GoodRx Holdings, Inc. 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

GoodRx Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:30:44 EST.

Filings

10-K filed on 2025-02-27

GoodRx Holdings, Inc. filed a 10-K at 2025-02-27 16:30:44 EST
Accession Number: 0001809519-25-000040

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity . Cybersecurity Risk Management and Strategy We have established and implemented a cybersecurity risk management program and information privacy program (collectively, our “Cybersecurity and Privacy Programs”) that are collectively intended to protect the confidentiality, integrity, and availability of our critical information systems and the information residing therein. These programs are integrated into, and form a part of, our overall risk management program, and share similar methodologies, reporting channels and governance processes to those that apply across the broader risk management framework. Key elements of our Cybersecurity and Privacy Programs include, bu t are not limited to the following : - Teams responsible for managing security and privacy controls, risk assessments, and responding to cybersecurity incidents; - Security and privacy awareness training of our employees; - Privacy and security risk assessments designed to identify material privacy and/or cybersecurity risks to our systems, processes, and assets; - The use of external service providers to assist with privacy and security controls, including vulnerability management; - An incident response plan with trained personnel and personnel that are trained to execute the plan; and, - A third-party risk management process for service providers and vendors. We are subject to an evolving threat landscape that could pose various risks to our business, and such risks are regularly evaluated and managed via our Cybersecurity and Privacy Programs by internal and external experts. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us , including our operations, business strategy, results of operations, or financial condition. For more information regarding risks related to cybersecurity matters, please see Part I, Item 1A, “Risk Factors-We depend on our information technology systems, and those of our third-party vendors, contractors and consultants, and any failure or significant disruptions of these systems, security breaches or loss of data could materially adversely affect our business, financial condition and results of operations.” Cybersecurity Governance Our Board and its committees have an active role in overseeing risk management and they have delegated to the Audit and Risk Committee oversight over our cybersecurity and data privacy risks, including oversight of management’s implementation of our Cybersecurity and Privacy Programs, except to the extent direct oversight by the Board is required by the FTC Order. The Audit and Risk Committee oversees management’s implementation of our Cybersecurity and Privacy Programs, except to the extent direct oversight by the Board is required by the FTC Order. The Audit and Risk Committee receives periodic reports from management regarding cybersecurity and privacy risks, any material updates thereto and a summary of any cybersecurity and/or privacy events or incidents that have occurred, in each case, since the most recent update provided to the Audit and Risk Committee. The Audit and Risk Committee reports to the full Board regarding its activities, including those related to cybersecurity and privacy. In addition, at least once every twelve months and promptly after the occurrence of certain specified cybersecurity/data privacy incidents, the Board and our Chief Executive Officer and President receive the written Cybersecurity and Privacy Program materials, which include the results of the most recent cybersecurity and privacy risk assessment and any evaluations thereof or updates thereto (collectively, the “Reporting Materials”). On an annual basis, management also leads the Board through a comprehensive review of the Reporting Materials, including, among other things, a review of the identified material cybersecurity and privacy risk exposures and the safeguards implemented to control such risk exposures. Our Security Team is responsible for assessing and managing our material risks from cybersecurity threats and is primarily responsible for our overall Cybersecurity and Privacy Programs and collaborates with other employees and third parties to identify and mitigate applicable risks. Our Security Team is composed of certified cybersecurity professionals responsible for assessing and managing cybersecurity risks, led by the Senior Director of Information Security & Compliance. The qualifications of our Security Team include the following industry-recognized certifications: ISC2 Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (C|EH), Certified Incident Handler (GCIH), Certified Intrusion Analyst (GCIA), GSEC, CompTIA Security+, A+ Network+, CISM, CCSK, MCSA, MCSE, MCP, MCT, and Cisco Certified Network Associate (CCNA). The Senior Director of Information Security & Compliance reports to our Chief Technology Officer, who has over 19 years of experience in information technology. The Senior Director of Information Security & Compliance brings over 13 years of experience in risk management, cybersecurity and compliance. The Security Team’s experience in information security and cybersecurity spans across various industries, including healthcare, technology, and critical infrastructure. Under the Cybersecurity and Privacy Programs, our Security Team monitors, prevents, detects, mitigates, and remediates cybersecurity risks and incidents via various means, including monitoring threat intelligence from various sources, internal and external vulnerability management, and alerts and reports produced by security tools. Reporting of such risks is regularly provided to the Board and the Audit and Risk Committee, as applicable.

Company Information