HEALTHCARE SERVICES GROUP INC 10-K Cybersecurity GRC - 2025-02-14

Page last updated on February 14, 2025

HEALTHCARE SERVICES GROUP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-14 16:04:57 EST.

Company Summary

Healthcare Services Group has delivered exceptional housekeeping/laundry and dining/nutrition services to an ever-changing healthcare industry.

Filings

10-K filed on 2025-02-14

HEALTHCARE SERVICES GROUP INC filed a 10-K at 2025-02-14 16:04:57 EST
Accession Number: 0000731012-25-000032


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

The Company adopted an Information Security Policy which governs the Company’s management of information technology (“IT”) systems, network, information, data and assets. HCSG’s Information Security Policy is periodically reviewed based on the National Institute of Standards and Technology Cybersecurity Framework. The Company regularly monitors and measures the performance of the IT Systems and Assets and the Information Security Policy. HCSG has procedures to ensure that any of its vendors and suppliers that create, utilize or process our data take a similar, risk-based approach to information security. Management maintains the cybersecurity risk prevention program which includes ongoing employee education and procedures for cybersecurity incident prevention, detection and response. The Company retains third parties, including IT professionals and legal counsel, specializing in cybersecurity risk management to assist in implementing cybersecurity controls. The Company oversees and identifies material risks from cybersecurity threats associated with its use of third-party service providers by reviewing SOC 1 or SOC 2 reports (whichever is more applicable) for key outsourced systems, including all systems which house protected health information or personally identifiable information. The cybersecurity risk prevention program is part of the Company’s overall risk management program. Please refer to the risk factor titled “We have experienced cyber attacks and breaches, and may in the future experience cyber attacks and breaches which could cause operational disruptions, fraud or theft of sensitive information.” in “Risk Factors” in Part I, Item 1A of this Form 10-K for more information on risks posed by cybersecurity threats to the Company.

As previously disclosed in a Form 8-K filed on October 16, 2024, on October 9, 2024 we identified a cybersecurity incident, which involved unauthorized activity within some of our systems. We immediately activated the Company’s Cyber Incident Response Plan (“IRP”) to investigate such activity with the assistance of leading third-party cybersecurity experts. We also notified law enforcement authorities. We continue to monitor the situation and take appropriate actions consistent with our response protocols. As of the date of this filing, the incident has not caused, and is not expected to cause, disruption of the Company’s business operations. And although there can be no assurance, we do not believe the identified cybersecurity incident will have a material effect on our business, financial condition, results of operations or cash flows.

Management’s Role in Assessing and Managing Material Risks from Cybersecurity Threats

The Company’s day-to-day risk management is under the direction of Jason J. Bundick, the Company’s Executive Vice President, Chief Compliance Officer, General Counsel and Secretary. Jason Osbeck, the Company’s Senior Vice President of Information and Technology, is responsible for day-to-day cybersecurity risk management under the direction of Mr. Bundick. Mr. Osbeck has served in this role at the Company since 2012. The Company has an IRP which details the Company’s policies and procedures in the event of a cyber incident. The Company’s IT department, led by Mr. Osbeck, logs all potential cybersecurity incidents reported which are then reviewed by an Incident Response Team (“IRT”), a cross-functional internal team including IT, risk management, legal and other departmental representation as necessary to identify the potential impact of the cybersecurity incident. As needed, the IRT will consult with third party legal counsel and IT advisory firms to appropriately respond to existing cyber threats.

In the event a material incident is identified, the Company will report such incidents in compliance with applicable law. Material cyber events, if any, are reported to the Board of Directors as they occur. Additionally, Mr. Bundick provides quarterly updates to the Audit Committee on all cybersecurity matters during the quarter.

Board of Directors’ Oversight of Cybersecurity Risks

Our Board is responsible for overseeing the Company’s risk management process. The Board focuses on the Company’s general risk management strategy, including the most significant risks facing the Company, and ensures that appropriate risk mitigation strategies are implemented by management. The Audit Committee oversees the Company’s cybersecurity risk mitigation efforts. The Audit Committee reports to the full Board as appropriate, including when a matter rises to the level of a material risk.


Company Information

Name: HEALTHCARE SERVICES GROUP INC
CIK: 0000731012
SIC Description: Services-Nursing & Personal Care Facilities
Ticker: HCSG - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30