InnovAge Holding Corp. 10-K Cybersecurity GRC - 2024-09-10

Page last updated on September 10, 2024

InnovAge Holding Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-10 17:26:13 EDT.

Filings

10-K filed on 2024-09-10

InnovAge Holding Corp. filed a 10-K at 2024-09-10 17:26:13 EDT
Accession Number: 0001834376-24-000074

Item 1C. Cybersecurity.

Risk Management and Strategy

Our Cybersecurity Program (“Program”) is designed from a risk- and compliance-based approach for resilience and protection across our operations and the appropriate access, use, and/or disclosure of PHI and PII. Our Program employs the National Institute of Standards and Technology (NIST) cybersecurity framework and strategy to deliver multi-layered defenses and relevant technologies that are designed to control, audit, monitor, and protect access to sensitive information. We also leverage government partnerships, industry and government associations, third-party benchmarking, audits, threat intelligence feeds and other similar resources to inform our cybersecurity efforts and allocate resources.

We maintain our Program with physical, administrative and technical safeguards, and we maintain plans and procedures whose objective is to help us prevent and respond to cybersecurity incidents. Elements of our Program include: (i) required training for our employees (including onboarding and annual training), exercises (including advanced phishing exercises), and awareness for our employees to promote vigilance of cybersecurity risks and (ii) compliance audits and assessments, which include routine technical and non-technical audits and assessments internally and in collaboration with independent third parties at least annually. In addition, we engage various third-party consultants to assist us in assessing, enhancing, implementing and monitoring our Program and responding to incidents.

As a company managing the use and disclosure of PHI and PII, we annually undergo internal and/or third-party HIPAA Security Rule risk assessments of our administrative, physical, and technical safeguards. In addition, external assessors periodically evaluate our safeguards against multiple frameworks, including NIST Cyber Security Framework (CSF).

Our Program is integrated into our Enterprise Risk Management (ERM) program and includes a vendor risk management program supported by our security and compliance teams. We assess vendor cybersecurity risks according to HIPAA and NIST CSF standards and have established an oversight process to manage cybersecurity risks related to the products and services we procure.

During the fiscal year ended June 30, 2024, we did not identify risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. While prior incidents have not had a material impact on us, future incidents could have a material impact on our business, operations, and reputation. See "Security breaches, loss of data and other disruptions have in the past and could in the future compromise sensitive information related to our business or our participants, or prevent us from accessing critical information and expose us to liability, and could adversely affect our business and our reputation" in Item 1A “Risk Factors” in this Annual Report.

Governance

While our full Board of Directors has overall responsibility for risk oversight, it has delegated primary oversight of certain risks to its committees. Our Audit Committee monitors cybersecurity risks, and the steps our management has taken to monitor and control exposures. Our Chief Information Officer (CIO) and Chief Information Security Officer (CISO) brief the Audit Committee quarterly on cybersecurity risks, updates on the regulatory and cyber landscape and significant cybersecurity events, as needed. Our Audit Committee reports to the Board of Directors on cybersecurity matters quarterly, or more often as the need arises.

We have an Information Security Team to strengthen our cybersecurity risk management activities across the Company. The Information Security Team reports to our CISO who works in collaboration with our CIO, Chief Compliance Officer and General Counsel. The Information Security Team is responsible for the oversight and operation of our Program, and the management of our security standards and operating procedures.

Cole Naus is our CISO. Mr. Naus has over 10 years of experience in the cybersecurity industry. Mr. Naus holds a degree in Cybersecurity and Information Assurance and holds other cybersecurity certifications. Mr. Naus reports directly to Cara Babachicos, our CIO. Ms. Babachicos has over 20 years of experience in the cybersecurity industry, having previously worked as Chief Information Officer at other companies in the healthcare industry.


Company Information

Name: InnovAge Holding Corp.
CIK: 0001834376
SIC Description: Services-Health Services
Ticker: INNV - Nasdaq
Website
Category
Emerging growth company
Fiscal Year End: June 29