Page last updated on February 27, 2025
eHealth, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 17:24:12 EST.
Filings
10-K filed on 2025-02-27
eHealth, Inc. filed a 10-K at 2025-02-27 17:24:12 EST
Accession Number: 0001333493-25-000027
Item 1C. Cybersecurity.
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

At eHealth, information security is everyone's responsibility, and we value the trust consumers and business partners place in us to protect their sensitive information. We have established policies and processes for assessing, identifying, and managing risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. We are subject to various federal and state privacy and security laws, regulations, and requirements. These laws govern the collection, use, disclosure, protection, and maintenance of the individually identifiable information that we collect from consumers. We regularly assess our compliance with privacy and security requirements and conduct periodic risk assessments to identify cybersecurity threats, as well as assessments in the event of a material change in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. Early on, we identified information security as a salient risk as described in Part I, Item 1A, Risk Factors, of this Annual Report on Form 10-K.

We maintain data privacy and security through a robust program of safeguards, including responsible management, appropriate use, and protection that is designed to address applicable legal and regulatory requirements. Furthermore, all employees are required to complete annual privacy and security training. Our security policies and procedures are reviewed and updated regularly to address regulatory, industry, and contractual requirements and recommendations and to address new and emerging security threats. We also conduct regular scans of our technical infrastructure and regular penetration audits to check for vulnerabilities and meet our governance and compliance requirements. Training our employees and contractors is crucial to eHealth's governance and compliance requirements.

All employees and contractors with access to an eHealth IT system are required to complete security awareness training during onboarding and annually thereafter. Due to the increased inherent risk associated with these roles, developers and privileged users are subject to additional security training requirements. Every person with access to eHealth IT systems is required to undergo periodic phishing simulations and receives personalized tools to improve their security behavior. Performance is measured both individually and by functional groups to manage the maturity and improvement of eHealth's overall security posture. Employees must also acknowledge receipt and understanding of their responsibility to comply with eHealth's Code of Business Conduct, including the eHealth Information Security and Acceptable Use Policies, during onboarding and annually thereafter.

Despite our rigorous efforts, incidents may occur, and we are prepared to deal with them through our formal Incident Response Plan. Events such as human errors, computer viruses or other malicious code, unauthorized access, cyber-attacks, or phishing attempts concern all organizations. Our Incident Response Team is trained to contain incidents, mitigate impacts, resolve or remediate issues, and notify affected parties as appropriate. The team is made up of key security, privacy, and legal professionals who work with eHealth Technology and Business Teams and our managed security services. Additionally, eHealth has engaged a guided cyber crisis response platform and conducted a mock cyber-attack exercise to build crisis management experience for our senior leadership and cybersecurity teams. We believe this voluntary skill-building exercise put our teams in a better position to manage a potential cybersecurity crisis.

Our comprehensive data security strategy includes:

- Regular critical security assessments such as advanced attack simulations and vulnerability scans.
- A Software Development Life Cycle (SDLC) framework to assess applications and related infrastructure before implementation to ensure our security standards are met.
- Use of a Role Based Access Control (RBAC) methodology, which defines the access a user receives to eHealth's information systems based on job function.
- Requirements that third-party vendors that host, transmit, or have access to eHealth data comply with our policies and undergo reviews.
- Monitoring of security event data and the security industry to flag anomalies and be aware of potential threats.
- Dedicated domestic and international liaisons who help ensure that business and functional area employees have easy access to experts for guidance and assistance in mitigating privacy and information protection risks.
- Encryption of consumer data both in transit and at rest.
- A broad spectrum of technical controls, including data loss prevention, role-based access, application/desktop logging, and data encryption, as well as multi-factor authentication and enhanced web application firewall controls.

We, like any technology company, have experienced cybersecurity incidents in the past. However, as of the date of this Annual Report on Form 10-K, we have not experienced any cybersecurity incidents that have been determined to be material. For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our company, including our business, operating results and financial condition, please refer to Part I, Item 1A, Risk Factors, of this Annual Report on Form 10-K.

Governance

eHealth's Board of Directors oversees our enterprise risk management process, including cybersecurity, information security, governance, risk management, and compliance programs and strategies. The Board is responsible for monitoring and assessing strategic risk exposure, and our senior leadership team is responsible for the day-to-day management of the risks that we face. The Board administers its cybersecurity risk oversight both directly and through its Audit Committee. The Audit Committee is regularly briefed on eHealth's risk profile issues. These briefings are designed to provide visibility about identifying, assessing, and managing critical risks, audit findings, and management's risk mitigation strategies. Management briefs the Audit Committee periodically about eHealth's protection programs, focusing on current trends in the environment, incident preparedness, business continuity management, program governance, and program components, including updates on security processes, external testing, and employee training and awareness initiatives.

eHealth's Head of Information Security reports to our Chief Digital Officer ("CDO") and, with respect to cybersecurity risks, to the Audit Committee of the Board of Directors. Our Head of Information Security focuses on information and systems technology, corporate governance, and behaviors to drive security best practices and safeguard information from unauthorized or inappropriate access, use, or disclosure. eHealth also has a Privacy Officer who advises the company on privacy-related laws and regulations, provides guidance on privacy compliance, drives privacy policy, and creates and oversees the privacy program. Our Head of Information Security is informed about and monitors prevention, detection, mitigation, and remediation efforts through regular communication and reporting from professionals in our information security team and through the use of technological tools and software and results from third-party audits. Our Head of Information Security and CDO have extensive experience assessing and managing cybersecurity programs and risks.

Our Head of Information Security has served in that position since 2024 and, before eHealth, was the interim Chief Information Security Officer at Castlight Health, where he led the company's overall security program. Before that, our Head of Information Security was Senior Manager of Cyber Security at Secureworks. His security experience also includes a 12-year career at Banc of America Securities and subsequently at Merrill Lynch on their information security teams as Senior Consultant, Systems Engineering & Architecture. Our CDO joined eHealth in 2023 and was previously Chief Product Officer at M1 Finance, responsible for defining the company's product vision, strategy and roadmap to drive growth and profitability. Prior to M1 Finance, our CDO was the Chief Product Officer at Roofstock, Head of Product at LifeLock (acquired by Symantec) and Sr. Director and Head of Product, D3 Incubation Unit at Capital One.

Our Head of Information Security reports directly to the Audit Committee of the Board of Directors on our cybersecurity program and efforts to prevent, detect, mitigate, and remediate issues at least once annually or more frequently as determined to be necessary or advisable. In addition, we have an escalation process in place to inform senior management and the Board of Directors when it is appropriate to do so under the circumstances.
Company Information
| Field | Value |
|---|---|
| Name | eHealth, Inc. |
| CIK | 0001333493 |
| SIC Description | Insurance Agents, Brokers & Service |
| Ticker | EHTH - Nasdaq |
| Website | |
| Category | Accelerated filer |
| Fiscal Year End | December 30 |