GoHealth, Inc. 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

GoHealth, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:04:59 EST.

Filings

10-K filed on 2025-02-27

GoHealth, Inc. filed a 10-K at 2025-02-27 16:04:59 EST
Accession Number: 0001808220-25-000010


Item 1C. Cybersecurity.

GoHealth’s services involve the collection, processing, use, storage and transmission of confidential and personal information of consumers and employees. Maintaining the integrity, confidentiality and availability of this information as well as the information technology systems in which the information resides is critical to the Company’s operations and business strategy. The Company takes a comprehensive, cross-functional approach to developing strategies for identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents. The Company maintains a business continuity and disaster recovery plan as well as a cybersecurity insurance policy.

Risk Management and Strategy

Cybersecurity risk management is integrated into the Company’s broader enterprise risk management (“ERM”) program. The ERM program, led by the Company’s Internal Audit and Legal teams, consolidates the collective input of executive management to prioritize enterprise-level risks, develop risk mitigation initiatives and establish monitoring functions. The cybersecurity program includes the development of a structured control framework and risk taxonomy that aligns with anticipated business risk. The Internal Audit and Legal teams perform an enterprise risk assessment annually and present the results to the Audit Committee of the Board of Directors. Further, our Chief Technology Officer (“CTO”) actively participates in the ERM program, including through diligence conducted as part of the broader ERM program. Our CTO has direct responsibility for cybersecurity and overseeing the Company’s cybersecurity strategy, policies, standards and processes. Our CTO has more than 25 years of experience developing user-centric consumer marketplaces and artificial intelligence products and has held various leadership roles in product development, product design and data science.

The CTO is supported by two senior risk, compliance, and security leaders who engage regularly with the CTO to manage cybersecurity and compliance risks. Additionally, the Company’s cybersecurity team is comprised of experienced information security professionals dedicated to protecting the company’s assets. The CTO receives regular updates on security, compliance risks and initiatives and provides a quarterly cybersecurity risk and incident review to GoHealth’s Internal Compliance Committee. This committee includes cross-functional senior leadership members, including C-suite executives and personnel from legal, compliance and internal audit.

GoHealth’s cybersecurity risk management program is based on industry standards and best practices, aligning with the Center for Internet Security and the National Institute of Standards and Technology (NIST) Cybersecurity Frameworks. The Company conducts control self-assessments and risk assessments in collaboration with assigned control owners and risk owners to evaluate the maturity and effectiveness of its cybersecurity processes. Based on prior third-party assessments, GoHealth has completed the majority of its Governance, Risk and Compliance (GRC) roadmap initiatives and is currently deploying various comprehensive security tools and programs to further strengthen its cybersecurity posture. GoHealth engages with a range of additional third-party cybersecurity service providers, assessors and auditors to evaluate and enhance the effectiveness of its cybersecurity program. Services provided by these third parties include endpoint and network monitoring, vulnerability scanning, penetration testing and security and compliance posture assessments.

To mitigate risks associated with third-party sources, the Company requires third parties with access to personal, confidential or proprietary information to implement and maintain cybersecurity practices consistent with applicable legal standards and industry best practices and to enter into business associate agreements containing contractual provisions with respect to the handling of such information. GoHealth also conducts risk-based information security assessments of these third parties prior to engaging with them.

The Company has established cybersecurity and information security awareness training programs. Formal training on topics relating to the Company’s cybersecurity, data privacy and information security policies and procedures is mandatory at least annually for all employees and contractors with access to the Company’s network. In addition to the annual security training requirement, employees participate in monthly phishing tests and, where appropriate, additional security awareness follow-up training in response to such tests. Training is supplemented through periodic Company communications encouraging all employees and contractors to promptly report security events, incidents and abnormal system behavior.

As cybersecurity incidents occur, the Company’s cybersecurity team focuses on responding to and containing the threat and minimizing any business impact, as appropriate. In the event of an incident, the cybersecurity team assesses, among other factors, safety impact, data and personal information loss, business operations disruption, projected cost and potential for reputational harm, with support from external technical, legal and law enforcement support, as appropriate.

As of the date of this 2024 Annual Report on Form 10-K, the Company is not aware of any material risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected the Company, its business strategy, results of operations or financial condition; however, we cannot provide assurance that these threats will not result in such an impact in the future, as discussed in the risk factors entitled “Risks Related to Our Business” and “Risks Related to Our Intellectual Property and Technology” in Part I, Item 1A. of this 2024 Annual Report on Form 10-K.

Governance

The Board of Directors recognizes the importance of cybersecurity in safeguarding the Company’s sensitive data. The Board of Directors is responsible for overseeing overall risk management for the Company, including review and approval of the ERM approach and processes implemented by management to identify, assess, manage and mitigate risk. The Audit Committee is central to the Board of Directors’ oversight of cybersecurity risks and bears the primary responsibility for assessing and managing the Company’s material risks from cybersecurity threats.

Cybersecurity risk oversight is also a key area of focus for management. As discussed above, the CTO is primarily responsible for the cybersecurity program, strategy, policy, standards and processes. On a quarterly basis, or more frequently if a need arises, the CTO presents a briefing to the Audit Committee regarding the Company’s cybersecurity program. The presented topics include, but are not limited to, the status of ongoing cybersecurity initiatives, incident reports and compliance with industry standards. Potentially material cybersecurity matters are escalated to the Audit Committee and/or the full Board of Directors, as appropriate, for risk oversight.


Company Information

Name: GoHealth, Inc.
CIK: 0001808220
SIC Description: Insurance Agents, Brokers & Service
Ticker: GOCO - Nasdaq
Website:
Category: Accelerated filer; Smaller reporting company
Fiscal Year End: December 30