HCA Healthcare, Inc. - (HCA)

10-K Filing Date: February 16, 2024
Item 1C. Cybersecurity

Management is responsible for the day-to-day handling of risks facing our Company, while the Board of Directors, as a whole and through its committees, oversees risk management, including cybersecurity risks. The Board has delegated certain risk management responsibilities with respect to cybersecurity to our Audit and Compliance Committee.

The Audit and Compliance Committee periodically reviews our data security programs, including cybersecurity, and reviews the programs and plans that management has established to monitor compliance with data security compliance programs and to test preparedness. The Audit and Compliance Committee also receives reports regarding risks associated with our data security programs and management's plans for monitoring and testing compliance with data security regulations.

The Audit and Compliance Committee meetings take place on a quarterly basis and include a report from our Chief Security Officer ("CSO") regarding our security programs, including (i) the status of activities under way to support our security strategy, (ii) an overview of the current threat landscape, including emerging threats and trends that may affect us, (iii) key performance measures of security operations, and (iv) general security program needs. The security program includes cybersecurity, privacy, physical security and information security risk management. Our senior security leadership team has an average of 20 years of data security experience, and each member has served in multiple roles within our security programs.

We seek to leverage a comprehensive risk management program that encompasses a structured approach to assess, identify, and manage cyber and information security risks. The internal processes for these activities are evaluated for alignment with our objectives and overall risk tolerance. This approach is consistent with our overall risk management efforts. The CSO participates with other senior officers, including the Chief Executive Officer, Chief Information Officer, Chief Financial Officer, Chief Legal Officer, Chief Ethics and Compliance Officer and others on our risk management committee, which develops and coordinates enterprise cybersecurity policy and strategy, and provides guidance to senior management.

We utilize cross-functional teams and risk assessment tools and technologies to identify potential cyber and information security threats and risks. These teams include representatives from various departments within our Company to promote a holistic view of the organization's cyber and information security risk landscape and to facilitate communication. We have implemented multiple layers of security measures designed to protect the confidentiality, integrity and availability of our data and the systems and devices that store and transmit such data. We also seek to embed security measures into software and system development processes and to use current security technologies. In addition, we engage third parties to actively monitor potential threats as well as our security defenses. The risk landscape is assessed to determine the likelihood and potential impact of identified risks. This assessment involves a combination of qualitative and quantitative analyses to help prioritize identified risks and determine the appropriate risk treatment. The effectiveness of the cyber and information security program is tested through a combination of internal and external assessments. Updates are provided to senior management and the Audit and Compliance Committee for informed decision-making and are integrated into our broader enterprise risk management processes.

We also seek to oversee and identify potential cyber and information security threats and risks relating to suppliers and third-party service providers. These efforts may include due diligence to assess the party's cybersecurity practices, controls, and compliance with relevant statutes and regulations; the use of contractual agreements that outline certain cybersecurity requirements; and using outside services to perform ongoing monitoring of select suppliers and third-party service providers. We may also collaborate with third-party suppliers to develop and align incident response plans.

No risks from cybersecurity threats or previous cybersecurity incidents have materially affected our business strategy, results of operations, or financial condition. However, there can be no assurance that our controls and procedures in place to monitor and mitigate the risks of cyber threats, including the remediation of critical information security and software vulnerabilities, will be sufficient and/or timely and that we will not suffer material losses or consequences in the future. Additionally, while we have in place insurance coverage designed to address certain aspects of cyber risks, such insurance coverage may be insufficient to cover all insured losses or all types of claims that may arise.