Cybersecurity, Risk Management, Strategy and Governance
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Abstract]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Item 1C. Cybersecurity.

Cybersecurity risk management is an integral part of our enterprise risk management program. Our cybersecurity program is designed to align with industry best practices and provide a framework for handling cybersecurity threats and incidents, including threats and incidents associated with the use of services provided by third-party service providers.

Our Board has overall oversight responsibility for our risk management and is briefed periodically on cybersecurity risk management and any material cybersecurity incidents by our Chief Information Officer, or CIO, and General Counsel. The Board is responsible for ensuring that management has processes in place designed to (i) identify and evaluate cybersecurity risks to which the company is exposed and (ii) manage cybersecurity risks and mitigate cybersecurity incidents.

Management is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation measures and maintaining cybersecurity programs. Specifically, our Security Steering Committee ("SSC"), a cross-functional team of employees chaired by our CIO, is responsible for providing strategic guidance and oversight to Amwell’s privacy, risk and security programs and policies. Management has instituted an Information Security Management System ("ISMS"). The ISMS establishes risk-based safeguards that are designed to adequately protect the Company and information acquired through business operations. Amwell maintains its ISMS in accordance with ISO 27001 standards. Amwell is audited annually by a third-party assessment firm that determines the effectiveness of the procedures and processes of its ISMS. Amwell also self-assesses the performance and effectiveness of the ISMS through monitoring, measurement, analysis, and evaluation of controls and control objectives. The SSC ensures the workforce complies with the ISMS policies, procedures and controls through many channels, including annual review of audit and risk assessment results, multifactor authentication, annual employee training and company-wide communications.

Our team of cybersecurity-focused employees, under the direction of our CIO, is responsible for assessing our cybersecurity risk and detecting, mitigating and remediating cybersecurity incidents. Our CIO and dedicated personnel are certified and experienced information systems security professionals and information security managers. Personnel with significant security responsibilities receive specialized education and training on their roles and responsibilities prior to being granted access to systems and resources. The pre-employment process for these roles is designed to ensure that security responsibilities are specifically defined. Our CIO has over 15 years of technology leadership experience.

Amwell’s cybersecurity team has implemented processes to:

assess the severity of a cybersecurity threat through continuous monitoring and determine the nature, scope and timing of the event to assess whether it is material;
identify the source of a cybersecurity threat, including whether the cybersecurity threat is associated with a third-party service provider, utilizing our Information Security Incident Response Plan;
implement cybersecurity countermeasures and mitigation strategies; and
inform our board of directors of material cybersecurity threats and incidents.

In 2024, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. Despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see “Risk Factors – Risks Related to Our Business and Industry” and “Risk Factors – Risks Related to Government Regulation” in this annual report on Form 10-K.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

Cybersecurity risk management is an integral part of our enterprise risk management program. Our cybersecurity program is designed to align with industry best practices and provide a framework for handling cybersecurity threats and incidents, including threats and incidents associated with the use of services provided by third-party service providers.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Our Board has overall oversight responsibility for our risk management and is briefed periodically on cybersecurity risk management and any material cybersecurity incidents by our Chief Information Officer, or CIO, and General Counsel. The Board is responsible for ensuring that management has processes in place designed to (i) identify and evaluate cybersecurity risks to which the company is exposed and (ii) manage cybersecurity risks and mitigate cybersecurity incidents.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Board has overall oversight responsibility for our risk management and is briefed periodically on cybersecurity risk management and any material cybersecurity incidents by our Chief Information Officer, or CIO, and General Counsel.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Board is responsible for ensuring that management has processes in place designed to (i) identify and evaluate cybersecurity risks to which the company is exposed and (ii) manage cybersecurity risks and mitigate cybersecurity incidents.
Cybersecurity Risk Role of Management [Text Block] Management is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation measures and maintaining cybersecurity programs. Specifically, our Security Steering Committee ("SSC"), a cross-functional team of employees chaired by our CIO, is responsible for providing strategic guidance and oversight to Amwell’s privacy, risk and security programs and policies. Management has instituted an Information Security Management System ("ISMS"). The ISMS establishes risk-based safeguards that are designed to adequately protect the Company and information acquired through business operations. Amwell maintains its ISMS in accordance with ISO 27001 standards. Amwell is audited annually by a third-party assessment firm that determines the effectiveness of the procedures and processes of its ISMS. Amwell also self-assesses the performance and effectiveness of the ISMS through monitoring, measurement, analysis, and evaluation of controls and control objectives. The SSC ensures the workforce complies with the ISMS policies, procedures and controls through many channels, including annual review of audit and risk assessment results, multifactor authentication, annual employee training and company-wide communications.

Our team of cybersecurity-focused employees, under the direction of our CIO, is responsible for assessing our cybersecurity risk and detecting, mitigating and remediating cybersecurity incidents. Our CIO and dedicated personnel are certified and experienced information systems security professionals and information security managers. Personnel with significant security responsibilities receive specialized education and training on their roles and responsibilities prior to being granted access to systems and resources. The pre-employment process for these roles is designed to ensure that security responsibilities are specifically defined. Our CIO has over 15 years of technology leadership experience.

Amwell’s cybersecurity team has implemented processes to:

assess the severity of a cybersecurity threat through continuous monitoring and determine the nature, scope and timing of the event to assess whether it is material;
identify the source of a cybersecurity threat, including whether the cybersecurity threat is associated with a third-party service provider, utilizing our Information Security Incident Response Plan;
implement cybersecurity countermeasures and mitigation strategies; and
inform our board of directors of material cybersecurity threats and incidents.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Specifically, our Security Steering Committee ("SSC"), a cross-functional team of employees chaired by our CIO, is responsible for providing strategic guidance and oversight to Amwell’s privacy, risk and security programs and policies. Management has instituted an Information Security Management System ("ISMS"). The ISMS establishes risk-based safeguards that are designed to adequately protect the Company and information acquired through business operations.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our CIO and dedicated personnel are certified and experienced information systems security professionals and information security managers. Personnel with significant security responsibilities receive specialized education and training on their roles and responsibilities prior to being granted access to systems and resources. The pre-employment process for these roles is designed to ensure that security responsibilities are specifically defined. Our CIO has over 15 years of technology leadership experience.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Management is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation measures and maintaining cybersecurity programs.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true