Medpace Holdings, Inc. - (MEDP)

10-K Filing Date: February 13, 2024
Item 1C. Cybersecurity
The Company has adopted standard operating procedures and processes designed to monitor, detect, evaluate and respond to cybersecurity incidents that impact and jeopardize sensitive data stored on the Company’s internal systems or on third-party systems utilized by the Company. Because the importance and sensitivity of information utilized by the Company varies, the Company applies different levels of protection according to a defined data classification matrix. The Company has implemented a data classification policy to ensure that all data utilized, or housed by or on behalf of the Company, is identified, classified, labeled, properly handled and protected in accordance with its risk profile and as may be required by applicable law. A Data Classification Steering Committee comprised of the Chief Executive Officer (CEO), the President and the General Counsel oversees and approves this classification policy. The Company’s Information Security team, a group with expertise in cybersecurity that is within the Information Technology function, operating under the direction of the Company’s Chief Information Officer (CIO), is responsible for monitoring data classification ratings and implementing control solutions to protect data in accordance with the classification assigned. The Company's Information Security team has appropriate experience in information technology roles. The Information Security team also evaluates third-party service providers that store sensitive Company data to ensure reputability, and the Company reviews service auditor reports annually as may be available. The Company engages third-party services to conduct evaluations of security controls, whether through penetration testing, automated vulnerability scanning, independent audits or consulting on best practices to address new challenges. These evaluations include testing both the design and operational effectiveness of security controls.
The Company regularly tests defenses by performing simulations and drills at both a technical level (including through penetration tests) and by reviewing operational policies and procedures with third-party experts. The Company also shares and receives threat intelligence with its defense industrial base peers, government agencies, information sharing and analysis centers and cybersecurity associations. Third parties are expected to communicate cybersecurity incidents to the Company in a timely manner.

We have adopted several measures aimed at protecting against cybersecurity breaches and minimizing disruption if a data breach were to occur. Such measures include documenting, among other things: (i) incident response plans; (ii) procedures for identifying and reporting an incident; and (iii) procedures for containing and eradicating known threats and restoring service to the impacted systems. Upon identification of a cybersecurity event, our policies guide how to handle the incident based on the incident severity and include information about the required response times, communication protocols and the preparation and dissemination of reporting to management. The severity of an incident is classified as “high”, “medium” or “low” based on the sensitivity and type of data compromised, the criticality of the system to the Company’s operations and its ability to function for users, and the anticipated recovery time and remediation resources required. Incidents classified as “high” must be communicated immediately, along with regular progress updates, to the CEO, the President, the Chief Financial Officer (CFO), the General Counsel, the CIO and various members of the Information Technology team. High severity events require a sustained response effort using all available resources, which may include engaging third parties to assist in the resolution process as necessary, until resolved.

Once the Company gathers sufficient information about a high severity incident, it is evaluated for materiality, both individually and in the aggregate with any other incidents, by a management sub-committee comprised of the President, CFO, CIO and General Counsel. This sub-committee may engage or consult with third parties. Criteria used to evaluate materiality include both quantitative and qualitative factors, including, but not limited to, financial loss, risk to reputation and competitiveness, harm to customer or vendor relationships and the potential for litigation or regulatory investigations. Incidents determined to be material are then communicated immediately to the CEO and then to the Board of Directors after such determination, and disclosed in an 8-K within 4 business days of such determination.

As a part of the Company's overall integrated approach to risk management, the Company assesses, identifies and manages cybersecurity-related risks. The full Board of Directors provides an additional level of cybersecurity risk oversight.

Medpace assesses and evaluates cybersecurity risk using the framework established by the National Institute of Standards and Technology (NIST). Bi-annually, at meetings of the Board of Directors, utilizing the NIST framework standards as a guide, the Information Technology team discusses the Company’s cybersecurity mitigation and resolution maturity and readiness. The Information Technology team’s reports to the Board also include reviews and evaluations of key cybersecurity risk focus areas and initiatives, as well as quantitative incident occurrence information.

See Item 1A. “Risk Factors” of Part I of this Annual Report on Form 10-K for discussion of cybersecurity risks that are reasonably likely to materially affect the Company.