Our focus on security and protection
Safeguarding the privacy and data of our members, clients, and teams is a core commitment at HealthEquity. We invest heavily in cybersecurity and have developed strong privacy and data governance frameworks to ensure sensitive information remains secure.
Protecting data through strategic oversight
Board governance
Our board’s Cybersecurity and Technology Committee guides oversight of cybersecurity programs, including HealthEquity’s risk mitigation and threat detection. It provides updates to the full board every quarter, and more frequently as needed.
The Audit and Risk Committee adds another layer of cybersecurity oversight by managing HealthEquity’s enterprise risk program. Their focus includes identifying and managing cybersecurity, fraud, and privacy risks that could arise from a cyber incident.
Management/executive governance
The Chief Security Officer (CSO) leads the cybersecurity program at HealthEquity, overseeing the IT and information security functions. The CSO works closely with cross-functional teams made up of subject matter experts in the areas of:
- Cyber defense and engineering
- Governance, risk, and compliance
- Fraud prevention
- Product security
- Identity and access management
The CSO and delegates meet with the Cybersecurity and Technology Committee at least once per quarter.
How we manage risk and protect customer privacy
Our operations incorporate cybersecurity at every level, with oversight from the Information Security Team and collaborative support from Enterprise Risk Management, Compliance, and Internal Audit teams.
Here are some of the measures we use to proactively manage risk:
- To safeguard sensitive data, we employ comprehensive administrative, technical, and physical protections.
- To identify risks, our security team partners with law enforcement agencies, participates in security information exchanges, and ensures around-the-clock surveillance through internal and external detection and response efforts.
- Our cybersecurity policies, procedures, and standards are assessed by internal and external auditors to ensure they meet rigorous criteria.
- We assess risks before working with third-party service providers through our Third-Party Risk Management program. Each year we perform additional evaluations to ensure continued oversight of vendor risk.
In addition, HealthEquity protects customer privacy and security by following industry-leading risk management standards, such as:
- System and Organization Controls (SOC 2) reporting
- Statement on Standards for Attestation Engagements 18 (SSAE-18)
- National Institute of Standards and Technology (NIST) Cybersecurity and Privacy frameworks
Our ongoing commitment to cybersecurity
All HealthEquity team members—part-time and full-time—complete privacy and security training both when hired and yearly through our Annual Compliance Training Program. This includes acknowledgement and review of central policies like the Acceptable Use Policy, Information Security Policy, and Privacy Policy.
We also offer advanced training for IT, privacy, and security teams while engaging the entire organization with bi-weekly Cyber Newsletters, monthly security awareness campaigns, and phishing simulation exercises.
HealthEquity is proud to participate as a Champion for Cybersecurity Awareness Month—a global initiative led by Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) to encourage safer digital practices. Visit our Security & IT and Privacy pages for more details.