Premier, Inc. 10-K Cybersecurity GRC - 2024-08-20

Page last updated on August 22, 2024

Premier, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-20 18:18:16 EDT.

Filings

10-K filed on 2024-08-20

Premier, Inc. filed a 10-K at 2024-08-20 18:18:16 EDT
Accession Number: 0001577916-24-000009


Item 1C. Cybersecurity.

Risk Management Strategy

We have a comprehensive cybersecurity risk management strategy to assess, identify, and manage material risks from cybersecurity threats. The core of this strategy is our digital risk and security program, which is integrated into our overall enterprise risk framework and is based on industry standards and established frameworks such as National Institute of Standards and Technology (NIST) and other guidelines. Our program is designed to help protect our systems, data, and operations from potential cyber threats, ensure the continuity of business operations, ensure we comply with applicable privacy and other laws and regulations, and meet our commitments to our members, customers, suppliers, employees, and other stakeholders.

We employ a comprehensive, cross-functional approach to our cybersecurity strategy across our technology, legal, compliance, risk, finance, and other teams to assess, identify, and manage cybersecurity threats and respond to cybersecurity incidents when they occur. This integration helps ensure that the breadth of potential impacts from cybersecurity risks is considered and that our approach to managing these risks is consistent and coordinated across teams within our business. Through our digital risk and security program, our cybersecurity risk is regularly evaluated, and we regularly report this assessment of our cybersecurity risk to our executive management team and to the Audit and Compliance Committee and the Board of Directors. We have devoted, and expect to continue devoting, significant financial and personnel resources to maintain and improve our digital risk and security program.

Cybersecurity Tools

Our digital risk and security program deploys technical safeguards designed to help protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence and incident response experience.

Risk Assessment; Third Party Assessments and Audits

We use a combination of internal resources and external assessors, consultants, and auditors to conduct our cybersecurity risk assessments. At least annually, we conduct cybersecurity risk assessments that take into account information from internal stakeholders, known information security vulnerabilities, and information from external sources (e.g., reported security incidents that have impacted other companies, industry trends, and evaluations by third parties and consultants). We examine our cybersecurity controls, capabilities, programs, operating effectiveness, and incident response preparedness against industry standards and established frameworks, such as NIST and other guidelines. These assessments, which include third party audits for certain aspects of our cybersecurity, examine our end-to-end security practices, including data centers, infrastructure, and operations, and cover both physical as well as digital environments. Material results of assessments and audits are reported to our executive management team, the Audit and Compliance Committee, and the Board of Directors. The results of the assessment and audits are used to drive alignment on, and prioritization of, initiatives to enhance our cybersecurity, and we seek to adjust our cybersecurity strategies and resources accordingly. We have also obtained certain industry certifications and attestations that demonstrate our dedication to protecting the data of our members, customers, suppliers, employees, and other stakeholders.

Incident Response Planning

We have established an Incident Response Policy for identifying, responding to, containing, eradicating, and recovering from security breaches and other cybersecurity incidents, as well as communicating with relevant stakeholders. Our Incident Response Policy sets forth incident response and communication responsibilities for our employees, management, and Board of Directors. We regularly test and evaluate the effectiveness of the policy as part of our cybersecurity assessments described above.

Third-Party Vendors

We have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers, suppliers, and other vendors. We use a variety of inputs in such risk assessments, including information supplied by vendors and in some cases attestations from objective, reputable, and licensed assessors. Where appropriate, our contracts with vendors require agreement and adherence to commercially reasonable security, confidentiality, and privacy contractual terms. Vendors are subject to security risk assessments at the time of onboarding and are thereafter periodically monitored and reassessed depending on risk level and our cybersecurity practices and in light of evolving cybersecurity standards and legal and regulatory requirements.

Education and Awareness

We promote a culture of security awareness among our employees, and our policies require each of our employees to contribute to our cybersecurity efforts. We regularly remind employees of the importance of handling and protecting the data of members, customers, suppliers, employees and others, including through our Security Awareness Training Program delivered to new hires and on an annual basis. This training, which includes “phishing” exercises, is designed to enhance employee awareness of how to detect, respond to, and report potential cybersecurity threats as well as best behavioral practices to mitigate the risk of becoming subject to a cybersecurity incident.

Governance

Board of Directors Oversight

The Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated oversight of cybersecurity and other information technology risks to the Audit and Compliance Committee. The Audit and Compliance Committee oversees the development, implementation, and effectiveness of our strategies to monitor, mitigate, and respond to cybersecurity risks, as well as our procedures, policies and resources for risk assessment and risk management. In this role, the Audit and Compliance Committee receives updates from management on these matters, including the results of risk assessments and audits and the progress of risk reduction initiatives, on a quarterly basis or more frequently as needed. In addition, management updates the Audit and Compliance Committee, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser potential impact. The full Board of Directors receives updates from the Audit and Compliance Committee on its oversight of cybersecurity risk on a quarterly basis or more frequently as needed. In addition, the full Board of Directors also receives periodic briefings from management on the digital risk and security program.

Management’s Role

Our Chief Information Security Officer, Chief Privacy Officer, and Vice President, Risk Management and Compliance work in collaboration as our Digital Risk Management (“DRM”) group and have primary responsibility for our digital risk and security program. These individuals have extensive experience in their roles at the Company and in prior roles at other companies in the areas of information technology and security, data protection and privacy, and risk management and compliance, respectively.

The members of the DRM group, among other things, continuously review and evaluate our cybersecurity risks to: identify technical and business risks; assess the potential impacts of identified risks; develop mitigation strategies to control or reduce risk where needed; communicate to others to ensure that risk owners and stakeholders as well as executive leadership have visibility into identified risks; and monitor identified risks and applicable risk response efforts. On a daily basis, our information technology team monitors, identifies, and classifies potential cybersecurity incidents or threats and is responsible for notifying members of the DRM group of such matters as appropriate based on risk to our organization. Upon learning of any material incidents or threats, the members of the DRM group are responsible for informing our executive leadership, other functional teams, and the Audit and Compliance Committee or Board of Directors, as appropriate.

Risks from Cybersecurity Threats

As of the date of this report, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition; however, see “Item 1A. Risk Factors” in this Annual Report for a discussion of effects that a cybersecurity threat or incident could have on our business strategy, results of operations or financial condition. We cannot provide assurances that we will not experience cybersecurity incidents in the future or that any future cybersecurity incidents will not materially affect us, including our business strategy, results of operations, or financial condition.


Company Information

Name: Premier, Inc.
CIK: 0001577916
SIC Description: Services-Management Services
Ticker: PINC - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: June 29