Elevance Health, Inc. 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 20, 2025

Elevance Health, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 15:58:57 EST.

Filings

10-K filed on 2025-02-20

Elevance Health, Inc. filed a 10-K at 2025-02-20 15:58:57 EST
Accession Number: 0001156039-25-000010


Item 1C. Cybersecurity.

We operate in a highly regulated industry. Federal, state and international laws and contractual commitments guide our collection, use and disclosure of confidential information such as protected health information, personal financial information and personally identifiable information. Our success depends on maintaining a high level of trust among our stakeholders, including our consumers, clients, business partners, providers, regulators and associates. Failure to effectively secure, maintain and upgrade our information systems, or the availability and integrity of our data, could adversely affect our business, including our business strategy, cash flows, financial condition and results of operations.

Cybersecurity Risk Assessment

Our cybersecurity and risk management programs are part of our continuously evolving enterprise-wide risk management practices. Aligned and measured against the National Institute of Standards and Technology (NIST) Cybersecurity Framework, recognized best practices and standards for cybersecurity and information technology, industry and government standards and other guidelines, our cybersecurity and risk management programs utilize policies, processes and technologies to identify, assess, manage and mitigate the cybersecurity risks and threats we face. We also conduct periodic reviews and updates to uphold our security standards, including tabletop crisis exercises. Our management implements ongoing and annual risk assessment processes to identify and manage risks that could affect our ability to safeguard sensitive data or provide reliable transaction processing, and to minimize financial risk exposure.

These risks include, but are not limited to: regulatory compliance; third-party management, including risks from business partners and software providers; mergers and acquisitions; system availability and disruption of business operations; data use and security; vulnerability and configuration management; fraud and extortion; and reputation risk. The steps we take to reduce vulnerability to cyber-attacks and to mitigate and remediate the impact of cybersecurity incidents in a timely and coordinated manner include, but are not limited to: establishing information security policies and standards; implementing information protection processes, tools and technologies; monitoring information technology systems for cybersecurity threats; coordinating internal reporting; assessing the cybersecurity risk profiles of key third parties; implementing cybersecurity training; and collaborating with public and private organizations on cyber threat information and best practices. In addition to our internal Information Security teams, we also utilize trusted third-party auditors, recognized cybersecurity consultants and certified assessors to assess cybersecurity risks, related controls, and alignment with relevant regulatory and legal requirements. A third party evaluates our information security policies, standards and control environment at least annually. Assessments and testing protocols are performed against industry best practices and widely recognized security frameworks.

We face many cybersecurity risks in connection with our business. As of December 31, 2024, no known cybersecurity threats have materially affected, or are reasonably likely to materially affect, the Company, including our business strategy, cash flows, financial condition or results of operations; however, future cybersecurity incidents or threats may materially affect us, including by affecting our business strategy, results of operations or financial condition. See Part I, Item 1A. “Risk Factors” for more information on the Company’s cybersecurity-related risks.

Management and Governance of Cybersecurity Risk

To manage our cybersecurity risk, we employ a cross-organizational steering committee, the Information Security Steering Committee (“ISSC”), that supports the direction and governance of our enterprise-wide Information Security Program. The ISSC is chaired by our Chief Information Security Officer (“CISO”) and is comprised of accountable senior business leaders, including our Chief Compliance Officer (“CCO”), Chief Risk Officer (“CRO”), legal counsel, and human resources, procurement and business segment leaders. In addition to the ISSC, we have defined risk functions to cover overall enterprise risks and information technology and cybersecurity risks within our enterprise risk management framework, including, but not limited to: our IT Risk Management program, led by our CISO; our Responsible Artificial Intelligence (“RAI”) Program, led by our Chief Digital Information Officer; Compliance, led by our CCO; Internal Audit, led by our Chief Audit Executive (“CAE”); Enterprise Risk Management programs, led by our CRO; Third-Party Risk Management, comprised of business and information security leaders; IT due diligence processes, led by business, technology and information security leaders; and our Corporate Insurance Program, including cybersecurity insurance, led by our Treasurer.

To evaluate cybersecurity and privacy incidents and enable us to comply with public disclosure requirements, we have a Privacy and Security Incident Response and Reporting Policy and Procedure (the “Policy”) with defined escalation criteria (the “Plan”) in support of our incident response processes. The Plan provides a framework to our Cyber Incident Response Taskforce, comprised of our Chief Privacy Officer (“CPO”), CISO and applicable legal counsel and business and corporate services leaders, for responding to cybersecurity incidents. The Policy, together with the Plan, identifies applicable requirements for incident disclosure and reporting and also provides protocols for incident evaluation based on the facts and circumstances of each incident, including the use of third-party service providers and partners, and processes for notification and internal escalation of information to our senior management, including to our chief legal officer and CEO, a subcommittee of our SEC disclosure committee, and ultimately our Board of Directors and appropriate Board committees. The Policy also addresses requirements for our external reporting obligations. The Policy is reviewed and updated, as necessary, under the leadership of our CISO and CPO.

Our Board oversees and guides our business and oversees our exposure to major risks, including steps taken by management to monitor and mitigate cybersecurity risks. The Board receives and reviews periodic reports from management on various risks, and delegates to its Audit Committee certain oversight responsibilities. The Board monitors cybersecurity risks and receives a report at least quarterly from our CISO regarding our Information Security Program. In addition, certain cybersecurity incidents are escalated to the Board in accordance with our Plan as described above. Periodically, the Board also receives third-party assessments of our information security. The Audit Committee receives regular updates on both information security and data privacy matters, and oversees data privacy, integrity, incident and breach risks.

Cybersecurity Expertise

Our Information Security Program has been established with the mission of minimizing risk to our member, client and associate data, and it is managed by our CISO. Our current CISO has over 30 years of experience in information security and technology and has held a wide variety of technical and strategic leadership positions. He holds advanced certifications, including Certified Information Systems Security Professional and Certified Secure Software Lifecycle Professional. Our associates, including those responsible for cybersecurity, are evaluated for competence, including the knowledge and skills necessary to accomplish the tasks that define associates’ roles and responsibilities, and undergo regular training regarding security awareness, privacy, ethics and compliance. Our job summaries contain specific educational and knowledge requirements necessary for cybersecurity jobs. In addition, a criminal background check is completed for all new associates, and performance reviews are conducted annually to measure performance results and achievements and to assess the job competency of our associates.


Company Information

Name: Elevance Health, Inc.
CIK: 0001156039
SIC Description: Hospital & Medical Service Plans
Ticker: ELV - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30