Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. Accordingly, the company takes a comprehensive approach to identifying and managing cybersecurity risks that involves the company's Information Security functional team, senior management, and our board of directors in coordination with the Technology and Information Security (“T&IS”) Committee and the Audit Committee of our board of directors. Our cybersecurity risk management function is a component of our overall approach to risk management, including coordination with our Enterprise Risk Management Committee.
Our cybersecurity risks include, among other things: operational risks, malicious attacks, improper employee or contractor access, harm to employees or customers and violation of data privacy, intellectual property or security laws. Although, as of the date of this Form 10-K, Huron has not experienced a cybersecurity incident that resulted in a material adverse impact to our business or operations, there can be no guarantee that we will not experience such an incident in the future. Further details about the cybersecurity risks we face are described under Item 1A. “Risk Factors.”
We have a cybersecurity program that focuses on implementing risk-based controls, technologies, and other processes. We aim to incorporate industry best practices throughout our cybersecurity program, including the frameworks established by the National Institute of Standards and Technology (“NIST”), the Cybersecurity and Infrastructure Security Agency (“CISA”), and other applicable industry standards. To augment our in-house capabilities, we leverage expertise from professional services firms and/or outside counsel, as needed, to assess our cybersecurity controls, and collaborate on an ever-changing landscape. Our cybersecurity program conforms with ISO/IEC 27001:2022 and our most recent recertification was in 2024.
We use various mechanisms to detect and monitor cybersecurity threats, including monitoring unusual network activity, conducting annual security awareness training for employees, deploying phishing test campaigns, maintaining containment and incident response tools, and reviewing, updating and improving our Incident Response Plan annually. We also conduct tabletop exercises to simulate responses to cybersecurity incidents. During these exercises, our team of cybersecurity professionals collaborate with technical and business stakeholders across the organization to further analyze the risk to the company and form detection, mitigation, and remediation improvements. We also engage third parties, including assessors, consultants, and auditors to assess our cybersecurity control environment and to test the vulnerability of our cybersecurity infrastructure at least annually.
Our risk management program also assesses risks associated with third-party service providers. Such providers are subject to an onboarding process and may be reevaluated periodically. We use a variety of inputs in such risk assessments, including information supplied by the providers themselves and other third parties. In addition, our contracts with our service providers require them to adhere to mutually agreed upon security requirements, controls and responsibilities, as applicable.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
We have a cybersecurity program that focuses on implementing risk-based controls, technologies, and other processes. We aim to incorporate industry best practices throughout our cybersecurity program, including the frameworks established by the National Institute of Standards and Technology (“NIST”), the Cybersecurity and Infrastructure Security Agency (“CISA”), and other applicable industry standards. To augment our in-house capabilities, we leverage expertise from professional services firms and/or outside counsel, as needed, to assess our cybersecurity controls, and collaborate on an ever-changing landscape. Our cybersecurity program conforms with ISO/IEC 27001:2022 and our most recent recertification was in 2024.
We use various mechanisms to detect and monitor cybersecurity threats, including monitoring unusual network activity, conducting annual security awareness training for employees, deploying phishing test campaigns, maintaining containment and incident response tools, and reviewing, updating and improving our Incident Response Plan annually. We also conduct tabletop exercises to simulate responses to cybersecurity incidents. During these exercises, our team of cybersecurity professionals collaborate with technical and business stakeholders across the organization to further analyze the risk to the company and form detection, mitigation, and remediation improvements.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
Although, as of the date of this Form 10-K, Huron has not experienced a cybersecurity incident that resulted in a material adverse impact to our business or operations, there can be no guarantee that we will not experience such an incident in the future.
Cybersecurity Risk Board of Directors Oversight [Text Block]
Our cybersecurity program is overseen by the leaders of our Information Security functional team, which is led by our Chief Information Officer (“CIO”) who has over 30 years of relevant work experience. Prior to joining Huron in 2018, our CIO served in various information security and information technology roles in the professional services industry for several large, public companies and executed large-scale, global implementations of business applications and infrastructure technologies in a manner designed to mitigate cybersecurity risks. Our CIO reports on a quarterly basis to Huron's internal Information Security Management System (“ISMS”) Committee, which has the primary responsibility for assessing and managing material cybersecurity risks. The ISMS Committee, which includes members of our executive and senior leadership teams, our CIO and other functional team leaders, reviews, approves and establishes ISMS specific goals and objectives, reviews policy updates and approves the annual IT risk assessment, which identifies impacts, threats and controls related to IT assets utilized across the enterprise.
Our board of directors, in coordination with its T&IS Committee, oversees the governance of the Company’s technology-related risks, including information security, data protection, cybersecurity, vendor, fraud, and business continuity risks, and technology-related strategies. The T&IS Committee receives quarterly updates from the CIO, including existing and new cybersecurity risks, the management and/or mitigation of such risks, material cybersecurity incidents (if any), and status on key cybersecurity initiatives. Our board also actively participates in discussions with management on cybersecurity-related news events and discusses any updates to our cybersecurity risk management and strategy programs.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
Our cybersecurity program is overseen by the leaders of our Information Security functional team, which is led by our Chief Information Officer (“CIO”) who has over 30 years of relevant work experience. Prior to joining Huron in 2018, our CIO served in various information security and information technology roles in the professional services industry for several large, public companies and executed large-scale, global implementations of business applications and infrastructure technologies in a manner designed to mitigate cybersecurity risks. Our CIO reports on a quarterly basis to Huron's internal Information Security Management System (“ISMS”) Committee, which has the primary responsibility for assessing and managing material cybersecurity risks. The ISMS Committee, which includes members of our executive and senior leadership teams, our CIO and other functional team leaders, reviews, approves and establishes ISMS specific goals and objectives, reviews policy updates and approves the annual IT risk assessment, which identifies impacts, threats and controls related to IT assets utilized across the enterprise.
Our board of directors, in coordination with its T&IS Committee, oversees the governance of the Company’s technology-related risks, including information security, data protection, cybersecurity, vendor, fraud, and business continuity risks, and technology-related strategies. The T&IS Committee receives quarterly updates from the CIO, including existing and new cybersecurity risks, the management and/or mitigation of such risks, material cybersecurity incidents (if any), and status on key cybersecurity initiatives. Our board also actively participates in discussions with management on cybersecurity-related news events and discusses any updates to our cybersecurity risk management and strategy programs.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
Our board of directors, in coordination with its T&IS Committee, oversees the governance of the Company’s technology-related risks, including information security, data protection, cybersecurity, vendor, fraud, and business continuity risks, and technology-related strategies. The T&IS Committee receives quarterly updates from the CIO, including existing and new cybersecurity risks, the management and/or mitigation of such risks, material cybersecurity incidents (if any), and status on key cybersecurity initiatives. Our board also actively participates in discussions with management on cybersecurity-related news events and discusses any updates to our cybersecurity risk management and strategy programs.
Cybersecurity Risk Role of Management [Text Block]
Our CIO reports on a quarterly basis to Huron's internal Information Security Management System (“ISMS”) Committee, which has the primary responsibility for assessing and managing material cybersecurity risks. The ISMS Committee, which includes members of our executive and senior leadership teams, our CIO and other functional team leaders, reviews, approves and establishes ISMS specific goals and objectives, reviews policy updates and approves the annual IT risk assessment, which identifies impacts, threats and controls related to IT assets utilized across the enterprise.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
Our cybersecurity program is overseen by the leaders of our Information Security functional team, which is led by our Chief Information Officer (“CIO”) who has over 30 years of relevant work experience. Prior to joining Huron in 2018, our CIO served in various information security and information technology roles in the professional services industry for several large, public companies and executed large-scale, global implementations of business applications and infrastructure technologies in a manner designed to mitigate cybersecurity risks. Our CIO reports on a quarterly basis to Huron's internal Information Security Management System (“ISMS”) Committee, which has the primary responsibility for assessing and managing material cybersecurity risks. The ISMS Committee, which includes members of our executive and senior leadership teams, our CIO and other functional team leaders
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
Our cybersecurity program is overseen by the leaders of our Information Security functional team, which is led by our Chief Information Officer (“CIO”) who has over 30 years of relevant work experience. Prior to joining Huron in 2018, our CIO served in various information security and information technology roles in the professional services industry for several large, public companies and executed large-scale, global implementations of business applications and infrastructure technologies in a manner designed to mitigate cybersecurity risks. Our CIO reports on a quarterly basis to Huron's internal Information Security Management System (“ISMS”) Committee, which has the primary responsibility for assessing and managing material cybersecurity risks. The ISMS Committee, which includes members of our executive and senior leadership teams, our CIO and other functional team leaders,
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
Our CIO reports on a quarterly basis to Huron's internal Information Security Management System (“ISMS”) Committee, which has the primary responsibility for assessing and managing material cybersecurity risks. The ISMS Committee, which includes members of our executive and senior leadership teams, our CIO and other functional team leaders, reviews, approves and establishes ISMS specific goals and objectives, reviews policy updates and approves the annual IT risk assessment, which identifies impacts, threats and controls related to IT assets utilized across the enterprise.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true