Guardian Pharmacy Services, Inc. 10-K Cybersecurity GRC - 2025-03-26

Page last updated on March 26, 2025

Guardian Pharmacy Services, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-26 16:15:20 EDT.

Filings

10-K filed on 2025-03-26

Guardian Pharmacy Services, Inc. filed a 10-K at 2025-03-26 16:15:20 EDT
Accession Number: 0001193125-25-064082

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy We recognize the importance of identifying, assessing, and managing material risks associated with cybersecurity threats , which include, among other things, operational risks, intellectual property theft, fraud, extortion, harm to employees or patients, and violation of data privacy or security laws. We employ multiple levels of protection designed to minimize the risks associated with cybersecurity, ransomware and data breaches, including firewalls, data loss prevention, email filtering for ransomware, proactive threat-hunting, cloud-based backups, multifactor authentication, encryption software, intrusion testing and SIEM networking monitoring to ensure the integrity of our data and systems. In addition, we maintain recovery and other business continuity procedures. Our cybersecurity risk management program is informed by prevailing security standards and is designed to provide a framework for evaluating and responding to cybersecurity risks. This includes processes for assessing the severity of a cybersecurity threat, identifying the source of a cybersecurity threat, implementing cybersecurity countermeasures and mitigation strategies, and informing and updating management and, as needed, the audit committee and our board of directors of cybersecurity incidents that may pose a significant risk for the business. Security events and data incidents are evaluated, ranked by severity, and prioritized for response and remediation. Incidents are evaluated to determine materiality, as well as operational and business impact, and reviewed for privacy impact. We deploy technical safeguards that are designed to protect our information systems, products, operations and sensitive information from cybersecurity threats. These include including firewalls, data loss prevention, email filtering for ransomware, proactive thread-hunting, cloud-based backups, multifactor authentication, encryption software, intrusion testing and SIEM networking monitoring to ensure the integrity of our data and systems. In addition, we maintain recovery and other business continuity procedures, including cloud-based backups, electrical generators, critical systems housed at hardened data centers and geographic redundancy, intended to minimize disruptions to our operations in the event of disaster or other interruptions to our information systems. Our security events are logged to a central source and monitored by a third party security operations management provider. We provide periodic training for all personnel regarding cybersecurity threats, with such training appropriate to the roles, responsibilities and access of the relevant Company personnel. Recognizing the complexity and evolving nature of cybersecurity threats, incidents and risks, we engage third-party experts, including cybersecurity consultants, to evaluate and support our risk management systems. We also rely on software support from third-party vendors to assist with evaluating, monitoring, and testing our information technology systems. These relationships enable us to leverage specialized knowledge and insights, to help ensure our cybersecurity strategies and processes remain effective. Our collaboration with these third parties includes regular audits, routine system monitoring, threat assessments, incident response, and consultation on potential security enhancements. We require third-party service providers with access to personal, confidential, or proprietary information to implement and maintain comprehensive cybersecurity practices consistent with applicable legal standards and industry best practices. As of the date of this Annual Report on Form 10-K, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. For further discussion of the risks associated with cybersecurity incidents, see " Risk Factors-Risks Related to Our Business-Interruptions to our information systems may materially and adversely affect our operating results " as well as “- Cybersecurity attacks or other data security incidents could disrupt our operations and expose us to regulatory fines or penalties, liability or reputational harm. " Governance Our board of directors has overall oversight responsibility for our risk management, and delegates data protection and cybersecurity risk oversight to the audit committee. The audit committee receives regular briefings on cybersecurity risks and risk management practices, including, for example, recent developments in the external cybersecurity threat landscape, evolving standards, vulnerability assessments, third-party and independent reviews, technological trends, as well as how management is addressing or mitigating those risks. The audit committee may also promptly receive information regarding any material cybersecurity incident that may occur, including any ongoing updates regarding the same. The audit committee periodically discusses our approach to cybersecurity risk management with our VP of Technology & Senior Security Officer. Our VP of Technology & Senior Security Officer is responsible for overseeing our cybersecurity risk management program. Our VP of Technology & Senior Security Officer has over 20 years of extensive experience in information technology and security, and works in coordination with other members of the management team. Our VP of Technology & Senior Security Officer, along with leaders from our privacy and corporate compliance functions, collaborate to implement a program designed to manage our exposure to cybersecurity risks and to promptly respond to cybersecurity incidents. Response to incidents is delivered by multi-disciplinary teams in accordance with our incident response plan. Through ongoing communications with these teams during incidents, the VP of Technology & Senior Security Officer monitors the triage, mitigation and remediation of cybersecurity incidents, and reports such incidents to executive management, the audit committee and other colleagues in accordance with our cybersecurity policies and procedures, as appropriate.

Company Information