Page last updated on July 16, 2024
MSP Recovery, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-12 20:03:00 EDT.
Filings
10-K filed on 2024-04-12
MSP Recovery, Inc. filed a 10-K at 2024-04-12 20:03:00 EDT
Accession Number: 0000950170-24-044197
Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!
Item 1C. Cybersecurity.
Item 1C. Cybers ecurity. Overview The Company maintains robust processes for assessing, identifying, and managing material risks from cybersecurity threats. We are subject to federal and state laws and regulations governing privacy, security, and breaches of patient information and the conduct of certain electronic health care transactions, including, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and other health information privacy and security requirements. We rely on information technology networks and systems to process and store electronic information. We collect and store sensitive data, including personal identifiable information on our information technology networks. As we collect and manage large quantities of data, it is possible that hardware failures or errors in our systems could result in data loss or corruption or cause the information that we collect to be incomplete or contain inaccuracies that our partners regard as significant. Increased global cybersecurity vulnerabilities, threats, computer viruses, ransomware and phishing attacks, and more sophisticated and targeted cyber-related attacks, as well as cybersecurity failures resulting from human error and technological errors, pose a risk to the security of the Company’s systems and networks and the confidentiality, availability, and integrity of data on these products, systems, and networks. We have implemented security measures designed to prevent disruptions and shutdowns of our information technology networks due to attacks by hackers or breaches due to malfeasance by contractors, employees and others who have access to our networks and systems. We expect to continue to invest in long-term solutions to protect against cybersecurity risks and threats. Except as otherwise provided herein, this Item 1C reflects the Company’s cybersecurity policies and procedures as of December 31, 2023. In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. For additional information about these risks, see Part I, Item 1A, “Risk Factors” in this Annual Report. Risk Management and Strategy The Company employs an IT Security Team that is responsible for assessing and managing cybersecurity risks. The Company has a designated IT Security Team to maintain its cybersecurity program and oversee third-party service providers that provide cybersecurity protection. The IT Security Team is tasked with the prevention, detection, mitigation, and remediation of cybersecurity incidents through a variety of technical and operational measures, and reports to our DevOPS/Security Manager. The team is comprised of personnel with a broad range of experience across the business and information technology industries, including our DevOPS/Security Manager, a DevOPS Security Administrator, and employees in senior legal and administrative roles. The IT Security Team relies on the advice of the Manager DevOPS/Security related to the security of our data and any mitigation steps necessary. Our DevOPS/Security Manager leads our cybersecurity program and is tasked with supporting our security functions of identifying, preventing, detecting, responding to, and recovering from cybersecurity threats and incidents. The DevOPS/Security Manager has 27 years of experience in IT networking, administration, and security related roles, including nine years at the Company. Prior to joining the Company, our DevOPS/Security Manager served for 15 years in a senior leadership role in the IT department of a large, publicly traded Fortune 500 company. The DevOPS/Security Manager provides quarterly updates to the Cybersecurity Committee on the Company’s cybersecurity program, including cybersecurity risks, incidents, and mitigation strategies. Our DevOPS Security Administrator has experience developing and maintaining an IT security program for a Fortune 500 company, has a bachelor’s degree in information technology, and maintains a Comptia Security+ certification. The Company has established processes for assessing, identifying, and managing material risks from cybersecurity threats. The Company utilizes a hybrid platform consisting of a local and cloud environment. Our local environment connects to the cloud environment via an encrypted virtual private network (“VPN”) connection. Our Site-to-Site connection consists of a firewall in our local environment which responds to a connection from a firewall in our cloud. Our networks have segregated subnets, and only allow designated staff access to our cloud environment, which is only accessible from one of our local office segments. All firewalls are configured with intrusion detection systems and intrusion prevention systems, strict firewall rules, denial of service, spoof protection, advanced threat protection, and zero-day protection. Our firewalls are configured to receive definition updates as they are released, and firmware updates are automatically installed when available. We secure our local network by not utilizing any wireless access points connected to any of our networks or firewalls, enabling port security on switches, following a principle of least privilege policy, and implementing Security Information & Event Management (“SIEM”) to capture all network traffic & security events from both networking equipment, endpoints, and servers. We enforce a strict password policy with multi-factor authentication. All computers and servers utilized by the Company are protected by endpoint protection, which provides real-time protection of local and network files, internet activity, and utilizes ransomware protection, application protection, malicious behavior protection, anti-malware scan interface protection, file integrity monitoring, and data loss prevention. Our endpoint protection software updates immediately upon definition releases. This endpoint has live protection and performs a deep system scan daily. Our endpoint protection 52 products are managed by our IT Security Team via a dashboard that provides our team with immediate alerts, device isolation, and investigation features, and also contracted the use of a Managed Detection and Response (“MDR”) service. The MDR service monitors our protected endpoints, servers, and network equipment at all times. This service also investigates, eliminates, and mitigates any critical alerts, while notifying our IT Security Team issues identified. All endpoints and servers are updated with security patches and application updates to our systems from a Patch Management system. Our IT Security Team reviews security logs daily, and performs quarterly audits of device access, building access, outages, application access, and IT & Development tickets. We employ data loss prevention policies to enforce HIPAA rules and also use stringent encryption controls. In addition, a Vulnerability Scanning system performs vulnerability detection on a quarterly basis. An independent third-party company conducts annual penetration and vulnerability detection as well. Our offices are physically secured with key card access controls for parking, first floor access, and elevator access. In addition, security guards monitor building reception areas and parking garages, and receptionists are located in our lobbies to greet visitors. The Company engages assessors, consultants, auditors, or other third parties in connection with its cybersecurity processes. The Company engages third party vendors in connection with our cybersecurity processes, including penetration and vulnerability scanning, auditing of our information security management program (ISMP); and a provider of products and services to secure users, networks, and endpoints against ransomware, malware, exploits, phishing and the wide range of other cyber attacks. In addition, the Company engaged national accounting and advisory services firms to audit the operating effectiveness of our security program, which incorporates cybersecurity in our processes. On an annual basis, the Company conducts a SOC 2 Type II audit and a HITRUST assessment. SOC 2 Type II audits assess risks from interactions with the Company’s systems, particularly information about system controls that the Company has designed, implemented, and operated to provide reasonable assurance that its service commitments and system requirements were achieved based on the SOC 2 trust services criteria. A HITRUST assessment address the need for a continuously relevant cybersecurity assessment that incorporates best practices and leverages the latest threat intelligence to maintain applicability with information security risks and emerging cyber threats, such as ransomware and phishing. HITRUST assessments also provide a level of assurance that delivers full transparency, accuracy, consistency, and integrity. In April 2022, an AICPA member firm and HITRUST authorized External Assessor Organization (the “Assessor”) completed an independent assessment of the Company’s systems. These independent assessments verified that we met the healthcare industry’s highest standards in protecting healthcare information and mitigating this risk, including compliance with HIPAA rules and regulations. On March 2, 2023, the Assessor reported that the Company’s data recovery system’s commitments and system requirements meet or exceed the stringent SOC 2 Type II applicable trust services criteria. On October 13, 2023, HITRUST certified that the platforms, facilities, and supporting infrastructure of our organization meet the HITRUST CSF(R) v11.1.0 Implemented, 1-year (i1) certification criteria. For our cloud computing services, we currently use a cloud service provider who is also HITRUST certified for the contracted services. The Company has processes to oversee and identify risks from cybersecurity threats associated with its use of third-party service providers. The Company maintains specific policies and practices governing our third-party security risks, including our third-party assessment (“TPA”) process. Under our TPA process, we gather information from certain third parties who contract with the Company and share or receive data, or have access to or integrate with our systems, in order to help us assess potential risks associated with their security controls. We also generally require third parties to, among other things, utilize encrypted secure file transfer protocols to exchange data. We require counterparties to enter into Business Associate Agreements and Non-Disclosure Agreements that, among other things, require them to maintain security controls to protect our confidential information and data, and notify us of material data breaches that may impact our data. 53 Governance The Board has established a Cybersecurity Subcommittee of the Audit Committee responsible for the oversight of risks from cybersecurity threats. On February 7, 2024, the Board established the Cybersecurity Subcommittee of the Audit Committee (the “Cybersecurity Committee”) to assist the Board in fulfilling its oversight responsibilities with respect to assessing and mitigating the Company’s cybersecurity risks. The Company’s management, under the guidance of the IT Security Team, is responsible for the preparation, presentation, and self-assessment of the Company’s cybersecurity policies and practices. The Cybersecurity Subcommittee shall be comprised of at least one independent director, and is tasked with reviewing and providing high level guidance on cybersecurity-related issues of importance to the Company. The IT Security Team reports to the Cybersecurity Subcommittee on a quarterly basis to inform the committee about and monitoring, prevention, detection, mitigation, and remediation of cybersecurity incidents, and is tasked with notifying the Cybersecurity Subcommittee of a cybersecurity incident upon discovery.
Item 1C reflects the Company’s cybersecurity policies and procedures as of December 31, 2023. In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. For additional information about these risks, see Part I, Item 1A, “Risk Factors” in this Annual Report. Risk Management and Strategy The Company employs an IT Security Team that is responsible for assessing and managing cybersecurity risks. The Company has a designated IT Security Team to maintain its cybersecurity program and oversee third-party service providers that provide cybersecurity protection. The IT Security Team is tasked with the prevention, detection, mitigation, and remediation of cybersecurity incidents through a variety of technical and operational measures, and reports to our DevOPS/Security Manager. The team is comprised of personnel with a broad range of experience across the business and information technology industries, including our DevOPS/Security Manager, a DevOPS Security Administrator, and employees in senior legal and administrative roles. The IT Security Team relies on the advice of the Manager DevOPS/Security related to the security of our data and any mitigation steps necessary. Our DevOPS/Security Manager leads our cybersecurity program and is tasked with supporting our security functions of identifying, preventing, detecting, responding to, and recovering from cybersecurity threats and incidents. The DevOPS/Security Manager has 27 years of experience in IT networking, administration, and security related roles, including nine years at the Company. Prior to joining the Company, our DevOPS/Security Manager served for 15 years in a senior leadership role in the IT department of a large, publicly traded Fortune 500 company. The DevOPS/Security Manager provides quarterly updates to the Cybersecurity Committee on the Company’s cybersecurity program, including cybersecurity risks, incidents, and mitigation strategies. Our DevOPS Security Administrator has experience developing and maintaining an IT security program for a Fortune 500 company, has a bachelor’s degree in information technology, and maintains a Comptia Security+ certification. The Company has established processes for assessing, identifying, and managing material risks from cybersecurity threats. The Company utilizes a hybrid platform consisting of a local and cloud environment. Our local environment connects to the cloud environment via an encrypted virtual private network (“VPN”) connection. Our Site-to-Site connection consists of a firewall in our local environment which responds to a connection from a firewall in our cloud. Our networks have segregated subnets, and only allow designated staff access to our cloud environment, which is only accessible from one of our local office segments. All firewalls are configured with intrusion detection systems and intrusion prevention systems, strict firewall rules, denial of service, spoof protection, advanced threat protection, and zero-day protection. Our firewalls are configured to receive definition updates as they are released, and firmware updates are automatically installed when available. We secure our local network by not utilizing any wireless access points connected to any of our networks or firewalls, enabling port security on switches, following a principle of least privilege policy, and implementing Security Information & Event Management (“SIEM”) to capture all network traffic & security events from both networking equipment, endpoints, and servers. We enforce a strict password policy with multi-factor authentication. All computers and servers utilized by the Company are protected by endpoint protection, which provides real-time protection of local and network files, internet activity, and utilizes ransomware protection, application protection, malicious behavior protection, anti-malware scan interface protection, file integrity monitoring, and data loss prevention. Our endpoint protection software updates immediately upon definition releases. This endpoint has live protection and performs a deep system scan daily. Our endpoint protection 52 products are managed by our IT Security Team via a dashboard that provides our team with immediate alerts, device isolation, and investigation features, and also contracted the use of a Managed Detection and Response (“MDR”) service. The MDR service monitors our protected endpoints, servers, and network equipment at all times. This service also investigates, eliminates, and mitigates any critical alerts, while notifying our IT Security Team issues identified. All endpoints and servers are updated with security patches and application updates to our systems from a Patch Management system. Our IT Security Team reviews security logs daily, and performs quarterly audits of device access, building access, outages, application access, and IT & Development tickets. We employ data loss prevention policies to enforce HIPAA rules and also use stringent encryption controls. In addition, a Vulnerability Scanning system performs vulnerability detection on a quarterly basis. An independent third-party company conducts annual penetration and vulnerability detection as well. Our offices are physically secured with key card access controls for parking, first floor access, and elevator access. In addition, security guards monitor building reception areas and parking garages, and receptionists are located in our lobbies to greet visitors. The Company engages assessors, consultants, auditors, or other third parties in connection with its cybersecurity processes. The Company engages third party vendors in connection with our cybersecurity processes, including penetration and vulnerability scanning, auditing of our information security management program (ISMP); and a provider of products and services to secure users, networks, and endpoints against ransomware, malware, exploits, phishing and the wide range of other cyber attacks. In addition, the Company engaged national accounting and advisory services firms to audit the operating effectiveness of our security program, which incorporates cybersecurity in our processes. On an annual basis, the Company conducts a SOC 2 Type II audit and a HITRUST assessment. SOC 2 Type II audits assess risks from interactions with the Company’s systems, particularly information about system controls that the Company has designed, implemented, and operated to provide reasonable assurance that its service commitments and system requirements were achieved based on the SOC 2 trust services criteria. A HITRUST assessment address the need for a continuously relevant cybersecurity assessment that incorporates best practices and leverages the latest threat intelligence to maintain applicability with information security risks and emerging cyber threats, such as ransomware and phishing. HITRUST assessments also provide a level of assurance that delivers full transparency, accuracy, consistency, and integrity. In April 2022, an AICPA member firm and HITRUST authorized External Assessor Organization (the “Assessor”) completed an independent assessment of the Company’s systems. These independent assessments verified that we met the healthcare industry’s highest standards in protecting healthcare information and mitigating this risk, including compliance with HIPAA rules and regulations. On March 2, 2023, the Assessor reported that the Company’s data recovery system’s commitments and system requirements meet or exceed the stringent SOC 2 Type II applicable trust services criteria. On October 13, 2023, HITRUST certified that the platforms, facilities, and supporting infrastructure of our organization meet the HITRUST CSF(R) v11.1.0 Implemented, 1-year (i1) certification criteria. For our cloud computing services, we currently use a cloud service provider who is also HITRUST certified for the contracted services. The Company has processes to oversee and identify risks from cybersecurity threats associated with its use of third-party service providers. The Company maintains specific policies and practices governing our third-party security risks, including our third-party assessment (“TPA”) process. Under our TPA process, we gather information from certain third parties who contract with the Company and share or receive data, or have access to or integrate with our systems, in order to help us assess potential risks associated with their security controls. We also generally require third parties to, among other things, utilize encrypted secure file transfer protocols to exchange data. We require counterparties to enter into Business Associate Agreements and Non-Disclosure Agreements that, among other things, require them to maintain security controls to protect our confidential information and data, and notify us of material data breaches that may impact our data. 53 Governance The Board has established a Cybersecurity Subcommittee of the Audit Committee responsible for the oversight of risks from cybersecurity threats. On February 7, 2024, the Board established the Cybersecurity Subcommittee of the Audit Committee (the “Cybersecurity Committee”) to assist the Board in fulfilling its oversight responsibilities with respect to assessing and mitigating the Company’s cybersecurity risks. The Company’s management, under the guidance of the IT Security Team, is responsible for the preparation, presentation, and self-assessment of the Company’s cybersecurity policies and practices. The Cybersecurity Subcommittee shall be comprised of at least one independent director, and is tasked with reviewing and providing high level guidance on cybersecurity-related issues of importance to the Company. The IT Security Team reports to the Cybersecurity Subcommittee on a quarterly basis to inform the committee about and monitoring, prevention, detection, mitigation, and remediation of cybersecurity incidents, and is tasked with notifying the Cybersecurity Subcommittee of a cybersecurity incident upon discovery.
Company Information
Name | MSP Recovery, Inc. |
CIK | 0001802450 |
SIC Description | Services-Computer Processing & Data Preparation |
Ticker | LIFW - NasdaqLIFWW - NasdaqLIFWZ - Nasdaq |
Website | |
Category | Emerging growth company |
Fiscal Year End | December 30 |