Montrose Environmental Group, Inc. 10-K Cybersecurity GRC - 2025-03-03

Page last updated on March 3, 2025

Montrose Environmental Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-03 16:00:38 EST.

Filings

10-K filed on 2025-03-03

Montrose Environmental Group, Inc. filed a 10-K at 2025-03-03 16:00:38 EST
Accession Number: 0000950170-25-030806


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Our cybersecurity risk management program is designed to assess, identify, and manage material risks from potential unauthorized breaches of or access to our electronic information systems, and the information we store on our systems. Our program includes a wide variety of mechanisms, controls, technologies, methods, systems and other processes as further described below that are designed to prevent, detect, or mitigate unauthorized access, data loss, theft, misuse or other security incidents and vulnerabilities affecting our systems and the information we store on our systems. The information we store includes confidential, proprietary, business, and personal information of ours, our customers, our employees and other third parties that we collect, process, store and transmit as part of our business. Our program is aligned with the National Institute for Standards and Technology Risk Management Framework (NIST RMF), other industry-recognized standards and our contractual requirements. We also leverage government partnerships, industry and government associations, third-party benchmarking, the results from regular internal and third-party audits, threat intelligence feeds and other similar resources to inform and guide our cybersecurity processes and resource allocation. Additionally, we use processes and third-party technologies to oversee and minimize impact to our data, including two-factor authentication, encryption, Company secured email and dedicated cybersecurity support personnel. Our cybersecurity risk management strategy is led by our Chief Information Security Officer (CISO) and a team of information security and other professionals, as detailed further below, who are responsible for implementing and maintaining our cybersecurity data protection practices.

This team works in close coordination with the Audit Committee of our Board of Directors, which is responsible for oversight of cybersecurity risk, senior management and other business functions and teams across the Company to identify threats by performing risk assessments and analyzing effectiveness of controls against identified risks. As part of our risk management process, our cybersecurity risk management team oversees our vulnerability management practices and conducts routine application security assessments, yearly penetration testing, periodic security audits and ongoing risk assessments designed to identify cybersecurity risks to our environment. We continue to leverage third-party services for security operations through a dedicated managed security service provider to monitor and respond to cyber threats. This provider plays a critical role in mitigating threats to our environment, as well as alerting and responding to events and incidents in close coordination with our internal team. For example, this provider performs searches across live and historical data to provide analysis based on threat intelligence and use cases to develop trends and data models to reduce false positives and enhance search criteria for future use. In addition to our routine practices, we also conduct testing, audits and assessments in connection with acquisitions, the implementation of new software, processes or activities requiring changes in our information technology environment, new cybersecurity events or developments and receipt of new risk intelligence. Further, we have adopted an enterprise-wide cybersecurity training and awareness program requiring all employees to complete annual cybersecurity training. The program is supported with monthly education and simulations with remedial training assignments to increase user awareness.

We maintain an incident response plan (IRP) aligned with NIST RMF when responding to incidents. The IRP sets out a coordinated approach to investigating, containing, documenting and mitigating incidents. Our CISO, with oversight from our Chief Information Officer (CIO), is responsible for executing the relevant cybersecurity incident response plan, which includes response criteria for materiality, applicable requirements for incident disclosure and reporting and escalation procedures to various individuals and departments, including our Audit Committee, key stakeholders, and senior management, including our General Counsel, Chief Financial Officer and Chief Executive Officer, for risks with a potentially material impact for responding to cybersecurity incidents.

In addition to our in-house team and third-party security operations services, we also engage assessors, consultants, auditors and other third parties from time to time to assist with assessing, identifying, and managing cybersecurity risks. For example, we leverage third-party security and compliance companies with subject matter expertise in these areas for threat identification and remediation. We continue to work with the U.S. Department of Defense on assessing cybersecurity risk and on policies and practices aimed at mitigating these risks, including through participation in the Department of Defense’s collaborative information sharing. We also partner with other work groups to support understanding and deployment of the Cybersecurity Maturity Model Certification (CMMC) to promote readiness in complying with cybersecurity requirements for handling CUI and federal contract requirements.

As of December 31, 2024, we were not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition.

Cybersecurity and Data Privacy Oversight

Montrose maintains a dedicated cybersecurity team, led by our CISO and reporting to our CIO. Our CIO has deep expertise in cybersecurity and data management, as well as technical strategy and infrastructure, as part of his over 20 years of experience serving in this and similar roles across multiple organizations. Furthermore, our CISO is a Certified Information Security Manager (CISM) and brings over 25 years of experience in information technology, governance, compliance, and risk management. The CISO is responsible for developing and deploying Montrose’s overall cybersecurity and data privacy strategy, policies, procedures, and threat detection and response actions, with the support of Montrose’s cybersecurity team. The cybersecurity team implements Montrose’s cybersecurity and data privacy policies and procedures, including governance, compliance, and risk management practices, to safeguard Montrose’s information systems and data. Collectively, the CISO and the cybersecurity team manage and evolve Montrose’s cybersecurity posture with the objective of preventing cybersecurity incidents and increasing system resiliency to minimize business impact should an incident occur.

At the management level, Montrose’s Enterprise Cybersecurity Council, consisting of our CIO, CISO, Director of Information Security, Director of Infrastructure, and senior security architects and engineers, meets monthly to review and assess cybersecurity risks and evaluate performance metrics to identify areas for continual improvement and system strengthening. Furthermore, the Council reviews project implementation status for targeted cybersecurity measures and tracks employee cybersecurity training completion and phishing email response rates. Council members have extensive cybersecurity experience and hold certifications including CISM, Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH) and Cisco Certified Network Associate (CCNA).

The Board of Directors oversees management’s processes for identifying and mitigating risks, including cybersecurity risks. The Audit Committee maintains delegated oversight of cybersecurity risks, bringing in third-party expertise as needed to advise on cybersecurity infrastructure, policies, and practices. Our CIO and CISO brief the Audit Committee quarterly, at a minimum, on Montrose’s cybersecurity risks, business-impacting incidents, and ongoing and future cybersecurity project implementations. In addition, the Audit Committee’s third-party cybersecurity advisor meets regularly with the CIO and CISO to review our cybersecurity strategy and our continued progress toward meeting our objectives. The full Board of Directors receives quarterly updates from the Audit Committee regarding its oversight of cybersecurity risks and is also periodically briefed on our cybersecurity risk management program directly by our CIO and CISO. In accordance with our Incident Response Plan, in the event of a potentially material cybersecurity event, the Audit Committee as well as our General Counsel, Chief Financial Officer, and CEO would be notified, briefed, and involved in oversight of mitigation, reporting, and recovery measures as appropriate.


Company Information

Name: Montrose Environmental Group, Inc.
CIK: 0001643615
SIC Description: Services-Management Consulting Services
Ticker: MEG - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30