Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Item 1C.

Cybersecurity

 

We maintain an information security program grounded in the HITRUST, NIST, and ISO frameworks to safeguard our information and systems and to support the security of third parties that create, receive, transmit, or have access to our information, or that are critical to our operations. Our controls are periodically reviewed and updated to address technological developments, evolving regulatory requirements, and operational needs, reflecting our ongoing focus on the confidentiality, integrity, and availability of our information assets.

 

During the fourth quarter of 2025, NRC obtained HITRUST i1 and AI Security certifications, including completion of the AI Risk Management Framework (RMF) Insight Report. These third-party assessments form part of the Company’s cybersecurity risk management processes and are used, together with other industry standards, to inform the design of controls and to support ongoing evaluation of cybersecurity and data protection practices.

 

Risk management & strategy

 

Our information security program, including cybersecurity risk management, is integrated into our overall Enterprise Risk Management Program (“ERMP”) framework. Our ERMP assesses strategic, operational, and environmental factors to identify key and emerging risks across the organization including cybersecurity risks. A key risk matrix is maintained to evaluate the potential impact of key risks and monitor the effectiveness of mitigation and controls. We, our customers, suppliers, and subcontractors face cybersecurity risks such as phishing, ransomware, zero-day exploits, malware attacks, and social engineering attacks. A cybersecurity incident impacting us or our subcontractors could materially adversely affect our performance and results of operations. For more information about the cybersecurity risks we face, see the factors set forth under the caption “Risk Factors” in Part I, Item 1A of this Annual Report on Form 10-K.

 

Our cybersecurity risk management procedures encompass comprehensive administrative, technical, and physical security measures. Our Security Team meets, subscribes to intelligence sources, and actively participates in professional organizations to stay informed and have reliable access to the latest information on emerging threats and vulnerabilities. We utilize both internal tools and third-party resources to perform risk and vulnerability assessments, as well as penetration testing. This includes a comprehensive managed security service that operates 24/7, dedicated to scanning and analyzing potential threats. Our Contractors and Third Parties Policy requires certain vendors to undergo annual reviews including security assessments and site visits. Additionally, our subcontractor agreements require that they report any security incidents. Risk assessment results and recommendations are documented in our risk register, reported, and closely monitored by our security team. Annually, we engage independent auditors to issue a System and Organization Control (SOC) 2 - Type II report based on their examination of our critical systems used to provide services to our customers for the suitability of design and operating effectiveness of controls.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Our information security program, including cybersecurity risk management, is integrated into our overall Enterprise Risk Management Program (“ERMP”) framework. Our ERMP assesses strategic, operational, and environmental factors to identify key and emerging risks across the organization including cybersecurity risks. A key risk matrix is maintained to evaluate the potential impact of key risks and monitor the effectiveness of mitigation and controls. We, our customers, suppliers, and subcontractors face cybersecurity risks such as phishing, ransomware, zero-day exploits, malware attacks, and social engineering attacks. A cybersecurity incident impacting us or our subcontractors could materially adversely affect our performance and results of operations. For more information about the cybersecurity risks we face, see the factors set forth under the caption “Risk Factors” in Part I, Item 1A of this Annual Report on Form 10-K.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Board of Directors Oversight [Text Block]

Governance

 

The Board of Directors has the responsibility to oversee our enterprise risk management framework and associated policies and procedures. The Audit Committee of the Board has been assigned the responsibility to inquire of management, the independent accountants, and the internal auditor about significant risks and exposures, including risks and exposures relating to data privacy, information security, and cybersecurity, and assess the steps management has taken to minimize such risks and exposures; and to make recommendations to the Board, as and when appropriate, as to the scope, direction, investment levels, and execution of our data privacy, information security, and cybersecurity initiatives.

 

Our Enterprise Risk Management Committee (ERMC), which includes certain associates with data privacy, information security, and cybersecurity experience, supports our Board of Directors in this oversight. The ERMC reports to the Audit Committee of the Board of Directors. The ERMC manages the ERMP and provides regular updates to the Audit Committee regarding our key risks and ERMP developments. Our Vice President of Privacy Compliance (VP of Privacy) also reports to the Audit Committee on a regular basis, providing an Information Security Report, which includes information such as our information system risk profile, our top risk challenges, and security initiatives and strategies. Additionally, the ERMC communicates emerging risks and the mitigation of those risks to the Audit Committee, among other things. Significant cybersecurity matters and strategic risk management decisions are elevated to the overall Board of Directors to enable oversight and guidance on critical cybersecurity issues.

 

Our VP Privacy is an ERMC member and has primary responsibility for our Information Security Program, including the maintenance and enforcement of our security policies, overseeing and executing the strategic plan for our data protection program, conducting organization-wide training, advising our leadership team, and assisting in optimizing security measures, mitigating risks, fortifying defenses, and minimizing vulnerabilities. Additionally, the VP Privacy actively participates in project management duties and manages information security integration efforts, working closely with internal teams, vendors, subcontractors, and customers. Our VP Privacy has over twenty years of experience in cybersecurity, privacy, and compliance, with an eMBA and a master’s in science in IT Security from the Rochester Institute of Technology, as well as several industry certifications. Prior to NRC Health, our VP Privacy was the CIO/CISO/CPO for the Rochester RHIO and Manager of Information Security and GRC with Excellus Health Plan.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Our information security program, including cybersecurity risk management, is integrated into our overall Enterprise Risk Management Program (“ERMP”) framework. Our ERMP assesses strategic, operational, and environmental factors to identify key and emerging risks across the organization including cybersecurity risks. A key risk matrix is maintained to evaluate the potential impact of key risks and monitor the effectiveness of mitigation and controls. We, our customers, suppliers, and subcontractors face cybersecurity risks such as phishing, ransomware, zero-day exploits, malware attacks, and social engineering attacks. A cybersecurity incident impacting us or our subcontractors could materially adversely affect our performance and results of operations. For more information about the cybersecurity risks we face, see the factors set forth under the caption “Risk Factors” in Part I, Item 1A of this Annual Report on Form 10-K.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Our information security program, including cybersecurity risk management, is integrated into our overall Enterprise Risk Management Program (“ERMP”) framework. Our ERMP assesses strategic, operational, and environmental factors to identify key and emerging risks across the organization including cybersecurity risks. A key risk matrix is maintained to evaluate the potential impact of key risks and monitor the effectiveness of mitigation and controls. We, our customers, suppliers, and subcontractors face cybersecurity risks such as phishing, ransomware, zero-day exploits, malware attacks, and social engineering attacks. A cybersecurity incident impacting us or our subcontractors could materially adversely affect our performance and results of operations. For more information about the cybersecurity risks we face, see the factors set forth under the caption “Risk Factors” in Part I, Item 1A of this Annual Report on Form 10-K.
Cybersecurity Risk Role of Management [Text Block] Our information security program, including cybersecurity risk management, is integrated into our overall Enterprise Risk Management Program (“ERMP”) framework. Our ERMP assesses strategic, operational, and environmental factors to identify key and emerging risks across the organization including cybersecurity risks. A key risk matrix is maintained to evaluate the potential impact of key risks and monitor the effectiveness of mitigation and controls. We, our customers, suppliers, and subcontractors face cybersecurity risks such as phishing, ransomware, zero-day exploits, malware attacks, and social engineering attacks. A cybersecurity incident impacting us or our subcontractors could materially adversely affect our performance and results of operations. For more information about the cybersecurity risks we face, see the factors set forth under the caption “Risk Factors” in Part I, Item 1A of this Annual Report on Form 10-K.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our Enterprise Risk Management Committee (ERMC), which includes certain associates with data privacy, information security, and cybersecurity experience, supports our Board of Directors in this oversight. The ERMC reports to the Audit Committee of the Board of Directors. The ERMC manages the ERMP and provides regular updates to the Audit Committee regarding our key risks and ERMP developments. Our Vice President of Privacy Compliance (VP of Privacy) also reports to the Audit Committee on a regular basis, providing an Information Security Report, which includes information such as our information system risk profile, our top risk challenges, and security initiatives and strategies. Additionally, the ERMC communicates emerging risks and the mitigation of those risks to the Audit Committee, among other things. Significant cybersecurity matters and strategic risk management decisions are elevated to the overall Board of Directors to enable oversight and guidance on critical cybersecurity issues.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The Board of Directors has the responsibility to oversee our enterprise risk management framework and associated policies and procedures. The Audit Committee of the Board has been assigned the responsibility to inquire of management, the independent accountants, and the internal auditor about significant risks and exposures, including risks and exposures relating to data privacy, information security, and cybersecurity, and assess the steps management has taken to minimize such risks and exposures; and to make recommendations to the Board, as and when appropriate, as to the scope, direction, investment levels, and execution of our data privacy, information security, and cybersecurity initiatives.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The Board of Directors has the responsibility to oversee our enterprise risk management framework and associated policies and procedures. The Audit Committee of the Board has been assigned the responsibility to inquire of management, the independent accountants, and the internal auditor about significant risks and exposures, including risks and exposures relating to data privacy, information security, and cybersecurity, and assess the steps management has taken to minimize such risks and exposures; and to make recommendations to the Board, as and when appropriate, as to the scope, direction, investment levels, and execution of our data privacy, information security, and cybersecurity initiatives.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true