CORVEL CORP 10-K Cybersecurity GRC - 2024-05-24

Page last updated on July 16, 2024

CORVEL CORP reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-24 16:31:07 EDT.

Filings

10-K filed on 2024-05-24

CORVEL CORP filed a 10-K at 2024-05-24 16:31:07 EDT
Accession Number: 0000950170-24-064645


Item 1C. Cybersecurity.

Our information security and cybersecurity program is based on a cybersecurity framework that is designed to protect against operational risks related to cybersecurity.

Cybersecurity Risk Management and Strategy

We recognize the importance of developing, implementing, and maintaining cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of company information, and data entrusted to us by our customers. We have implemented a cybersecurity program to assess, identify, and manage risks from cybersecurity threats that could adversely and materially affect the confidentiality, integrity, and availability of our information and information systems. We maintain administrative, technical, and physical controls designed to protect the security and privacy of confidential, personal, and proprietary information.

We conduct regular assessments, measuring our exposure to cyber threats. These assessments form the basis for our cyber risk program. Threats and risks are identified from threat intelligence sources that include our vendors, industry, and government organizations.

Our Chief Information Security Officer (“CISO”) is responsible for overseeing and implementing our cybersecurity program and enforcing our cybersecurity policy. We employ internal dedicated security personnel and also have contracted services delivered from a full-service Managed Security Service Provider. Our Chief Technology Officer (“CTO”) oversees the day-to-day security operation, and our Chief Information Officer (“CIO”) oversees our secure development activities.

Our CISO leads our enterprise information security, privacy, and cybersecurity program, which is designed to (i) ensure the security, confidentiality, integrity and availability of our information and information systems; (ii) protect against any anticipated threats or hazards to the security, confidentiality, integrity or availability of such information and information systems; and (iii) protect against unauthorized access to or use of such information or information systems that could result in substantial harm or inconvenience to us, our partners or our customers.

We have implemented an industry adopted cybersecurity framework, which is continuously improving. We continuously test and assess our cybersecurity posture, including third-party risk assessments performed by reputable assessors, consultants, and auditors. Additionally, we perform an annual evaluation of our cybersecurity program. The Board of Directors and the Audit Committee maintain oversight of the cybersecurity program to ensure risks to the Company are managed appropriately.

Our cybersecurity program leverages people, processes, and technology to identify and respond to cybersecurity threats. We have a Cybersecurity Incident Response Plan which contains processes and procedures related to security incident handling. We also have vendor assessment processes to oversee, identify, and reduce the potential impact of a security incident at a third-party vendor, service provider or customer or otherwise implicating the third-party technology and systems we use. Our agreements with third parties may include various compliance requirements, data protection terms, audit or monitoring rights, and notification requirements in the event the third party experiences its own cybersecurity event.

We perform ongoing cybersecurity awareness training for our employees that reinforces our information security policies, standards and practices. In addition, employees receive periodic newsletters emphasizing awareness of new cybersecurity threats (e.g., phishing attempts, smishing, pretexting, and deep fakes). This training is mandatory for all employees and is supplemented with periodic social engineering tests.

We engage consultants to review our cybersecurity program to help identify areas for continued focus, improvement and compliance. Our processes also address cybersecurity risks associated with third-party service providers, including those with access to our non-public or restricted data, including client data.

In the last three fiscal years, we have not experienced any material cybersecurity incidents or costs.

Cybersecurity Governance

As stated above, the Board of Directors and the Audit Committee maintain oversight of the cybersecurity program to ensure risks to the Company are managed appropriately. Our CISO, who reports to the Chief Executive Officer (“CEO”), is responsible for providing annual updates to the Board of Directors and to executive leadership. In addition, our CISO partners closely with our CIO and CTO and their respective organizations to execute defined functions within our cybersecurity program. Our CISO, CIO, and CTO each report directly to the Chief Executive Officer (“CEO”) who, as appropriate, will escalate any cybersecurity issues to the Board. Our CISO and CIO both attend regular meetings with the executive officer team, including our CEO, Chief Financial Officer and other senior executive officers, and report on cybersecurity matters as appropriate.

Our cybersecurity and IT leaders have extensive relevant work experience in various roles which includes developing cybersecurity strategy, implementing effective information and cybersecurity programs, and implementing cybersecurity and privacy solutions. Such leaders in our organization hold industry recognized certifications such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) and Global Information Assurance Certification (GIAC).


Company Information

Name: CORVEL CORP
CIK: 0000874866
SIC Description: Insurance Agents, Brokers & Service
Ticker: CRVL - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: March 30