IQVIA HOLDINGS INC. - (IQV)

10-K Filing Date: February 15, 2024
Item 1C. Cybersecurity

Our Board actively oversees our enterprise risk management program. Our Board’s role in risk oversight is consistent with our overall leadership structure: management is responsible for assessing and managing our short- and long-term risk exposures, and our Board and its committees provide effective oversight through independent monitoring of strategic risks and regularly scheduled meetings with management to discuss in-depth the strategic objectives of the Company and associated risks. In order to maintain effective Board oversight across the entire enterprise risk management program, the Board delegates to the individual committees certain elements of its oversight function. The Audit Committee of the Board has oversight of cybersecurity risk and receives regular updates on any developments from our Chief Information Security Officer (“CISO”), including biannual updates on strategies and action plans, with periodic reports provided to our full Board.

We have an Enterprise Risk Council made up of leaders from our principal functional areas and business units that meets on a quarterly basis to update our enterprise risk framework used to identify and manage our key risks, including cybersecurity. Cybersecurity is a standing item on our Enterprise Risk Council agenda and our cybersecurity team regularly presents its work to the Enterprise Risk Council to enable evolving risks to be integrated into our management processes. All cybersecurity processes and frameworks are created by the Global Information Security team, led by our CISO. Our CISO has a Systems Engineer degree in Computer Science from St. Petersburg University of Information Technology and gained experience in the manufacturing, consultancy, and energy industries prior to joining the Company in 2012. Our CISO is a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Information Technology Infrastructure Library (ITIL) v3 Expert, and Certified in Risk and Information Systems Control (CRISC).

Our Integrated Information Security Framework ("IISF") defines the policies and processes we have in place to safeguard proprietary and confidential information. Our IISF is based on relevant industry frameworks and laws, including, but not limited to, National Institute of Standards and Technology ("NIST") standards, Good Practice (GxP) quality guidelines, Health Information Trust Alliance (HITRUST), the ISMS family of standards (ISO 27000 family), Control Objectives for Information and Related Technologies (COBIT), the EU General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The framework consists of policies, standards, procedures, work instructions and documentation. Information is classified into four categories to help individuals apply the right level of controls and safeguards to information, applications and systems. In 2023, we mapped our procedures to NIST standards to align them with industry practice in an effort to create a first-in-class approach. Our global data centers and IT controls are included in an annual SOC 2 Type II attestation program carried out by an independent audit firm that performs control testing and issues reports. Our set of SOC 2 controls is aligned with the ISO 27001 specification and therefore provides an equivalent level of assurance on a global level. Additionally, our cybersecurity controls are regularly assessed as part of our global Internal Audit plan, and the maturity of our Information Security program is also assessed at least annually with the help of independent consultants.

Our internal Business Information Security Office ("BISO"), established in 2022, continues to streamline communications between our IT function and business units. The BISO connects several key functions, including Chief Information Officer Business Partnership, business continuity, governance, risk, and compliance.

Our cybersecurity program focuses on all areas of our business, including cloud-based environments, data centers, devices used by employees and contractors, facilities, networks, applications, vendors, disaster recovery / business continuity and controls and safeguards enabled through business processes and tools. We continuously monitor for threats and unauthorized access. We learn of security threats through automated detection solutions as well as reports from users and business partners. We draw on the knowledge and insight of external cybersecurity experts and vendors and employ an array of third party tools to secure IQVIA information infrastructure and protect systems and information from unauthorized access. We manage risk in our supply chain through engagement with suppliers and vendors, including vendor on-boarding risk assessments, ongoing oversight, and independent cyber-reputation score monitoring for key suppliers.

Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. To protect against such threats, we employ an array of data security technologies, processes and methods across our infrastructure to protect systems and sensitive information from unauthorized access. We maintain comprehensive identity and access management practices (e.g., roles and access privileges for each user; multi-factor authentication, privileged user accounts, single sign-on, user lifecycle management) and employ a variety of security information and event management tools. Non-technical safeguards also play an important role in our cybersecurity program. We provide various training programs and tools to employees so they can avoid risky practices and help us promptly identify potential or actual issues. We also have global incident response procedures, global service tools to log incidents and issues for investigation, and an ethics line to report concerns and follow-up on matters already reported. For more information on our cybersecurity related risks, see Item 1A Risk Factors in this Annual Report on Form 10-K.