JOINT Corp 10-K Cybersecurity GRC - 2025-03-13

Page last updated on March 14, 2025

JOINT Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-13 20:07:44 EDT.

Filings

10-K filed on 2025-03-13

JOINT Corp filed a 10-K at 2025-03-13 20:07:44 EDT
Accession Number: 0001628280-25-012702


Item 1C. Cybersecurity.

Our Chief Technology Officer (“CTO”) is responsible for cybersecurity within our company, including information technology risks, controls, strategies and procedures. The Cybersecurity Subcommittee of the Board of Directors oversees cybersecurity for our company and meets with the CTO at least quarterly to discuss the status of cybersecurity efforts as well as any security incidents. Cybersecurity Subcommittee materials are provided to the Audit Committee as well as the full Board of Directors. The members of the Cybersecurity Subcommittee bring at least 40 years of expertise and executive-level experience in information technology and cybersecurity to successfully support the CTO in maintaining a strong cybersecurity strategy within our company. The Board of Directors believes that a strong cyber strategy based on industry accepted best practices is vital to protect our business, customers and assets. Our CTO leverages more than 20 years of technology experience in the healthcare and financial services industries involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs and managing within highly regulated global environments. He has managed technology compliance under the regulatory governance of frameworks such as HIPAA, GDPR, FDA, CCPA and TJC Hospital Accreditation. Management has responsibility to manage risk and bring to the Board’s attention the most material near-term and long-term risks to the Company. The Company’s CTO leads management’s assessment and management of cybersecurity risk. The CTO reports to the Company’s Chief Executive Officer. The CTO regularly reviews cybersecurity matters with management. A dedicated team of technology professionals works throughout the year to monitor all matters of risk relating to cybersecurity.

We completed our ISO 27001 Information Security Management certification project, culminating in a primary and secondary audit against the standard. We expect to complete the final remediation and updates to policies and procedures and achieve our certification in March 2025. Additionally, we operate and are compliant under the following provisions: HIPAA attestation for the HIPAA Security Rule and the Health Information Technology for Economic and Clinical Health Act (HITECH) Breach Notification requirements. Vendors that have access to our information are required to manage such information in accordance with laws and appropriate privacy and security standards. Standards are applied on a per-contract basis and include requirements to have an information security program and to report to us any incidents in which its confidential information or systems are compromised. Depending on the nature of the vendors’ access to our information, we monitor and evaluate the controls and governance established with the vendors on a cadence ranging from continuous to at least quarterly. We have not directly encountered any incidents from cybersecurity threats to date, but in November 2022, a breach was suffered by one of our vendors, which resulted in the release of certain information with respect to our patients and employees. This breach is discussed in more detail in Item 1. Business, under Regulatory Environment, entitled “HIPAA and State Privacy and Breach Notification Rules”. Based upon our investigation and the cooperation with our vendor, we believe the data breach did not have a material adverse effect on our business or result in any material damage to us, and we do not believe it is reasonably likely to materially affect our business strategy, results of operations, or financial condition. Although we have not yet been materially impacted by any cybersecurity incident, we are subject to cybersecurity threats, as discussed in Item 1A. Risk Factors, including in the risk factors entitled “If we fail to properly maintain the integrity of our data or to strategically implement, upgrade or consolidate existing information systems, our reputation and business could be materially adversely affected” and “If our security systems are breached, we may face civil liability and public perception of our security measures could be diminished, either of which would negatively affect our ability to attract and retain patients”.

We annually assess our cybersecurity programs against third-party requirements, including HIPAA and the Sarbanes-Oxley Act (SOX). We test multiple aspects of cybersecurity regularly, including annual pen testing over our proprietary information systems and annual testing of our technical recovery and incident response procedures. We maintain a robust privacy compliance program. Employees receive periodic email communications, which train them to detect and report malware, ransomware and other malicious software and social engineering attempts that may compromise our information technology systems. In the second quarter of 2024, we implemented the KnowBe4 security training system and completed our first annual training in August 2024. In 2025, we plan to move to a quarterly testing regimen. Currently, we rely on an established major incident management and communication process to address any potential cybersecurity incidents. This established process includes the use of third-party partnerships to make available the distinct skill sets needed to assist in properly responding to any cybersecurity threat. We have established defined response procedures to effectively address any cyber threat that may occur, regardless of the safeguards in place that minimize the chance of a successful cyberattack. The response procedures are designed to identify, analyze, contain and remediate such cyber incidents expeditiously.

These procedures and our approach to safeguarding our information and assets will be continuously monitored by management and updated to evolve with the current cyber landscape, in alignment with the ISO 27001 standard mentioned above.


Company Information

Name: JOINT Corp
CIK: 0001612630
SIC Description: Patent Owners & Lessors
Ticker: JYNT - Nasdaq
Website: (not listed)
Category: Accelerated filer; Smaller reporting company
Fiscal Year End: December 30