ICF International, Inc. - (ICFI)
10-K Filing Date: February 28, 2024
As discussed in the “Item 1A. Risk Factors – Privacy, Cybersecurity, Technology, and Data Protection Risks”, we face certain ongoing risks from cybersecurity threats and recognize the critical importance of effective cybersecurity risk management in today's interconnected digital landscape. As part of our commitment to safeguarding our operations, sensitive data, and stakeholder trust, we have implemented robust cybersecurity practices and governance.
Cybersecurity Risk Management Program
We regularly assess and identify potential cybersecurity risks that could impact our business, financial condition, or reputation. Our risk assessment process includes:
Our risk mitigation strategy focuses on measures to prevent, detect, and respond to cybersecurity incidents. The primary components of our risk mitigation strategy include:
Our approach to information security follows a defense-in-depth methodology in which security is embedded throughout the system architecture. Technical controls rely on proven technologies, such as network-based intrusion detection systems, next-generation firewalls with advanced threat detection, secure server networks, demilitarized zones, and endpoint detection and response capabilities. Data is protected with encryption at rest and encryption in transit, consistent with relevant industry practices. We undergo annual third-party security assessments, including security control compliance reviews, incident response exercises, penetration testing, and red team drills, to maintain the effectiveness of the security program.
Our critical corporate information systems are maintained in a commercial-grade data center with climate controls, fire suppression, redundant power, and several telecommunication options. The data center is designed to host mission-critical computer systems with fully redundant subsystems and compartmentalized security zones. Our primary data center also undergoes independent assessment on an annual basis. Our computing infrastructure is protected by multiple independent layers of security measures managed by the corporate information security department. Access to protected networks is granted on the principle of least privilege.
Notwithstanding the vigorous approach we take to cybersecurity, we may not always be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. To date, we have not identified cybersecurity risks, threats, or incidents that have materially affected us, including our operations, business strategy, results of operations, or financial condition.
Cybersecurity Governance and Oversight
Our Board, directly or through its committees, is responsible for the oversight of the Company's overall enterprise risk management program that includes cybersecurity risks. Our Audit Committee regularly reviews and evaluates cybersecurity risks and the procedures and policies implemented by management to identify, manage, and mitigate such risks.
Management is responsible for day-to-day assessment and management of cybersecurity risks. Our Chief Information Officer (the “CIO”) has primary oversight of material risks from cybersecurity threats. He has over 40 years of professional experience across various engineering, business, and management roles. Directly reporting to our CIO are our Deputy Chief Information Officer (the “Deputy CIO”), who has over 30 years of experience leading the implementation of various IT infrastructure and systems, and our Chief Information Security Officer (the “CISO”), who has over 20 years of specific cybersecurity experience and is responsible for maintaining compliance with applicable security requirements. The CIO and the CISO have a combined tenure of over 33 years with the Company in various progressive management roles in information systems and technology and information security.
The CIO and the CISO conduct regular meetings with the Audit Committee and the Board to communicate updates on cybersecurity risks, incidents, and mitigation efforts. The CISO and our security staff provide ongoing support to internal operations and oversight of the systems within our enterprise network that deliver services to our clients. Our security staff is also augmented by an industry-recognized security operations center, through which our systems are continuously monitored.