Montrose Environmental Group, Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on July 16, 2024

Montrose Environmental Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 16:01:02 EST.


10-K filed on 2024-02-29

Montrose Environmental Group, Inc. filed a 10-K at 2024-02-29 16:01:02 EST
Accession Number: 0000950170-24-023043


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Our cybersecurity risk management program is designed to assess, identify and manage material risks from potential unauthorized breaches of or access to our electronic information systems and the information we store on our systems. Our program includes a wide variety of mechanisms, controls, technologies, methods, systems and other processes, as further described below, that are designed to prevent, detect or mitigate unauthorized access, data loss, theft, misuse or other security incidents and vulnerabilities affecting our systems and the information we store on our systems. The information we store includes confidential, proprietary, business and personal information of ours, our customers, our employees and other third parties that we collect, process, store and transmit as part of our business. Our program is aligned with the National Institute of Standards and Technology Risk Management Framework (NIST RMF), other industry-recognized standards and our contractual requirements. We also leverage government partnerships, industry and government associations, third-party benchmarking, the results from regular internal and third-party audits, threat intelligence feeds and other similar resources to inform and guide our cybersecurity processes and resource allocation. Additionally, we use processes and third-party technologies to oversee and minimize impact to our data, including two-factor authentication, encryption, Company-secured email and dedicated cybersecurity support personnel. Our cybersecurity risk management strategy is led by our Chief Information Security Officer (CISO) and a team of information security and other professionals, as detailed further below, who are responsible for implementing and maintaining our cybersecurity data protection practices.

This team works in close coordination with the Audit Committee of our Board of Directors, which is responsible for oversight of cybersecurity risk, senior management and other business functions and teams across the Company to identify threats by performing risk assessments and analyzing the effectiveness of controls against identified risks. As part of our risk management process, our cybersecurity risk management team oversees our vulnerability management practices and conducts routine application security assessments, yearly penetration testing, periodic security audits and ongoing risk assessments designed to identify cybersecurity risks to our environment. We also subscribe to third-party services for security operations through a dedicated managed security service provider responsible for mitigating threats to our environment and for alerting on and responding to events and incidents in coordination with our team. In addition to our routine practices, we also conduct testing, audits and assessments in connection with acquisitions, the implementation of new software, processes or activities requiring changes in our information technology environment, new cybersecurity events or developments and receipt of new risk intelligence. Further, we have adopted an enterprise-wide cybersecurity training and awareness program requiring all employees to complete annual cybersecurity training. The program is supported with monthly education and simulations, with remedial training assignments to increase user awareness. We maintain an incident response plan (IRP) aligned with the NIST RMF when responding to incidents. The IRP sets out a coordinated approach to investigating, containing, documenting and mitigating incidents.

Our CISO, with oversight from our Chief Information Officer (CIO), is responsible for executing the relevant cybersecurity incident response plan, which includes response criteria for materiality, applicable requirements for incident disclosure and reporting, and, for risks with a potentially material impact, escalation procedures to various individuals and departments, including our Audit Committee, Senior Management, Key Stakeholders, General Counsel, Chief Financial Officer and Chief Executive Officer. In addition to our in-house team and third-party security operations services, we also engage assessors, consultants, auditors and other third parties from time to time to assist with assessing, identifying and managing cybersecurity risks. For example, we leverage third-party security and compliance companies with subject matter expertise in these areas for threat identification and remediation. We continue to work with the U.S. Department of Defense on assessing cybersecurity risk and on policies and practices aimed at mitigating these risks, including through participation in the Department of Defense's collaborative information sharing. We also partner with other work groups to support understanding and deployment of the Cybersecurity Maturity Model Certification (CMMC) to promote readiness in complying with cybersecurity requirements for handling controlled unclassified information (CUI) and federal contract requirements. As of December 31, 2023, we were not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition.

Cybersecurity Governance

The Board of Directors takes an active role in overseeing management's processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure and our strategies for dealing with this risk with our long-term objectives. The Board has delegated the cybersecurity risk oversight function to the Audit Committee. To support our Audit Committee in this function, our Audit Committee has engaged a third-party expert to advise it and the Board on cybersecurity matters, including oversight of the Company's continued development, evolution and investments in cybersecurity infrastructure, policies and practices. Senior leadership, including our CIO and CISO, brief the Audit Committee quarterly, or more regularly as needed, on the Company's cybersecurity program, including cybersecurity risks, business-impacting incidents and ongoing and future cybersecurity project status. In addition, the Audit Committee's third-party cybersecurity advisor meets regularly with the CIO and CISO to review our cybersecurity strategy and key initiatives and progress toward meeting our objectives. The Audit Committee reports to the full Board at least quarterly regarding its oversight of cybersecurity risks, events, developments and other related matters, as relevant. The full Board also periodically receives briefings from management on our cybersecurity risk management program. In the event of a potentially material cybersecurity event, pursuant to our incident response plan, in addition to notification and involvement of our General Counsel, Chief Financial Officer and Chief Executive Officer, among others, the Audit Committee would be notified and briefed, and meetings of the Audit Committee and/or full Board of Directors would be held as appropriate. In collaboration with third-party experts, our corporate cybersecurity organization is led by our CISO, reporting to our CIO.

The CIO has more than 20 years of experience as a CIO and in technology leadership positions, with deep expertise in technical strategy, data management, infrastructure and cybersecurity. Our CISO has 25 years of experience in information technology, governance, compliance and risk management and is a Certified Information Security Manager (CISM), an advanced certification indicating that an individual possesses the knowledge and experience required to develop and manage an enterprise information security (InfoSec) program. The CISO is responsible for our overall cybersecurity strategy, policies, security operations and threat detection and response. The cybersecurity organization manages and continually enhances the maturity of our security posture with the goal of preventing or mitigating cybersecurity incidents to the extent feasible, while increasing system resiliency to minimize business impact. At the management level, we have established an Enterprise Cybersecurity Council, which includes our CIO, CISO, Director of Information Security, Director of Infrastructure, Senior Security Architects and Engineers, that meets monthly to identify opportunities to further strengthen our cybersecurity risk management program, including with respect to the prevention, detection, mitigation and remediation of cybersecurity incidents. This group is responsible for developing and coordinating risk identification and remediation, performance metrics and policy enforcement and for providing guidance to management and oversight bodies. Members of the group have significant cybersecurity experience and hold a number of certifications, including CISM, Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH) and Cisco Certified Network Associate (CCNA).

Company Information

Name: Montrose Environmental Group, Inc.
SIC Description: Services-Management Consulting Services
Ticker: MEG - NYSE
Category: Large accelerated filer
Fiscal Year End: December 30