ICF International, Inc. - (ICFI)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY

As discussed in the “Item 1A. Risk Factors – Privacy, Cybersecurity, Technology, and Data Protection Risks”, we face certain ongoing risks from cybersecurity threats and recognize the critical importance of effective cybersecurity risk management in today's interconnected digital landscape. As part of our commitment to safeguarding our operations, sensitive data, and stakeholder trust, we have implemented robust cybersecurity practices and governance.

Cybersecurity Risk Management Program

We regularly assess and identify potential cybersecurity risks that could impact our business, financial condition, or reputation. Our risk assessment process includes:

Enterprise Risk Management: We maintain an enterprise risk management process that embeds cybersecurity within the risk assessment strategy.
Threat Landscape Analysis: We monitor emerging threats, vulnerabilities, and attack vectors relevant to our industry and business operations.
Risk Scenarios: We evaluate potential scenarios, considering both internal and external threats, to understand their potential impact.
Risk Quantification: We assess the likelihood and potential financial, operational, and reputational impact of identified risks.

Our risk mitigation strategy focuses on measures to prevent, detect, and respond to cybersecurity incidents. The primary components of our risk mitigation strategy include:

Security Controls: We maintain a comprehensive set of controls aligned with industry standards such as the National Institute of Standards and Technology (“NIST”) framework and the International Organization for Standardization (“ISO”) 27001 standard to protect our systems, networks, and data.
Incident Response Plan: We have a well-defined incident response plan that outlines roles, responsibilities, and procedures for handling cybersecurity incidents.
Employee Training and Awareness: We have training programs to ensure that our employees understand their role in maintaining a secure environment and recognize potential threats.
Third-party Risk Assessment and Management: We assess and manage cybersecurity risks associated with our vendors, partners, and service providers.

Our approach to information security follows a defense-in-depth methodology in which security is embedded throughout the system architecture. Technical controls rely on proven technologies, such as network-based intrusion detection systems, next-generation firewalls with advanced threat detection, secure server networks, demilitarized zones, and endpoint detection and response capabilities. Security techniques, such as encryption at rest and encryption in transit, are applied where relevant. We undergo annual third-party security assessments, including security control compliance reviews, incident response exercises, penetration testing, and red team drills, to maintain the effectiveness of the security program.

Our critical corporate information systems are maintained in a commercial grade data center with climate controls, fire suppression, redundant power, and several telecommunication options. The data center is designed to host mission-critical computer systems with fully redundant subsystems and compartmentalized security zones. Our primary data center also undergoes independent assessment on an annual basis. Our computing infrastructures are protected by multiple independent layers of security measures managed by the corporate information security department. Our approach to accessing protected networks is based on the principle of least privilege.

Notwithstanding the vigorous approach we take to cybersecurity, we may not always be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. To date, we have not identified cybersecurity risks, threats, or incidents that have materially affected us, including our operations, business strategy, results of operations, or financial conditions.

Cybersecurity Governance and Oversight

Our Board, directly or through its committees, is responsible for the oversight of the Company's overall enterprise risk management program that includes cybersecurity risks. Our Audit Committee regularly reviews and evaluates cybersecurity risks and the procedures and policies implemented by management to identify, manage, and mitigate such risks.

Management is responsible for day-to-day assessment and management of cybersecurity risks. Our Chief Information Officer (the “CIO”) has primary oversight of material risks from cybersecurity threats. He has over 40 years of professional experience across various engineering, business, and management roles. Directly reporting to our CIO are our Deputy Chief Information Officer (the “Deputy CIO”), who has over 30 years of experience leading the implementation of various IT infrastructure and systems, and our Chief Information Security Officer (the “CISO”), who has over 20 years of specific cybersecurity experience and is responsible for maintaining compliance with applicable security requirements. The CIO and the CISO have a combined tenure of over 33 years with the Company in various progressive management roles in information systems and technology and information security.

The CIO and the CISO conduct regular meetings with the Audit Committee and the Board to communicate updates on cybersecurity risks, incidents, and mitigation efforts. The CISO and our security staff provide ongoing support to internal operations and oversight of the systems within our enterprise network that offer services to our clients. Our security staff is also augmented by an industry-recognized security operations center, where our systems are continuously monitored.