Huron Consulting Group Inc. 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

Huron Consulting Group Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 16:46:59 EST.

Filings

10-K filed on 2024-02-27

Huron Consulting Group Inc. filed an 10-K at 2024-02-27 16:46:59 EST
Accession Number: 0001289848-24-000036

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY. Cybersecurity Risk Management and Strategy We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, malicious attacks, improper employee or contractor access, harm to employees or customers and violation of data privacy, intellectual property or security laws. Although, as of the date of this Form 10-K, Huron has not experienced a cybersecurity incident that resulted in a material adverse impact to our business or operations, there can be no guarantee that we will not experience such an incident in the future. Further details about the cybersecurity risks we face are described under Item 1A. Risk Factors. We have an enterprise-wide cybersecurity strategy that focuses on implementing risk-based controls, technologies, and other processes. We aim to incorporate industry best practices throughout our cybersecurity program, including the frameworks established by the National Institute of Standards and Technology ( NIST ), the Cybersecurity and Infrastructure Security Agency ( CISA ), and other applicable industry standards. To augment our in-house capabilities, we leverage expertise from professional services firms and/or outside counsel, as needed, to assess our cybersecurity controls, and collaborate on an ever-changing landscape. Our cybersecurity program is verified as conforming with ISO/IEC 27001:2013 and our most recent recertification was in 2023. We use various mechanisms to preempt, detect and monitor cybersecurity threats, including monitoring unusual network activity, conducting annual security awareness training for employees, deploying phishing test campaigns, maintaining containment and incident response tools, and reviewing, updating and improving our Incident Response Plan annually. We also conduct tabletop exercises to simulate responses to cybersecurity incidents. During these exercises, our team of cybersecurity professionals collaborate with technical and business stakeholders across the organization to further analyze the risk to the company and form detection, mitigation, and remediation improvements. Our risk management program also assesses risks associated with third-party service providers. S uch providers are subject to an onboarding process and may be reevaluated periodically, such as upon detection of an increase in risk profile. We use a variety of inputs in such risk assessments, including information supplied by providers and third parties. In addition, our service providers adhere to mutually agreed upon security requirements, controls and responsibilities. Cybersecurity Governance Our cybersecurity program is overseen by the leaders of our Information Security functional team, which is led by our Chief Information Officer ( CIO ) who has nearly 30 years of relevant work experience. Prior to joining Huron in 2018, our CIO served in various information security and information technology roles in the professional services industry for several large, public companies and executed large-scale, global implementations of business applications and infrastructure technologies in a way that mitigates cybersecurity risks. Our CIO reports on a quarterly basis to Huron’s internal Information Security Management System ( ISMS ) Committee, which has primary responsibility for assessing and managing material cybersecurity risks. The ISMS Committee, which includes members of our executive and senior leadership teams, our CIO and other functional team leaders, reviews, approves and establishes ISMS specific goals and objectives, reviews policy updates and approves the annual IT risk assessment, which identifies impacts, threats and controls related to IT assets utilized across the enterprise. Our board of directors, in coordination with the board of director s Technology and Information Security ( T&IS ) Committee, oversees the governance of the Company s technology-related risks, including information security, data protection, cybersecurity, vendor, fraud, and business continuity risks, and technology-related strategies. The T&IS Committee receives quarterly updates from the CIO, including existing and new cybersecurity risks, the management and/or mitigation of such risks, material cybersecurity incidents (if any), and status on key cybersecurity initiatives. Our board also actively participates in discussions with management on cybersecurity-related news events and discusses any updates to our cybersecurity risk management and strategy programs on a timely basis. 18 Table of Contents

Company Information