OptimizeRx Corp 10-K Cybersecurity GRC - 2025-03-20

Page last updated on March 20, 2025

OptimizeRx Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-20 16:46:13 EDT.

Filings

10-K filed on 2025-03-20

OptimizeRx Corp filed a 10-K at 2025-03-20 16:46:13 EDT
Accession Number: 0001213900-25-025576


Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy

Our information security and risk management program is designed to identify, assess, and manage material risks from cybersecurity threats to our applications, computer networks, third-party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, personal information, or protected health information (PHI) (collectively, “Information Systems”). Our information security program’s basis is a comprehensive set of policies and procedures covering various information security domains (collectively, “Information Security Policy”), including, but not limited to:

● Access control,
● Endpoint protection,
● Third-party oversight,
● Education, training, and awareness,
● Network security,
● Risk management,
● Incident response,
● Business continuity and disaster recovery,
● Data protection and privacy, and
● Other security domains.

Our risk management process is based on a standard methodology, and risks are identified based on:

● Annual risk assessments,
● Information on past incidents,
● Internal audits,
● Security penetration tests, and
● Other security assessments.

All risks are documented in a central Risk Register and tracked for mitigation and other treatment decisions.

Our information security program is audited annually against a well-known security framework, by an accredited third-party. In 2024, we allowed our HITRUST certification to lapse and we replaced it with System and Organization Controls (SOC) 2 assessment, which has more general applicability and covers the trust services criteria of security, confidentiality, privacy, and accessibility. In 2024 we stored certain PHI on behalf of customers on secure AWS managed servers in the contiguous United States, encrypted at rest and in transit.

End users did not have permission to access PHI unless the end user’s account had the proper end user role permissions (e.g., HCPs or hub service providers). These end user roles were assigned according to the customer’s needs to see the information. At all times, such information was segregated so that one customer could not access records containing PHI that were associated with another customer.

Our external audits and assessments identify and evaluate material risks from cybersecurity threats against our overall business objectives on a periodic basis and form the basis of internal reports, which can be shared with the management team, the Audit Committee of the Board of Directors, and the Board of Directors to evaluate our overall enterprise risk.

Our incident response program consists of an Incident Response Plan document and a cross-functional Incident Response Team, which are defined in our Information Security Policies. All workforce members are trained on incident reporting procedures, and there is a single point of contact for reporting all incidents. Incident response training is conducted annually, followed by a tabletop exercise. Our Incident Response Plan instructs personnel on how to notify our Incident Response Team in case of an incident. The VP of Information Security is the point person for incident responses and coordinates mitigation and remediation of cybersecurity incidents. We log all incidents and response plans for purposes of internal documentation. We report critical incidents to the management team, the Audit Committee, and the Board of Directors.

The Company’s VP of Information Security is responsible for implementing the Information Security Policy on a day-to-day basis along with the Security Committee (as defined in the Information Security Policy), which includes the heads of the following departments, at a minimum: Information Security, Technology, Compliance, Product Management, Internal Audit, and Legal.

We use third-party service providers to perform a variety of functions throughout our business, including, but not limited to, infrastructure support and maintenance, CRM, contract management, data hosting, and miscellaneous finance and accounting projects. We assess our vendors with respect to cybersecurity risk according to the services provided, the sensitivity of the Information Systems at issue, and the provider’s identity. In appropriate cases, we will seek enhanced contractual obligations or guarantees related to cybersecurity on the service provider. Vendor risk assessments are performed before each vendor is engaged, and annual reviews are conducted to ensure vendors continue to meet security requirements.

We also maintain technical errors and omissions insurance which includes a cyber incident endorsement of up to $20 million. This endorsement provides coverage for Network Security and Privacy, Privacy Regulation Proceeding, Privacy Event Expense Reimbursement, Extortion Demand Reimbursement, Data Restoration, Network Restoration, Business Interruption and System Failure. This coverage reimburses the most common costs for information security incidents, including attorney’s fees, consumer notification costs, and regulatory fines.

To our knowledge, during 2024, there were no material cybersecurity incidents or threats that materially affected or are reasonably likely to materially affect the Company’s business strategy, results of operations, or financial condition. For more information on risks from cybersecurity threats that may materially affect the Company, see Item 1A. “Risk Factors”.

Governance

The Board of Directors’ oversight function includes cybersecurity risk management. The Board of Directors has three members with skills and experience in information security and cybersecurity through their experience as current and former executives of digital technology companies.

The Board of Directors has tasked the Audit Committee with overseeing the Company’s cybersecurity risk management processes and determining which threats are likely to impact the Company’s strategy, business operations, and financial condition. Pursuant to its charter, the Audit Committee of the Board of Directors reviews the Company’s policies regarding information technology security and protection from cyber risks. In particular, the Audit Committee reviews with management the Company’s key IT Systems and evaluates the adequacy of the Company’s information security program, compliance, and controls.

Our cybersecurity risk assessment and management processes are implemented and maintained by our VP of Information Security and the Security Committee. For strategic decisions regarding cybersecurity, the VP of Information Security consults with the Chief Technology Officer, the Chief Financial Officer, the Chief Legal Officer, and the VP of Compliance. The VP of Information Security is responsible for hiring appropriate personnel, performing vendor risk assessments, and communicating information security priorities to relevant personnel, so that we can build cybersecurity risk considerations into our business practices. The VP of Information Security also plans related budgets, designs cybersecurity processes, and reviews security assessments and related reports.


Company Information

Name: OptimizeRx Corp
CIK: 0001448431
SIC Description: Services-Business Services, NEC
Ticker: OPRX - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30