Spok Holdings, Inc 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

Spok Holdings, Inc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:02:12 EST.

Filings

10-K filed on 2025-02-27

Spok Holdings, Inc filed a 10-K at 2025-02-27 16:02:12 EST
Accession Number: 0001289945-25-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Spok’s enterprise risk management program includes our cybersecurity risk management program (“Cybersecurity Program”), which is designed to protect the confidentiality, integrity and availability of our critical systems and information. Our Cybersecurity Program is designed utilizing guidance from the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and includes security policies and procedures, security appliances and software, third-party vulnerability testing, business continuity plans, and other administrative, physical and technical measures. Executive management, including our Chief Information Officer (CIO)/Chief Information Security Officer (CISO) and VP Technology Operations , has overall responsibility for assessing and managing key cybersecurity risks; implementation of the Cybersecurity Program is led by key information technology and security management members, including the CIO/CISO and VP Technology Operations, who have specialized training, and various certifications in information technology and cybersecurity strategy, tools and governance. The CIO/CISO has over two decades of experience directing security programs, controls, policies and operationalizing them specific to the healthcare industry. The VP Technology Operations has over a decade of experience managing the Cybersecurity Program, SOC2 audits and security controls and policies. As part of the enterprise risk management program, our Cybersecurity Program shares similar methodologies, reporting channels and governance processes to other areas across the Company. The Cybersecurity Program includes, but is not limited to, the following processes that collectively help management to stay informed about and monitor the prevention, detection, mitigation and remediation of risks and incidents: - Risk assessment program to assess, track and address security risks. - Incident Response Plan to help identify, evaluate, remediate and report incidents, as appropriate. - Security testing by external third-party providers to identify potential threats and vulnerabilities. - Reviews of critical third-party connections, including a security assessment and restrictions based on the third-party’s risk profile. - Security training for employees and contractors, including alerts for new security developments, as warranted. Cybersecurity is part of our Board of Directors’ oversight function. Our Board of Directors has delegated oversight of cybersecurity and other information technology to its Audit Committee. Our Audit Committee receives regular reporting from executive management on our cybersecurity risks and, as necessary, updates on cybersecurity incidents. Our Audit Committee and executive management report to our Board of Directors regarding its activities, including the Cybersecurity Program. Our Board of Directors also receives continuing education on the cybersecurity risks that impact public companies. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, which have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See “Item 1A. Risk Factors”.

Company Information