Page last updated on February 13, 2025
IQVIA HOLDINGS INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-13 07:39:45 EST.
Filings
10-K filed on 2025-02-13
IQVIA HOLDINGS INC. filed a 10-K at 2025-02-13 07:39:45 EST
Accession Number: 0001478242-25-000045
Item 1C. Cybersecurity.
Our Board actively oversees our enterprise risk management program. Our Board’s role in risk oversight is consistent with our overall leadership structure: management is responsible for assessing and managing our short- and long-term risk exposures, and our Board and its committees provide effective oversight through independent monitoring of strategic risks and regularly scheduled meetings with management to discuss in-depth the strategic objectives of the Company and associated risks. In connection with Board oversight across the entire enterprise risk management program, the Board delegates to the individual committees certain elements of its oversight function. The Audit Committee of the Board has oversight of cybersecurity risk and receives regular updates on any developments from our Chief Information Security Officer (“CISO”), including biannual updates on strategies and action plans, with periodic reports provided to our full Board. We have an Enterprise Risk Council made up of leaders from our principal functional areas and business units that meets on a quarterly basis to update our enterprise risk framework used to identify and manage our key risks, including cybersecurity. Cybersecurity is a standing item on our Enterprise Risk Council agenda and our cybersecurity team regularly presents its work to the Enterprise Risk Council to enable evolving risks to be integrated into our management processes. The Global Information Security team, led by our CISO, creates cybersecurity processes and frameworks for use throughout IQVIA. Our CISO is an experienced cybersecurity leader with over 25 years of experience in security, technology and risk management, and has previously served as a public company CISO for a global financial services firm, where he spent 18 years serving in roles of increasing responsibility, leading large cross-functional security and technology teams.
The IQVIA cybersecurity program employs policies, procedures, guidelines, training, communications, tools, assessments and other methods and resources to identify and manage cybersecurity risks. Our Integrated Information Security Framework (“IISF”) defines minimum controls and safeguards used to safeguard proprietary and confidential information. Our IISF is based on relevant industry frameworks and laws, including, but not limited to National Institute of Standards and Technology (“NIST”), Good Practices Quality Guidelines (GxP), Health Information Trust Alliance (HITRUST), the ISMS Family of Standards (ISO 27000 family), Control Objectives for Information Technologies (COBIT), the EU General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The framework is integrated with IQVIA policies, standards, procedures, work instructions, documentation and development and oversight activities. Information is classified into four categories to help individuals apply the right level of controls and safeguards to information, applications and systems. In 2023, we conducted a mapping of the IISF with the NIST framework to make it easier for customers and other stakeholders to understand how IQVIA’s cybersecurity program aligns with published frameworks. Our global data centers and IT controls are included in an annual SOC2 Type II attestation program carried out by an independent audit firm who performs control testing and issues reports. Our set of SOC2 controls is aligned with ISO27001 specification and therefore provides an equivalent level of assurance on a global level. Additionally, our cybersecurity controls are regularly assessed as part of our global Internal Audit plan, and the maturity of our Information Security program is also regularly assessed on at least an annual basis with the help of independent consultants. 
Our internal Business Information Security Office (“BISO”), established in 2022, continues to streamline communications between our IT function and business units. The BISO connects several key functions, including the Chief Information Officer Business Partnership, business continuity, governance, risk management, and compliance. Our cybersecurity program focuses on all areas of our business, including cloud-based environments, data centers, devices used by employees and contractors, facilities, networks, applications, vendors, disaster recovery / business continuity and controls and safeguards enabled through business processes and tools. We continuously monitor for threats and unauthorized access. We learn of security threats through automated detection solutions as well as reports from users and business partners. We draw on the knowledge and insight of external cybersecurity experts and vendors and employ an array of third party tools to secure IQVIA information infrastructure and protect systems and information from unauthorized access. We manage risk in our supply chain through engagement with suppliers and vendors, including vendor on-boarding risk assessments, ongoing oversight, and independent cyber-reputation score monitoring for key suppliers. Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. To protect against such threats, we employ an array of data security technologies, processes and methods across our infrastructure to protect systems and sensitive information from unauthorized access.
We maintain comprehensive identity and access management practices (e.g., roles and access privileges for each user; multi-factor authentication, privileged user accounts, single sign-on, user lifecycle management) and employ a variety of security information and event management tools. Non-technical safeguards also play an important role in our cybersecurity program. We provide standard operating procedures, work instructions, guidelines, communications, training programs, tools and other documentation and resources to help employees avoid risky practices, help us promptly identify potential or actual issues and employ cybersecurity requirements in their day-to-day work. We also have global incident response procedures, global service tools to log incidents and issues for investigation, and an ethics line to report concerns and follow-up on matters already reported. For more information on our cybersecurity related risks, see Item 1A Risk Factors in this Annual Report on Form 10-K.
Company Information
Name | IQVIA HOLDINGS INC. |
CIK | 0001478242 |
SIC Description | Services-Commercial Physical & Biological Research |
Ticker | IQV - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |