HUMANA INC - (HUM)
10-K Filing Date: February 15, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
In the ordinary course of our business, we process, store and transmit large amounts of data, and rely on third-party service providers to do the same, including sensitive personal information as well as proprietary or confidential information relating to our business or a third party. The protection of information and business processes is an integrated component in our overall risk management program, and reflected in our Code of Ethics, security standards, and privacy policies. We employ processes to safeguard information and protect our members’ data, including by deploying both proactive and defensive practices against the evolving cyber threat landscape. Examples of these processes include:
a. Employing a qualified Chief Information Security Officer.
b. Maintaining tools to identify malicious cyber activity.
c. Monitoring risks posed by threat actors, including through partnerships with industry groups and government agencies.
d. Providing annual cybersecurity training to our associates.
e. Testing our associates’ knowledge through internal phishing simulations.
f. Engaging an independent third-party audit firm to perform an Annual Service Organizational Controls (SOC) 2 audit of enterprise claims platforms.
g. Reporting data breaches, as required by law, to the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), and various state agencies; our reports are publicly available, free of charge, and can be obtained through the OCR Portal at https://ocrportal.hhs.gov/ocr/breach.
h. Maintaining a program to identify cybersecurity risks associated with certain third-party vendors, which is one component of an overall vendor risk management program.
We also enhance our information technology infrastructure and security protocols to assess, identify, protect against, and manage material risks from cybersecurity threats following a risk-based approach. In addition, we conduct cybersecurity risk assessments at least annually, and periodically engage an independent auditor or other external assessors to aid in proactive risk identification, prevention, detection, mitigation, and remediation. Our efforts to manage cybersecurity threats are further guided by Federal and state laws, as well as contractual commitments with third parties, which regulate our collection, use and disclosure of confidential information such as protected health information and personally identifiable information.
Although we have been subject to breaches of our information technology systems, including breaches of the information technology systems of third-party service providers, the impact of such attacks has not been material to our business strategy, operations or results of operations, financial position, or cash flows through December 31, 2023. We do not believe that cybersecurity threats resulting from any previous cybersecurity incidents of which we are aware are reasonably likely to materially affect the Company. For additional information on the risks we face from cybersecurity threats, please refer to Part I, Item 1A, "Risk Factors" of this Form 10-K.
Governance
As part of its overall responsibility for oversight of our enterprise risk management, our Board of Directors reviews material risks to our Company, including risks from cybersecurity threats. The Board has designated our Audit Committee and Technology Committee with joint oversight over our information technology internal controls, cybersecurity, business continuity and disaster recovery programs.
Management is responsible for designing and implementing our governance framework and controls for managing our material risks from cybersecurity threats, under the oversight of our Board of Directors. Our Chief Information Security Officer is responsible for assessing and managing identified cybersecurity risks, evaluating and remediating cybersecurity incidents, and sharing information directly with the Audit Committee and Technology Committee, or the full Board of Directors, when appropriate. Our Chief Information Security Officer reports to our Chief Information Officer, who is in turn responsible for the management of Humana’s data and information technology risks more generally. Our Chief Information Officer is a senior executive and industry leader in risk management practices in highly regulated fields. Our Chief Information Security Officer is an experienced cybersecurity executive and leader in the field, with many years of relevant experience working in highly regulated industries.
Among our cybersecurity and risk teams, we utilize established governance mechanisms to enable a transparent and holistic approach to cybersecurity risk management, and the evaluation and remediation of cybersecurity incidents. These processes enable cross-functional engagement from our enterprise information protection, enterprise risk management, enterprise compliance, information technology, legal, privacy, and data governance teams.
As a key component of this governance framework, the Audit Committee and Technology Committee also receive regular updates regarding our cybersecurity program and cybersecurity incidents from our Chief Information Security Officer.