Privia Health Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 08:54:39 EST.
Filings

10-K filed on 2025-02-27 08:54:39 EST, Accession Number: 0001759655-25-000018
Item 1C. Cybersecurity.

Item 106(b) Cybersecurity Risk Management and Strategy

Information and Cybersecurity Risk Management and Strategy

Our approach to risk management, including cybersecurity risk, is designed to identify, assess, prioritize and manage major risk exposures that could affect our ability to execute our corporate strategy and fulfill our business objectives. Our cybersecurity risk management program is designed based on industry standards and informed by the National Institute of Standards and Technology Cybersecurity Framework. We perform risk assessments in which we map and prioritize identified cybersecurity risks, including risks associated with our use of third- and fourth-party vendors, Medical Groups, Privia Providers and Affiliated Practices, based on probability, immediacy and potential magnitude. These assessments inform our cybersecurity risk management strategies and oversight processes, and we view cybersecurity risks as one of the key risk categories we face. Our processes for assessing, identifying and managing cybersecurity risks and vulnerabilities are embedded across our business as part of our enterprise risk management (“ERM”) program. Among other things, we regularly engage with internal and external cybersecurity assessors, consultants and auditors to enhance our cybersecurity risk management strategies, review compliance with evolving standards, and evaluate the effectiveness and maturity of our controls; perform regular internal and external risk assessments, including those required by HIPAA; provide annual mandatory privacy and security training for all employees; perform technical testing and penetration testing to validate the effectiveness of our cybersecurity program; and perform simulated breach testing and tabletop exercises to simulate responses to information security incidents.
We have established processes to oversee and manage risks associated with our third- and certain fourth-party service providers, including regular security assessments and compliance reviews. We use the findings from these and other processes to assess our information and cybersecurity practices, procedures and technologies, including for potential enhancements to our risk mitigation strategies. We maintain a Cybersecurity Incident Response Plan (“CSIRP”), which includes processes to detect, triage, assess the severity of, escalate, contain, investigate and resolve or mitigate cybersecurity incidents, as well as to comply with applicable legal obligations and mitigate brand and reputational damage. In addition, we maintain cyber liability insurance to protect against potential losses arising from cybersecurity incidents. In 2024, we did not identify any cybersecurity threats or incidents, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats or incidents or provide assurances that we have not experienced an undetected cybersecurity threat or incident. For more information about these risks, please see “Item 1A - Risk Factors” under the caption “Security threats, cybersecurity incidents or other forms of data breaches, catastrophic events and other disruptions to our, our Medical Groups’, our business partners’ or our vendors’ information technology and related systems could compromise sensitive information related to our business, the Medical Groups or patients, prevent access to critical information, harm patients, require remediation and other corrective action, which can be expensive, and expose us to liability, which could adversely affect our business, operations and reputation.” of this Annual Report on Form 10-K.

Information and Cybersecurity Governance and Oversight

Our Board of Directors (“Board”) is responsible for overseeing risk management at Privia and, as part of this responsibility, the Board, assisted by its committees, exercises oversight over our ERM program, which is designed and implemented by management. As part of its broader risk oversight activities, the Board oversees risks from cybersecurity threats, both directly and through the Audit Committee of the Board (“Audit Committee”) and the Compliance Committee of the Board (“Compliance Committee”). The Compliance Committee is responsible for reviewing data security programs, including cybersecurity and procedures regarding disaster recovery and critical business continuity. The Compliance Committee is also responsible for reviewing Privia’s programs and plans established by management to monitor compliance with data security compliance programs and test preparedness. The Audit Committee assists our Board in fulfilling its oversight responsibilities with respect to risk management in the areas of internal control over financial reporting, disclosure controls and procedures, and legal and regulatory compliance, and discusses with management policies and practices with respect to risk assessment and risk management. The Compliance Committee receives quarterly reports from the Chief Information Security Officer (“CISO”) and Privacy Officer on information security risks, including cybersecurity incidents or privacy events, relevant information about the cybersecurity threat landscape, and updates on our cybersecurity risk management strategy and any potential issues. The Compliance Committee reports to the Audit Committee at each regularly scheduled meeting of the Audit Committee, and the Compliance and Audit Committees meet periodically in joint session to discuss matters of joint interest and responsibility, such as cybersecurity risks.
In addition, the full Board receives periodic briefings on cybersecurity risks from the CISO. Our CISO, who leads our information security team and reports to our Chief Technology Officer, is responsible for day-to-day identification, assessment and management of the information security risks we face. The CISO provides monthly information and cybersecurity updates to a cross-functional team of executive leaders, who prioritize risks and risk mitigation activities. The CISO has held executive technology leadership roles within health systems and physician groups for over 15 years, including Chief Technology Officer, Chief Information Officer, and Chief Information Security Officer. The information security team works with our broader technology team, as well as our compliance and legal teams, to align operations and technology developments with cybersecurity program objectives. In addition, we maintain processes for managing incident assessment and internal escalation. We have established a Cybersecurity Incident Response Team (“CSIRT”), which is responsible for (1) responding to cybersecurity incidents, (2) maintaining our CSIRP, which is regularly updated in response to organizational changes, technical changes, changes to the threat landscape or active or previous cybersecurity incidents, and (3) monitoring the prevention, detection, mitigation, and remediation of cybersecurity incidents. The CSIRT comprises the CISO and other key members of management, including the Privacy Officer, Chief Technology Officer, Chief Audit and Compliance Officer, General Counsel and other members of management and our technical response teams as necessary to appropriately respond to an incident, including mitigation, remediation and any required or recommended disclosure of an incident.
Furthermore, as part of management’s oversight of information and cybersecurity risks, we maintain a Third Party Access Committee, comprised of our CISO, Privacy Officer, and colleagues drawn from across the organization, including our technology, compliance and legal teams, which is responsible for reviewing and monitoring compliance for third- and certain fourth-party requests for and access to certain Company data and information.
Company Information

| Field | Value |
| --- | --- |
| Name | Privia Health Group, Inc. |
| CIK | 0001759655 |
| SIC Description | Services-Health Services |
| Ticker | PRVA - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 30 |