Ontrak, Inc. 10-K Cybersecurity GRC - 2025-04-14

Page last updated on April 14, 2025

Ontrak, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-04-14 16:05:48 EDT.

Filings

10-K filed on 2025-04-14

Ontrak, Inc. filed a 10-K at 2025-04-14 16:05:48 EDT
Accession Number: 0001628280-25-017681

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY The Company maintains a cybersecurity and risk management program called the Information Security Management Program (“ISMP”) designed to identify, assess, manage, mitigate and respond to cybersecurity threats and attacks. The ISMP is overseen by the Company’s Chief Compliance and Privacy Officer , who oversees the Company’s information technology security team as it relates to the ISMP and is responsible for assessing and managing the ISMP, informs senior management regarding the prevention, detection, mitigation and remediation of cybersecurity incidents and supervises such efforts. The cybersecurity team has decades of experience selecting, deploying, and operating cybersecurity technologies, initiatives, and processes, and relies on threat intelligence as well as other information obtained from governmental, public or private sources, including external consultants engaged by the Company. The ISMP was developed by the Company’s information security team in collaboration with cross functional stakeholders, and is designed to ensure the organization’s security posture and practices are in alignment with contractual, regulatory and industry requirements. Risk assessments against specified criteria are conducted no less than annually, and sooner if there are significant changes in the environment. Security services are delivered through a combination of internal and third party resources . Formal periodic meetings are held with Company’s executive leadership to review relevant components of the ISMP, formal annual reviews of the policies are conducted, formal reviews of the entire ISMP and risk register are conducted at least annually, and more frequently if there are significant changes to the environment. Also, an independent review of the ISMP is conducted in the following ways: (i) an annual Health Insurance Portability and Accountability Act (HIPAA) risk assessment conducted by a third party; and (ii) a Health Information Trust Alliance (HITRUST) risk based two year assessment conducted by a third party. The Audit Committee of the Board of Directors oversees the Company’s cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. The Company’s cybersecurity team briefs the Audit Committee on the effectiveness of the Company’s cybersecurity risk management program, typically on a quarterly basis. In addition, cybersecurity risks are reviewed by the Company’s Board of Directors, at least annually, as part of the Company’s corporate risk mapping exercise. We have, from time to time, experienced threats to and breaches of our data and systems, including breaches of our data within third party vendor’s system. As of the filing date of this report, we have not identified risks from known cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. There can be no assurance, however, that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be fully implemented, complied with or effective in protecting our systems and information. For more information about the cybersecurity risks we face, see the risk factor entitled “Cybersecurity incidents, security breaches, loss of data and other disruptions could compromise sensitive information related to our business, prevent us from accessing critical information or expose us to liability, which could adversely affect our business and our reputation” in Part I, Item 1A of this report.

Company Information