CVS HEALTH Corp - (CVS)
10-K Filing Date: February 07, 2024
Item 1C. Cybersecurity.
Cybersecurity Risk Management
Securing the Company’s business information, intellectual property, customer, patient and employee data and technology systems is essential for the continuity of its businesses, meeting applicable regulatory requirements and maintaining the trust of its stakeholders. Cybersecurity is an important and integrated part of the Company’s enterprise risk management function that identifies, monitors and mitigates business, operational and legal risks.
To help protect the Company from a major cybersecurity incident that could have a material impact on operations or the Company’s financial results, the Company has implemented policies, programs and controls, including technology investments that focus on cybersecurity incident prevention, identification and mitigation. The steps the Company takes to reduce its vulnerability to cyberattacks and to mitigate impacts from cybersecurity incidents include, but are not limited to: establishing information security policies and standards, implementing information protection processes and technologies, monitoring its information technology systems for cybersecurity threats, assessing cybersecurity risk profiles of key third-parties, implementing cybersecurity training and collaborating with public and private organizations on cyber threat information and best practices. The Company is currently in material compliance with applicable information privacy and cybersecurity standards.
The Company has implemented a Cybersecurity Incident Response Plan (the “Plan”), which is integrated into its overall crisis management program. The Plan provides a framework for responding to cybersecurity incidents. The Plan identifies applicable requirements for incident disclosure and reporting as well as provides protocols for incident evaluation, including the use of third-party service providers and partners, processes for notification and internal escalation of information to the Company’s senior management, the disclosure committee, the Board and appropriate Board committees. The Plan also addresses requirements for the Company’s external reporting obligations. The Plan is reviewed and updated, as necessary, under the leadership of the Company’s Chief Information Security Officer (“CISO”) and Chief Privacy Officer (“CPO”).
The Company’s information technology systems and processes are assessed by independent third parties, as appropriate to their business requirements, for compliance with the following standards: HIPAA; NIST SP 800-53; System and Organization Controls (“SOC”) 1; SOC 2 Type 2; HITRUST; the Payment Card Industry Data Security Standard (PCI DSS); and the standards of the National Association of Insurance Commissioners. The Company annually purchases a cybersecurity risk insurance policy that would help defray the costs associated with a covered cybersecurity incident if it occurred.
Although the Company did not experience a material cybersecurity incident during the year ended December 31, 2023, the scope and impact of any future incident cannot be predicted. See “Item 1A. Risk Factors” for more information on the Company’s cybersecurity-related risks.
Governance
Management has responsibility to manage risk and bring to the Board’s attention the most material near-term and long-term risks to the Company. The Company’s CISO leads management’s assessment and management of cybersecurity risk. The CISO reports to the Company’s Chief Digital, Data, Analytics & Technology Officer (the “CDDATO”), who reports directly to the Company’s Chief Executive Officer. The CDDATO, CISO and CPO regularly review cybersecurity matters with management. The current CDDATO, CISO and CPO each has more than 10 years of experience managing risks or advising on cybersecurity issues.
The Board is actively engaged in overseeing and reviewing the Company’s strategic direction and objectives, taking into account, among other considerations, the Company’s risk profile and related exposures. As part of this oversight, the Board has delegated certain of these responsibilities to committees of the Board. The Board has delegated the responsibility for the oversight of the Company’s cybersecurity risk program to the Nominating and Corporate Governance Committee. As part of this oversight, the Nominating and Corporate Governance Committee reviews the Company’s cybersecurity program periodically, and at least annually. The Company’s CDDATO and CISO update the Nominating and Corporate Governance Committee periodically, and at least annually, and the full Board as needed, on the Company’s cybersecurity program, including with respect to particular cybersecurity threats, incidents or new developments in the Company’s risk profile. The CISO is a member of the Company’s disclosure committee, and the CPO advises the disclosure committee on cybersecurity matters on an as-needed basis. During 2023, the Board conducted a review of its overall committee structure, membership and responsibilities in an effort to enhance its oversight. As part of this review, the Board determined that it will shift the delegation of oversight of the Company’s cybersecurity risk program to the Audit Committee effective March 2024.