American Well Corp 10-K Cybersecurity GRC - 2024-02-15

Page last updated on July 16, 2024

American Well Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-15 17:09:24 EST.

Filings

10-K filed on 2024-02-15

American Well Corp filed a 10-K at 2024-02-15 17:09:24 EST
Accession Number: 0000950170-24-015995


Item 1C. Cybersecurity.

Cybersecurity risk management is an integral part of our enterprise risk management program. Our cybersecurity program is designed to align with industry best practices and provide a framework for handling cybersecurity threats and incidents, including threats and incidents associated with the use of services provided by third-party service providers.

Our Board has overall oversight responsibility for our risk management and is briefed periodically on cybersecurity risk management and any material cybersecurity incidents by our Chief Information Officer, or CIO, and General Counsel. The Board is responsible for ensuring that management has processes in place designed to (i) identify and evaluate cybersecurity risks to which the company is exposed and (ii) manage cybersecurity risks and mitigate cybersecurity incidents.

Management is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation measures and maintaining cybersecurity programs. Specifically, our Security Steering Committee (“SSC”), a cross-functional team of employees chaired by our CIO, is responsible for providing strategic guidance and execution oversight to Amwell’s privacy, risk and security programs and policies.

Management has instituted an Information Security Management System (“ISMS”). The ISMS establishes risk-based safeguards that are designed to adequately protect the Company and information acquired through business operations. Amwell maintains its ISMS in accordance with ISO 27001 standards. Amwell is audited annually by a third-party assessment firm that determines the effectiveness of the procedures and processes of its ISMS. Amwell also self-assesses the performance and effectiveness of the ISMS through monitoring, measurement, analysis, and evaluation of controls and control objectives. The SSC ensures the workforce complies with the ISMS policies, procedures and controls through many channels, including annual review of audit and risk assessment results, multifactor authentication, annual employee training and company-wide communications.

Our team of cybersecurity focused employees, under the direction of our CIO, is responsible for assessing our cybersecurity risk and detecting, mitigating and remediating cybersecurity incidents. Our CIO and dedicated personnel are certified and experienced information systems security professionals and information security managers. Personnel with significant security responsibilities receive specialized education and training on their roles and responsibilities prior to being granted access to systems and resources. The pre-employment process for these roles is designed to ensure that security responsibilities are specifically defined. Our CIO has over 25 years of technology leadership experience.

Amwell’s cybersecurity team has implemented processes to:

- assess the severity of a cybersecurity threat through continuous monitoring and determine the nature, scope and timing of the event to assess whether it is material;
- identify the source of a cybersecurity threat, including whether the cybersecurity threat is associated with a third-party service provider, utilizing our Information Security Incident Response Plan;
- implement cybersecurity countermeasures and mitigation strategies; and
- inform our board of directors of material cybersecurity threats and incidents.

In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see “Risk Factors - Risks Related to Our Business and Industry” and “Risk Factors - Risks Related to Government Regulation” in this annual report on Form 10-K.


Company Information

Name: American Well Corp
CIK: 0001393584
SIC Description: Services-Business Services, NEC
Ticker: AMWL - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30