and obtains perspectives which inform senior management’s discussions with our Board of Directors. Our Board of Directors has delegated oversight of the process for determining disclosure required with respect to cybersecurity incidents to its Audit Committee.

At the management level, our information security organization is led by our CISO, who is responsible for cybersecurity risk management, with oversight by our Board of Directors. Our CISO has more than 20 years of experience in information security and IT risk management. He has specific experience in the following information security areas: security governance and policy, information security strategy and planning, penetration testing, vulnerability management, cybersecurity threat intelligence, incident response, third-party risk management, cloud security, application security, identity and access management, data loss prevention, and security awareness.

Our CISO is informed about and monitors prevention, detection, mitigation, and remediation efforts through regular communication and reporting from professionals in the information security organization, many of whom hold cybersecurity certifications such as Certified Information Systems Security Professional (CISSP), Certified Data Privacy Solutions Engineer (CDPSE), or Security+, and through the use of technological tools and software and results from third-party audits. Our cybersecurity incident response framework is governed by a cybersecurity incident response plan, which sets out our approach for categorizing, responding to, and mitigating cybersecurity incidents. We have an incident response team composed of our CISO, executive leaders, management and internal and external legal counsel, whose primary responsibilities include:

Evaluating and validating the impact of an incident;
Approving certain incident response countermeasures and remediation actions;
Escalating incidents and response countermeasures for approval; and
Acting in an advisory capacity in support of cybersecurity incident remediation, as appropriate.

We have also established a security governance council (the “Council”) to further strengthen our cybersecurity risk management activities across the Company. The Council includes our Chief Executive Officer, Executive Vice President and Chief Financial Officer, Executive Vice President, General Counsel and Secretary, Executive Vice President and Chief Operating Officer, Executive Vice President – National and Market Operations, Senior Vice President and Chief Information Officer, Vice President and Chief Information Security Officer, Vice President, Chief Compliance Officer, Vice President, People Services, and Associate Vice President, Internal Audit. The Council plans to meet quarterly beginning in 2024 and is responsible for management’s oversight of our IT security in a cohesive and holistic manner that is designed to enable optimal decision-making.