Page last updated on February 18, 2025
Waystar Holding Corp. described its cybersecurity risk management and governance process in its annual 10-K, filed on 2025-02-18 06:46:45 EST.
Filings
10-K filed on 2025-02-18
Waystar Holding Corp. filed a 10-K at 2025-02-18 06:46:45 EST
Accession Number: 0001410578-25-000148
Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We have developed a cybersecurity risk management program to regularly assess risks from cybersecurity threats and monitor our systems to manage those risks. Our cybersecurity risk management program is an important component of, and integrated with, our overall enterprise risk management framework, which addresses legal, compliance, operational, and financial risks, alongside cybersecurity risks. Through this integration, we aim to optimize resource allocation, improve risk identification, and strengthen our cybersecurity governance.

Our cybersecurity risk management program is based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF 2.0) and is aimed at assessing, identifying, and managing risks from cybersecurity threats. The processes comprising our cybersecurity risk management program include risk assessments, vulnerability scanning and penetration testing, threat intelligence monitoring, and employee training and awareness programs. To respond to and handle cybersecurity incidents, we have implemented and maintain a comprehensive incident response process that is regularly tested and updated.

To protect our information systems from cybersecurity threats, we employ technical processes as a crucial component of our multi-layered cybersecurity risk management program. These processes include firewalls, intrusion detection and prevention systems, access controls, endpoint protection, data encryption, vulnerability management, security information and event management, data loss prevention, regular security assessments, and penetration testing. Our technical processes are regularly reviewed and updated.

As part of our cybersecurity risk management program, we undergo regular assessments and audits by external and independent auditors. These include assessments following the Health Information Trust Alliance (HITRUST) Common Security Framework. We also undergo independent System and Organization Controls 2 (SOC 2) Type 2 audits and assessments to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS) requirements. We carry a HITRUST certification and PCI certification. The results of these audits and assessments are reported to our Board of Directors, and we adjust our cybersecurity policies, standards, processes, and practices as necessary or appropriate based on the information provided by these assessments and audits.

Our cybersecurity team, which is led by our Digital Information & Cybersecurity Officer (DISO), implements and maintains our cybersecurity risk management program and is dedicated to mitigating risks and protecting the confidentiality, integrity, and availability of our systems and data. Our cybersecurity team’s functions include security operations, vulnerability management, security engineering and architecture, compliance and audit support, threat intelligence, security awareness training, and policy development. Our cybersecurity team is also responsible for developing and executing the incident response plan.

Because we rely on third-party vendors, including for information technology services, we have processes to oversee and identify risks from cybersecurity threats associated with our third-party vendors. These processes include vendor screening and due diligence, contractual requirements, security assessments and audits, incident response planning requirements, and ongoing monitoring.

We are not aware of any risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. As discussed more fully under Item 1A “Risk Factors,” there is a risk that we could experience a security incident and a compromise of our information technology systems and data. There is no assurance that our cybersecurity program will in all cases prevent such security incidents. We also maintain cybersecurity insurance that we regularly review to assess for appropriate coverage.

Cybersecurity Governance

Role of the Board

Our Board of Directors plays an active role in overseeing our cybersecurity risk management program. The Board of Directors or the Audit, Compliance, and Risk Committee receives a quarterly update on cybersecurity-related topics. The Board of Directors receives materials every quarter and presentations on alternating quarters from our Chief Technology Officer (CTO) on topics including significant cyberattacks and emerging threats, cybersecurity program performance, results of risk assessments, incident response updates, cybersecurity strategy, and cybersecurity program maturity. We have also established procedures for promptly informing the Board of Directors of any material cybersecurity incidents outside of these scheduled briefings.

Role of Management

Our DISO is responsible for developing and implementing our cybersecurity program and holds certifications including ISO/IEC 27001:2002 Certified Information Security Executive, Cyber Security Executive Certification from Cornell University, Risk & Compliance Executive Certification from William & Mary University, and Healthcare Risk & Compliance Certification from American College of Medical Practice Executives (ACMPE). Our DISO’s responsibilities include managing cybersecurity risk, leading the cybersecurity team, staying informed about threats, reporting on cybersecurity performance, promoting a culture of security, and compliance and audit support. Our DISO regularly updates senior management and the Board of Directors on the performance of the cybersecurity program and the state of cybersecurity risk. Our DISO reports directly to our CTO, who provides executive leadership and support for the overall technology and cybersecurity strategy.

To promote strong governance and oversight in managing cybersecurity risk, we have established a Cyber Risk Council, which is composed of our CTO, DISO, Chief Privacy Officer, Chief Financial Officer, Chief Legal & Administrative Officer, and representatives of our technology and cybersecurity teams. The Cyber Risk Council is responsible for overseeing cybersecurity risk, monitoring performance of the cybersecurity risk management program, and providing strategic guidance and direction for the cybersecurity risk management program, among other oversight and monitoring functions.
Company Information
Name | Waystar Holding Corp. |
CIK | 0001990354 |
SIC Description | Services-Computer Integrated Systems Design |
Ticker | WAY - Nasdaq |
Website | |
Category | Emerging growth company |
Fiscal Year End | December 30 |