AMN HEALTHCARE SERVICES INC 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 21, 2025

AMN HEALTHCARE SERVICES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 18:04:35 EST.

Filings

10-K filed on 2025-02-20

AMN HEALTHCARE SERVICES INC filed a 10-K at 2025-02-20 18:04:35 EST
Accession Number: 0001142750-25-000011

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity AMN Healthcare’s board of directors (the “Board”) is responsible for overseeing our enterprise-wide risk management program. The audit committee of the Board (the “Audit Committee”) has primary oversight responsibility for information and cybersecurity, including internal controls designed to mitigate risks related to these topics. This includes regular, and at least quarterly, review by the Audit Committee of reports on topics including, among others, significant cybersecurity risks, results from third-party assessments, training and vulnerability testing, and our incident response plan. Material breaches, if any, and any disclosure obligations arising from any such breach are also discussed separately with the Audit Committee as part of the Board’s risk oversight generally. AMN’s information and cybersecurity program reports up to our Chief Information & Digital Officer (“CIO”) and is managed by our Vice President, Information & Cyber Security , whose team is responsible for leading our enterprise-wide cybersecurity strategy. Through ongoing communications with the team, the CIO and the Vice President, Information & Cyber Security, are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents and progress on cybersecurity infrastructure initiatives. In the event of a material cybersecurity incident, the CIO, in coordination with AMN’s Chief Legal Officer, will escalate to the Audit Committee and the Board is made aware as appropriate and in accordance with AMN’s incident response plan. Our CIO and Vice President, Information & Cyber Security have proven experience as technology leaders establishing and overseeing enterprise information security programs in the healthcare industry. Our CIO has over 25 years of experience serving as Chief Information Officer, Senior Vice President of IT, and Director of IT at various healthcare services and technology companies. AMN’s Vice President, Information & Cyber Security has over 20 years of experience in various roles in information technology and information security. He holds a M.Sc. in Computer Information Systems and holds several relevant certifications, including Certified Information Security Manager and Zero Trust Certified Architect. AMN’s Privacy function, which reports up through our Chief Legal Officer, works collaboratively with the Information Security function to create and review policies, standards and processes. In addition to updating the Audit Committee, the CIO and Vice President, Information & Security, and Privacy team provide regular updates to the Corporate Governance and Compliance Committee, as well as our Chief Executive Officer and other members of our senior management as appropriate. AMN’s information and cybersecurity program has adopted policies, standards, processes, and practices that follow recognized frameworks established by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization, and other relevant standards. AMN Healthcare has also implemented certain controls and procedures that allow its management to assess, identify, and manage material risks from cybersecurity threats. Our processes are integrated into the overall enterprise risk management program, which includes financial risk, compliance risk and other strategic and operational risks that affect the Company. These processes complement our enterprise-wide risk assessment architecture, as implemented by the Company’s management and as overseen by the Board through its Audit Committee. To identify and assess material risks from cybersecurity threats, we engage in regular network and endpoint monitoring, vulnerability assessments, penetration testing, and periodic tabletop exercises. We have developed an incident response plan to manage identified vulnerabilities and further improve our cybersecurity preparedness and response infrastructure. The incident response plan sets forth the actions to be taken in responding to and recovering from cybersecurity incidents, which include triage, assessing the severity of incidents, escalation protocols, containment of incidents, investigation of incidents, and remediation. In addition to our in-house capabilities, we engage with key security and technology vendors, industry participants and intelligence communities to assess our program and test our technical capabilities and enhance the effectiveness of our information and cybersecurity policies and procedures. We use a combination of tools and technologies to protect AMN Healthcare’s assets and information. We maintain and operate a proactive threat intelligence program to identify and assess risk. We have implemented processes to identify, monitor and address material risks from cybersecurity threats associated with our use of third-party vendors , including those in our supply chain or who have access to our systems, data or facilities that house such systems or data. Our team members receive annual training to understand the behaviors necessary to protect company and personal information and receive annual training on privacy laws and requirements. We also offer ongoing practice and education for team members to recognize and report suspicious activity, including phishing campaigns. The Company has experienced cyber threats resulting in immaterial cyber incidents and expects cyber threats to continue with varying levels of sophistication.

Company Information