Montrose Environmental Group, Inc. 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

Montrose Environmental Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 16:02:43 EST.

Filings

10-K filed on 2026-02-26

Montrose Environmental Group, Inc. filed a 10-K at 2026-02-26 16:02:43 EST
Accession Number: 0001193125-26-076511

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We maintain a cybersecurity risk management program designed to assess, identify, and manage material risks from cybersecurity threats, including unauthorized access to our information systems and the confidential, proprietary, business, and personal information we process and store. Our cybersecurity risk management processes are integrated into our enterprise risk management framework and are aligned with the National Institute for Standards and Technology Risk Management Framework (NIST RMF), other industry-recognized standards, and contractual requirements. These processes are led under the oversight of our Chief Information Officer (CIO) and implemented by a dedicated information security team in coordination with senior management and other business functions. As part of our cybersecurity risk management processes, we periodically conduct ongoing risk assessments, vulnerability management activities, application security assessments, penetration testing, and security audits to identify and manage cybersecurity risks. We also maintain an enterprise-wide cybersecurity training and awareness program for employees. We engage third parties in connection with our cybersecurity risk management processes, including a managed security service provider that supports security monitoring and incident response in coordination with our internal team. We also engage assessors, consultants, and auditors from time to time to assist with cybersecurity risk assessment, threat identification, and remediation, and we participate in government and industry information-sharing initiatives. We have processes to oversee and manage cybersecurity risks associated with third-party service providers, including through monitoring activities and the use of security controls and technologies. We maintain an incident response plan aligned with NIST RMF that provides for the investigation, containment, escalation, and remediation of cybersecurity incidents, including procedures to assess materiality and escalate potentially material incidents to senior management and the Audit Committee. As of December 31, 2025 , we were not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. Governance In December 2025, Montrose welcomed a new Chief Information Officer (CIO) . Our CIO brings deep expertise in cybersecurity and data privacy, supported by more than 20 years of experience leading technology, security, and digital transformation functions across multiple organizations. His background includes overseeing enterprise security programs, implementing large-scale infrastructure modernization initiatives, and driving the adoption of industry-standard cybersecurity frameworks designed to enhance organizational resilience. 34 Montrose has a dedicated cybersecurity team under the oversight of our CIO that is responsible for defining and overseeing the implementation of Montrose's cybersecurity and data privacy strategies, policies, and procedures. Additionally, a third-party cybersecurity advisor meets with the CIO and cybersecurity team leaders to review strategies and progress. Montrose's Enterprise Cybersecurity Council, consisting of the CIO, Information Security Director, Infrastructure Director, and senior security architects and engineers, is responsible for identifying, assessing, and managing material risks from cybersecurity threats. The council meets monthly to review cybersecurity risks, evaluate performance metrics, and identify areas for improvement. The council monitors progress on cybersecurity-related projects, employee training completion, and phishing response rates. Additionally, the council monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents . Members possess extensive cybersecurity experience and hold certifications such as Certified Information Security Manager (CISM), Certified Information Systems Security Professional, Certified Ethical Hacker, and Cisco Certified Network Associate. The Board oversees Montrose's processes for assessing and mitigating risk, including cybersecurity risk. The Audit Committee maintains delegated oversight of cybersecurity risks, engaging third-party expertise as it determines is needed to advise on infrastructure, policies, and practices. Our CIO briefs the Audit Committee quarterly on cybersecurity and data privacy risks, incidents, and ongoing projects. The full Board receives quarterly updates from the Audit Committee and periodic briefings from the CIO on cybersecurity and data privacy risk management. In accordance with our Incident Response Plan, in the event of a potentially material cybersecurity event, the Audit Committee as well as our General Council, Chief Financial Officer, and CEO would be notified, briefed, and involved in oversight of mitigation, reporting, and recovery measures as appropriate.

Company Information