|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Cybersecurity Risk Management and Strategy
The Company adopted an Information Security Policy which governs the Company’s management of information technology (“IT”) systems, network, information, data and assets. HCSG’s Information Security Policy is periodically reviewed based on the National Institute of Standards and Technology Cybersecurity Framework. The Company regularly monitors and measures the performance of the IT Systems and Assets and the Information Security Policy. HCSG has procedures to ensure that any of its vendors and suppliers that create, utilize or process our data take a similar, risk-based approach to information security.
Management maintains the cybersecurity risk prevention program which includes ongoing employee education and procedures for cybersecurity incident prevention, detection and response. The Company retains third parties, including IT professionals and legal counsel, specializing in cybersecurity risk management to assist in implementing cybersecurity controls. The Company oversees and identifies material risks from cybersecurity threats associated with its use of third-party service providers by reviewing SOC 1 or SOC 2 reports (whichever is more applicable) for key outsourced systems, including all systems which house protected health information or personally identifiable information. The cybersecurity risk prevention program is part of the Company's overall risk management program.
Please refer to the risk factor titled “We have experienced cyber attacks and breaches, and may in the future experience cyber attacks and breaches which could cause operational disruptions, fraud or theft of sensitive information.” in “Risk Factors” in Part I, Item 1A of this Form 10-K for more information on risks posed by cybersecurity threats to the Company.
As previously disclosed in a Form 8-K filed on October 16, 2024, on October 9, 2024 we identified a cybersecurity incident, which involved unauthorized activity within some of our systems. We immediately activated the Company’s Cyber Incident Response Plan (“IRP”) to investigate such activity with the assistance of leading third-party cybersecurity experts. We also notified law enforcement authorities. We continue to monitor the situation and take appropriate actions consistent with our response protocols. As of the date of this filing, the incident has not caused, and is not expected to cause, disruption of the Company’s business operations. And although there can be no assurance, we do not believe the identified cybersecurity incident will have a material effect on our business, financial condition, results of operations or cash flows.
Management’s Role in Assessing and Managing Material Risks from Cybersecurity Threats
The Company’s day-to-day risk management is under the direction of Jason J. Bundick, the Company’s Executive Vice President, Chief Compliance Officer, General Counsel and Secretary. Jason Osbeck, the Company’s Senior Vice President of Information and Technology, is responsible for day-to-day cybersecurity risk management under the direction of Mr. Bundick. Mr. Osbeck has served in this role at the Company since 2012.The Company has an IRP which details the Company’s policies and procedures in the event of a cyber incident. The Company’s IT department, led by Mr. Osbeck, logs all potential cybersecurity incidents reported which are then reviewed by an Incident Response Team (“IRT”), a cross-functional internal team including IT, risk management, legal and other departmental representation as necessary to identify the potential impact of the cybersecurity incident. As needed, the IRT will consult with third party legal counsel and IT advisory firms to appropriately respond to existing cyber threats. In the event a material incident is identified, the Company will report such incidents in compliance with applicable law. Material cyber events, if any, are reported to the Board of Directors as they occur. Additionally, Mr. Bundick provides quarterly updates to the Audit Committee on all cybersecurity matters during the quarter.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
The Company adopted an Information Security Policy which governs the Company’s management of information technology (“IT”) systems, network, information, data and assets. HCSG’s Information Security Policy is periodically reviewed based on the National Institute of Standards and Technology Cybersecurity Framework. The Company regularly monitors and measures the performance of the IT Systems and Assets and the Information Security Policy. HCSG has procedures to ensure that any of its vendors and suppliers that create, utilize or process our data take a similar, risk-based approach to information security.Management maintains the cybersecurity risk prevention program which includes ongoing employee education and procedures for cybersecurity incident prevention, detection and response. The Company retains third parties, including IT professionals and legal counsel, specializing in cybersecurity risk management to assist in implementing cybersecurity controls. The Company oversees and identifies material risks from cybersecurity threats associated with its use of third-party service providers by reviewing SOC 1 or SOC 2 reports (whichever is more applicable) for key outsourced systems, including all systems which house protected health information or personally identifiable information. The cybersecurity risk prevention program is part of the Company's overall risk management program.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Board is responsible for overseeing the Company’s risk management process. The Board focuses on the Company’s general risk management strategy, including the most significant risks facing the Company, and ensures that appropriate risk mitigation strategies are implemented by management. The Audit Committee oversees the Company’s cybersecurity risk mitigation efforts. The Audit Committee reports to the full Board as appropriate, including when a matter rises to the level of a material risk.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Audit Committee reports to the full Board as appropriate, including when a matter rises to the level of a material risk.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Company has an IRP which details the Company’s policies and procedures in the event of a cyber incident. The Company’s IT department, led by Mr. Osbeck, logs all potential cybersecurity incidents reported which are then reviewed by an Incident Response Team (“IRT”), a cross-functional internal team including IT, risk management, legal and other departmental representation as necessary to identify the potential impact of the cybersecurity incident. As needed, the IRT will consult with third party legal counsel and IT advisory firms to appropriately respond to existing cyber threats. In the event a material incident is identified, the Company will report such incidents in compliance with applicable law. Material cyber events, if any, are reported to the Board of Directors as they occur. Additionally, Mr. Bundick provides quarterly updates to the Audit Committee on all cybersecurity matters during the quarter.
|Cybersecurity Risk Role of Management [Text Block]
|
Management’s Role in Assessing and Managing Material Risks from Cybersecurity Threats
The Company’s day-to-day risk management is under the direction of Jason J. Bundick, the Company’s Executive Vice President, Chief Compliance Officer, General Counsel and Secretary. Jason Osbeck, the Company’s Senior Vice President of Information and Technology, is responsible for day-to-day cybersecurity risk management under the direction of Mr. Bundick. Mr. Osbeck has served in this role at the Company since 2012.The Company has an IRP which details the Company’s policies and procedures in the event of a cyber incident. The Company’s IT department, led by Mr. Osbeck, logs all potential cybersecurity incidents reported which are then reviewed by an Incident Response Team (“IRT”), a cross-functional internal team including IT, risk management, legal and other departmental representation as necessary to identify the potential impact of the cybersecurity incident. As needed, the IRT will consult with third party legal counsel and IT advisory firms to appropriately respond to existing cyber threats. In the event a material incident is identified, the Company will report such incidents in compliance with applicable law. Material cyber events, if any, are reported to the Board of Directors as they occur. Additionally, Mr. Bundick provides quarterly updates to the Audit Committee on all cybersecurity matters during the quarter.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Jason Osbeck, the Company’s Senior Vice President of Information and Technology, is responsible for day-to-day cybersecurity risk management under the direction of Mr. Bundick. Mr. Osbeck has served in this role at the Company since 2012.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Mr. Osbeck has served in this role at the Company since 2012.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Company has an IRP which details the Company’s policies and procedures in the event of a cyber incident. The Company’s IT department, led by Mr. Osbeck, logs all potential cybersecurity incidents reported which are then reviewed by an Incident Response Team (“IRT”), a cross-functional internal team including IT, risk management, legal and other departmental representation as necessary to identify the potential impact of the cybersecurity incident. As needed, the IRT will consult with third party legal counsel and IT advisory firms to appropriately respond to existing cyber threats. In the event a material incident is identified, the Company will report such incidents in compliance with applicable law. Material cyber events, if any, are reported to the Board of Directors as they occur. Additionally, Mr. Bundick provides quarterly updates to the Audit Committee on all cybersecurity matters during the quarter.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef