MOLINA HEALTHCARE, INC. - (MOH)
10-K Filing Date: February 13, 2024
Item 1C. CYBERSECURITY
CYBERSECURITY RISK MANAGEMENT, GOVERNANCE AND RISK ASSESSMENT
The Company is committed to protecting the confidentiality, integrity, and availability of its information systems and the data they contain from cybersecurity threats. The Company recognizes that cybersecurity is a dynamic and evolving area of risk that requires ongoing assessment, management, and oversight. The Company has established a cybersecurity program (the “Program”) that is designed to assess, identify, manage, and mitigate material cybersecurity threats, as well as to respond to and recover from cybersecurity incidents.
CYBERSECURITY RISK MANAGEMENT
The Program is based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”), NIST Special Publication 800-53, and the Payment Card Industry standards, as applicable, and is designed to comply with applicable laws and regulations, including HIPAA and the New York Department of Financial Services Cybersecurity Regulation, as applicable. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST CSF and Payment Card Industry standards as guides to help us identify, assess, and manage cybersecurity risks relevant to our business. The Program is aligned with the Company’s overall enterprise risk management system and processes and shares common methodologies, reporting channels, and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. Control procedures are assessed regularly to confirm their effectiveness. The Company undergoes an annual Service Organization Controls (“SOC”) Type 2 attestation report covering the performance of safeguards deployed to protect certain Company systems and applications. The Company maintains cybersecurity insurance providing coverage for certain costs related to security failures and specified cybersecurity-related incidents that interrupt our network or the networks of our vendors, in all cases up to specified limits and subject to certain exclusions.
The Company has a designated Chief Information Security Officer (the “CISO”). The Program is implemented and managed by the Company’s executive management under the leadership of the CISO. The Company contracts with third-party service providers to support aspects of the Program implementation, operations, and review of information technology operations and cybersecurity technologies. Additionally, the Company has retained a number of well-established and reputable cybersecurity consultants, including forensics experts, auditors, as well as outside cybersecurity legal counsel to assist with cybersecurity matters as needed from time to time.
The Company has a Computer Incident Response Team (“CIRT”), which is responsible for monitoring for, preventing, and detecting cybersecurity threats, assisting with their investigation, and responding to them. The Company has in place an Information Security Incident Response Plan (“IRP”) Protocol, which provides an operational framework to coordinate the response to any type of cybersecurity incident affecting the Company. The CIRT informs the CISO of cybersecurity threats consistent with the IRP. The IRP also provides the process and oversight to manage cybersecurity incidents that may arise from a third-party service provider. In addition, the IRP addresses management responsibility with respect to disclosure determinations related to a cybersecurity incident and provides for Audit Committee and Board briefings as appropriate.
The Company’s cybersecurity policies and procedures are reviewed by the CISO and updated at least annually. In addition, under the IRP, following the resolution of a cybersecurity incident, the Company will generally consider the effectiveness of the Program and the IRP, make adjustments as appropriate, and report to senior management and the Audit Committee as appropriate on these matters. The cybersecurity policies and procedures are communicated and enforced throughout the Company, as well as with the third-party service providers that have access to the Company's information systems or nonpublic information. Cybersecurity policies and procedures are also subject to periodic review and audits by internal and external parties, such as the internal audit function, external auditors, regulators, or independent assessors. The Company requires employees to undergo cybersecurity-related training, including phishing prevention training, and employees are tested regularly through phishing exercises.
GOVERNANCE
The CISO is responsible for developing, maintaining, and enforcing the Program's policies and procedures, as well as reporting on the Program's performance and material cybersecurity risks to the Audit Committee. The CISO has the relevant expertise and authority to carry out the Program's objectives and to coordinate with other key stakeholders within and outside the Company. The CISO’s expertise includes decades of information technology and cybersecurity as a subject matter expert, including more than a decade of executive management experience as a CISO for Fortune 500 companies.
Molina Healthcare, Inc. 2023 Form 10-K | 33
The Program is overseen by the Company’s Board of Directors through its Audit Committee, which, pursuant to its charter, assists the Board with oversight of Company privacy, data security, and cybersecurity matters and risks. The Audit Committee meets regularly with the Company’s executive management, including the CISO and the Chief Information Officer, and receives updates on the status and overall effectiveness of the Program, changes to the Program, relevant information technology operations, any changes in material cybersecurity risks, and any significant cybersecurity incidents, consistent with the IRP. The Audit Committee also discusses with executive management the steps management has taken to monitor and mitigate privacy, data security, and cybersecurity risk exposures, the Company’s information governance policies and programs, and major legislative and regulatory developments that could materially impact the Company’s exposure regarding privacy, data security risk, and cybersecurity. The Audit Committee reports to the full Board regarding its activities, including those related to cybersecurity. The Audit Committee and the Board consider cybersecurity as part of the Company’s business strategy, financial planning, and capital allocation.
CYBERSECURITY RISK ASSESSMENT
The CISO is responsible for assessing and managing the Company’s material risks from cybersecurity threats. The Company conducts regular risk assessments to identify, evaluate, and prioritize material cybersecurity risks to the Company, including its health plans and state contracts, shared services and IT operations, or business strategy. The risk assessments are informed by various sources of information, such as internal and external audits, vulnerability scans, penetration tests, threat intelligence, incident reports, industry benchmarks, and accepted industry practices. The risk assessments consider the potential impact and likelihood of various cybersecurity threats, such as ransomware, malware, social engineering, third-party incidents, supply chain attacks, and insider threats, and contemplate the adequacy of controls to detect, prevent, respond to, and recover from such threats in order to reduce the possibility of an adverse material cybersecurity event. The Company has in place processes to identify material risks from cybersecurity threats associated with its use of third-party service providers and, as such, conducts assessments of such third-party service providers with respect to their cybersecurity programs and risks and requires third-party service providers to notify the Company if they experience a cybersecurity incident. The Company hires experienced security professionals to conduct advanced and realistic cybersecurity attack simulations to verify its Program, and conducts regular cybersecurity tabletop exercises with executive management, which are coordinated by a third party.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.