Page last updated on March 6, 2025
Enhabit, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-06 16:53:30 EST.
Filings
Enhabit, Inc. filed a 10-K at 2025-03-06 16:53:30 EST
Accession Number: 0001803737-25-000049
Item 1C. Cybersecurity.
We take a holistic, multi-layered approach to management and oversight of cybersecurity risks. Our board of directors has ultimate oversight responsibility but has delegated to the board’s Care, Compliance, & Cybersecurity Committee focused and pertinent oversight duties, which have been integrated into our overall enterprise risk management program, as described below.
Our Chief Information Officer provides quarterly reports on our cybersecurity program to the Care, Compliance, & Cybersecurity Committee. These reports include details and metrics on, among other things, our routine vulnerability assessments, internal and external threat intelligence, company-wide phishing exercises and training, device encryption, device patching, routine resilience efforts including quarterly disaster recovery exercises, tabletop incident response and business continuity exercises. The chairperson of the Care, Compliance, & Cybersecurity Committee briefs the full board of directors on such quarterly reports.
The Chief Information Officer and our Chief Information Security Officer also serve on management’s Enterprise Risk Committee, along with our executive management team, the Chief Compliance Officer, and internal audit personnel. The Enterprise Risk Committee meets regularly during the year to assess various significant risks, including cybersecurity risks, and receives cybersecurity updates in connection with those assessments and the development and implementation of any risk mitigation plans. Our President and Chief Executive Officer presents the report of the Enterprise Risk Committee quarterly to the full board of directors.
We also maintain an inter-departmental privacy and security committee which oversees programs and initiatives to protect and secure patient information as well as our data and information systems. This committee reports to our executive management team and has responsibility for our IT-security incident response plan and various training and awareness programs that promote patient privacy and system security practices by employees.
We have structured our cybersecurity program around the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our cybersecurity strategy focuses on implementing effective and efficient controls, technologies, and processes to assess, identify and manage cybersecurity risks. Key components of our strategy include annual and ongoing security awareness training for employees, advanced detection and monitoring systems, and robust incident response and containment. We actively monitor and investigate both internally discovered and externally reported issues that may compromise our information systems, permitting quick and decisive action when necessary.
We also have engaged third-party service providers and have implemented cybersecurity risk management protocols for such parties. For example, all vendors are required to complete our Ongoing Monitoring Assessment Questionnaire, which helps monitor each vendor’s continuing compliance, and we subject our technology vendors to a separate vetting and approval process formally assessing each vendor from a cybersecurity perspective.
Our Chief Information Security Officer, who reports to our Chief Information Officer, brings to bear more than two decades of experience implementing NIST cybersecurity frameworks, including most recently five years as chief information security officer for a Fortune 200 company. He also holds multiple certifications including the globally recognized Certificate Information Systems Security Professional designation since 2006. The Chief Information Security Officer leads a dedicated team of internal IT employees, along with multiple long-term third-party security vendors.
Our board of directors, and the Care, Compliance, & Cybersecurity Committee of the board, supports our Chief Information Officer and Chief Information Security Officer by leveraging members’ experience with information technology and management, including information technology strategy and risks associated with cybersecurity matters, as part of its oversight function.
Our policies and procedures concerning cybersecurity matters apply to all employees. These policies and procedures address encryption standards, antivirus protection, remote access, multi-factor authentication, confidential information, and the use of the internet, social media, email and wireless devices.
We have experienced threats to our data and systems, including malware and computer virus attacks from time to time. To our knowledge, these threats have not materially affected us, our business, financial position, results of operations or cash flows to date. For more information about the cybersecurity risks we face, see Item 1A, "Risk Factors - Other Operational and Financial Risks."
Company Information
Name | Enhabit, Inc. |
CIK | 0001803737 |
SIC Description | Services-Home Health Care Services |
Ticker | EHAB - NYSE |
Category | Accelerated filer |
Fiscal Year End | December 30 |