HEALTHEQUITY, INC. 10-K Cybersecurity GRC - 2025-03-18

Page last updated on March 19, 2025

HEALTHEQUITY, INC. reported its cybersecurity risk management and governance process in an annual 10-K filed on 2025-03-18 16:22:42 EDT.

Company Summary

HealthEquity connects health and wealth by administering Health Savings Accounts (HSAs) and other consumer-directed benefits.

Filings

10-K filed on 2025-03-18

HEALTHEQUITY, INC. filed a 10-K at 2025-03-18 16:22:42 EDT
Accession Number: 0001428336-25-000009


Item 1C. Cybersecurity.

Overview

Cybersecurity risk is the risk of compromising the confidentiality, integrity, or availability of our technology platforms, data, and other systems, which could have an adverse impact on us, our members, Clients, and Network Partners, and our relationships with them. As further described below, we take various steps designed to help ensure that our platforms, data, and other systems remain available, resilient, and secure in the face of risks presented both by inadvertent actions (e.g., software that fails to operate properly) and by malicious activities (e.g., threat actors deliberately seeking to steal data or otherwise cause disruption). In particular, our industry continues to be a target for increasingly sophisticated cyber threats, including those driven by the rapid advancement of AI, adoption of public cloud environments, and reliance on third parties.

We take a security-by-design and risk-based approach to our cybersecurity program, which emphasizes continual improvement to safeguard non-public information and enable our business operations. Our cybersecurity program is structured to identify, assess, and mitigate risks through continuous monitoring, proactive threat intelligence, and a multi-layered defense strategy. We implement security controls, tools, and incident response procedures to prevent, detect, escalate, investigate, resolve, and recover from identified and reasonably anticipated vulnerabilities, including cybersecurity incidents. We emphasize fraud prevention, data protection, and securing our core platforms, while also prioritizing zero trust architecture, third-party risk management, immutable backups, training our staff and others who may have access to our data and systems, and improvement of our security personnel. In the event of a security risk or breach, we are prepared with response protocols aligned with National Institute of Standards & Technology (“NIST”) guidelines.
Our Security Incident Response Plan defines roles and responsibilities, incident severity levels, key contacts, post-incident steps, and testing guidelines. Our procedures cover response steps for phishing attacks, ransomware, data breaches, and major vulnerabilities. In addition, we have an organic threat model to evaluate our security controls against attacker tactics, techniques, and procedures. This adaptive approach strengthens our ability to anticipate and counter emerging threats. See “Risk Factors” in Part I, Item 1A of this Form 10-K for further information about cybersecurity risk.

Risk management and strategy

We have implemented the Three Lines of Defense Model as the foundation of our risk management approach. Our information security team serves as a First Line, working with our Enterprise Risk Management & Compliance functions as a Second Line, and our Internal Audit function as the Third Line. Cybersecurity is integrated into our operations, including through team member engagement, technology infrastructure, data fabric, and product development. Due to the sensitive nature of our customers’ data that we hold, we have a heightened focus on data security and protection. We maintain administrative, technical, and physical safeguards designed to protect confidential data.

Our security team seeks to identify security risks by working with state and federal law enforcement, security information-sharing organizations, and 24/7 system surveillance through internal and external detection and response teams. Additionally, to help ensure our approach to customer privacy and security is effective and in line with industry standards, we publish Service and SOC 2 attestation reports on our risk management standards established by the Statement on Standards for Attestation Engagements 18. We regularly engage external and internal assessors and auditors to evaluate and audit our cybersecurity policies, procedures, standards, and practices.
Results from these assessments are shared with management for remediation and with the Cybersecurity and Technology Committee of our board of directors on a regular basis. We have obtained, or are working toward obtaining, industry certifications and attestations and have aligned our cybersecurity program with the NIST Cybersecurity Framework and related controls. As part of our Third Party Risk Management program, we perform initial risk assessments prior to engaging third-party service providers and ongoing risk assessments annually thereafter, which follow an established process designed to identify, assess, and periodically review our exposure to risk through our partners.

During the fiscal year ended January 31, 2025, no known cybersecurity threats materially affected, or we believe are reasonably likely to materially affect, our business, our business strategy, financial reporting, or results of operations.

Governance

The Cybersecurity and Technology Committee of our board of directors provides oversight of the Company’s cybersecurity threat landscape, risks and data security programs, and the Company’s management and mitigation of cybersecurity risks and potential breach incidents. The Audit and Risk Committee of our board of directors provides an additional layer of cybersecurity oversight, as it provides oversight of the Company’s enterprise risk management program, which includes management of cybersecurity risks and the potential fraud and privacy risks that could arise from a cybersecurity incident. The Chief Security Officer (“CSO”) and his delegates meet with the Cybersecurity and Technology Committee at least quarterly to, among other items, review any cybersecurity incidents, review key risks and metrics on the Company’s cybersecurity program and related risk management programs, and discuss the Company’s cybersecurity programs and goals.
The Cybersecurity and Technology Committee also participates in cybersecurity tabletop exercises with management and receives training on cybersecurity trends and developments. The Cybersecurity and Technology Committee updates the full board of directors at each quarterly board meeting, or more frequently if needed.

Our enterprise cybersecurity program is led by the CSO, who brings more than two decades of cybersecurity leadership experience and oversees both information technology and information security functions. In order to assess and manage our material risks from cybersecurity threats, our CSO works with cross-functional teams, which are staffed with subject matter experts and leaders from each of the following areas:

- Threat & Vulnerability Management: We follow a defense-in-depth security model with a Joint Security Operations Center, Attack Surface Management, and Data Protection team working with security architects and engineers deploying controls designed to prevent or limit the success of an attack.
- Governance, Risk, and Compliance: Our Security Governance, Risk, and Compliance team helps drive trust, compliance, and data protection by managing risks, including supply chain risks, to strengthen customer confidence, support innovation, and protect our reputation.
- Fraud Prevention: Our Fraud Strategy and Prevention team seeks to employ industry best practices of fraud prevention, identity and access management (“IAM”), and cybersecurity monitoring to protect the transactions of our members and Clients. We continue to invest in people, processes, and technology solutions to enhance our fraud prevention program.
- Security Engineering & Architecture: Our Security Engineering & Architecture team designs and implements resilient security solutions, embedding security into cloud and on-premise environments while automating controls and integrating security into development lifecycles.
- Identity & Access Management: Our IAM team enforces zero trust principles, least privilege access, and adaptive authentication, managing multi-factor authentication, privileged access management, and just-in-time access to protect critical systems while ensuring seamless and compliant user access.


Company Information

Name: HEALTHEQUITY, INC.
CIK: 0001428336
SIC Description: Services-Business Services, NEC
Ticker: HQY - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: January 30