Page last updated on March 17, 2025
Health In Tech, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-17 16:30:25 EDT.
Filings
10-K filed on 2025-03-17
Health In Tech, Inc. filed a 10-K at 2025-03-17 16:30:25 EDT
Accession Number: 0001213900-25-024561
Item 1C. Cybersecurity.
Health In Tech prioritizes a proactive and comprehensive approach to risk management and cybersecurity, ensuring the protection of our Operational Technology (OT) environment and critical infrastructure from evolving cyber threats. Our security framework is built on robust, adaptive measures, which are regularly refined to incorporate industry best practices and cutting-edge technologies. Through strategic oversight, advanced threat detection, and frequent improvement, we maintain a high level of protection for our systems and data.

Risk Management and Strategy:

Below is an overview of our processes for assessing, identifying, and managing material risks from cybersecurity threats, all of which are conducted in-house.

Network/System Security

● Isolation of OT from IT and User Networks: We ensure our OT systems are physically or logically separated from corporate IT networks, reducing the risk of cross-contamination.
● OT Device Hardening: We enhance security by disabling unnecessary ports, services, and protocols, minimizing potential attack surfaces.
● We ensure data encryption in transit and at rest.
● Patch Management: We maintain a controlled patch management process, ensuring OT systems receive regular updates while considering their unique lifecycle and operational requirements.
● We conduct continuous vulnerability scanning of internal and external networks.
● Endpoint Protection: We implement best-practice security baselines and hardening measures, supported by next-generation EDR security agents for monitoring and automated remediation. Additionally, our Security Information and Event Management (SIEM) system enables autonomous remediation and real-time threat alerting to our security team.
● Anti-Malware Solutions: Recognizing that traditional antivirus may not always be applicable, we deploy specialized security software to detect and prevent malware threats.

Ransomware Detection and Response

● Behavioral Analysis: We utilize advanced behavioral analysis tools to detect ransomware threats by identifying unusual encryption activity, unauthorized file modifications, and abnormal network communications.
● Backup and Recovery: We perform regular backups of critical systems, ensuring they are securely isolated from the production environment to safeguard against ransomware attacks. Additionally, our disaster recovery plans undergo routine testing of backups to ensure rapid and effective recovery when needed.

Access Control

● Principle of Least Privilege (PoLP): We enforce strict access controls, granting system access only to individuals who require it for their roles. Regular audits ensure compliance and minimize security risks.
● Multi-Factor Authentication (MFA): We require MFA for all system access, adding an extra layer of security to protect against unauthorized access.
● Role-Based Access Control (RBAC): Access to sensitive systems is governed by users' roles, ensuring only authorized personnel can perform specific actions on critical systems, with regular user access audits.

Secure Remote Access

● VPN and secure tunneling: We utilize secure VPNs and tunneling technologies with strong encryption to protect remote access to our systems. These connections are continuously monitored to ensure security and integrity.

Incident Response and Recovery Plans

● We have a comprehensive incident response plan with detailed procedures for addressing ransomware attacks and other cyber threats, in an effort to provide a swift and effective response.
● Cross-Team Coordination: Our IT and security teams collaborate seamlessly during incidents to respond quickly, contain threats, and minimize impact.

Security Audits and Risk Assessments

● Regular security audits: We conduct frequent security audits and vulnerability assessments to identify potential weaknesses and keep our defenses up to date. Additionally, we engage a third-party penetration testing firm for annual assessments to identify and address security vulnerabilities and misconfigurations.
● Regular risk management: We regularly evaluate and adapt our security measures to respond to emerging threats, including new ransomware strains and the evolving cyber threat landscape.
● We incorporate threat intelligence into our security operations to proactively identify and mitigate potential cyber risks.

Employee and Contractor Required Training and Awareness

● Ongoing cybersecurity awareness training, encompassing phishing awareness and sensitive data handling, is required for all employees and contractors. In addition, all IT and IT security staff are required to complete secure coding and data hygiene training.
● We conduct simulated phishing tests monthly, with required retraining on any failures.
● Simulated exercises: We regularly run simulated attack exercises to ensure our teams are prepared to act swiftly and effectively during an actual cyberattack.

Risk Management and Oversight Committee

● We conduct comprehensive risk assessments to identify vulnerabilities across systems, processes, and third-party dependencies.
● We use semi-quantitative risk assessment as a tool for evaluating the probability (likelihood) and severity (impact) of potential risks.
● We perform comprehensive vendor risk assessments to verify that third-party security measures effectively meet our organization's security policies and ensure vendor compliance with all relevant regulatory requirements, and we review them on an annual basis.
● Our Governance, Risk, and Compliance (GRC) applications enable continuous, automated testing and real-time monitoring of infrastructure and user compliance.
● We have strong executive and board oversight of regulatory and compliance risks, including changes in laws and regulations that could affect the company's business.
● We maintain a materiality assessment process designed to ensure compliance with all applicable securities laws and regulations, including the SEC's cybersecurity disclosure rules. We also consider industry-specific regulations and standards, such as HIPAA for healthcare organizations.

To date, we have not identified any cybersecurity incidents or threats that have materially impacted our business strategy, operations, or financial condition. Our materiality assessment process is designed to ensure compliance with all applicable securities laws and regulations, including the SEC's cybersecurity disclosure rules. We also consider industry-specific regulations and standards. However, there can be no assurances that such a cybersecurity incident will occur or that such incident will materially impact our business. Any breach of our security measures, or those of our third-party service providers, could result in unauthorized access to and misappropriation of our information, corruption of data or disruption of systems, operations or transactions, any of which could have a material adverse effect on our business strategy, results of operations or financial condition. See "Item 1A. Risk Factors" of this Annual Report on Form 10-K for further discussion of the risks related to cybersecurity threats.

Governance:

Our Vice President of Security and Compliance leads our cybersecurity program, is responsible for implementing and maintaining our cybersecurity controls, and provides regular updates to the Audit Committee and our executive management team on the status of our cybersecurity program and any cybersecurity incidents. Our Audit Committee and our executive team maintain rigorous oversight of our enterprise-wide risk management and cybersecurity strategy.

Our dedicated security and compliance team, leveraging over two decades of expertise, ensures consistent implementation, refinement, and resilience of these programs, utilizing a framework incorporating NIST, HIPAA, SOC 2, and SOX, providing assurance that our defenses remain robust against emerging threats and evolving regulatory mandates.
Company Information
Name | Health In Tech, Inc. |
CIK | 0002019505 |
SIC Description | Insurance Agents, Brokers & Service |
Ticker | HIT - Nasdaq |
Website | |
Category | Emerging growth company |
Fiscal Year End | December 30 |