Huron’s engagements and its internal operations often involve accessing, processing, handling, creating, or storing confidential and proprietary data. We have an enterprisewide privacy program that applies to all Huron entities and subsidiaries, which continues to evolve with changing privacy laws and our growing business. This program is directly overseen by the Huron board's Technology & Information Security Committee, as well as our chief compliance and privacy officer (CCO). Huron is committed to protecting data privacy globally in compliance with the applicable data protection laws where we operate around the world. Huron maintains a public Privacy Statement that outlines how we collect, handle, store, and protect personal information gathered as part of our services. It also provides individuals with information on how they can contact Huron with questions regarding their privacy rights. Under our Global Information Security Policy, as well as Huron’s Code of Business Conduct and Ethics (the Code), all employees and contractors are required to keep confidential information safe from loss, theft, or accidental exposure; comply with all Huron policies regarding data collection and processing; and implement appropriate safeguards to protect confidential information.
Huron is certified compliant with ISO 27001, the international standard for information security management systems. To achieve and maintain certification, Huron is regularly audited by an independent, accredited third-party certification body. Our cybersecurity program is aligned with industry standards and continuously evolves to detect and protect against existing and emerging threats to our data and our clients’ data. A dedicated team of Huron IT security experts, led by the director of infrastructure and security, implements our cybersecurity controls and practices, including authentication controls, authorization controls, audit controls, and encryption. In addition, the company utilizes a threat and vulnerability management and penetration testing program to detect new vulnerabilities and assign priority remediation.
Huron also has an Information Security Management System (ISMS) Steering Committee, which acts as the strategy and review body governing the company’s information security policies and practices. The Steering Committee comprises representatives from Huron’s executive leadership team. Huron’s daily ISMS activities are overseen by a dedicated governance, risk, and compliance team.
The company’s cybersecurity program is overseen by the chief information officer (CIO), who reports to the company’s chief financial officer. In addition, the CIO regularly updates the Technology and Information Security Committee on the company’s technology-related strategies, investments, and operational impacts and technology-related risks, including information security, data protection, cybersecurity, and business continuity.
Huron requires all employees to complete cybersecurity and privacy training at the time of onboarding and annually thereafter. Additional subject-matter-specific training is also provided to our employees who have access to patient healthcare records and similar sensitive information in the course of carrying out services for our clients.
Huron is committed to responsibly serving all stakeholders in a sustainable manner. More details on these efforts can be found in our SASB Addendum included in this report.
Our business depends on the reputation of each employee for integrity and principled business conduct. Huron’s Code of Business Conduct and Ethics (the Code) is designed to help our employees understand our standards and expectations regarding individual and business conduct and to help employees make good decisions. The Code highlights our ethical way of doing business, which we believe is essential to our reputation as a leading consulting firm. We hold our employees to the highest standards and expect all employees to comply with the laws, rules, and regulations that apply to our business. However, the requirements contained in the Code may go beyond the requirements of the law. We believe our conduct should also demonstrate ethical leadership and promote a work environment that upholds our reputation for integrity, transparency, responsibility, and trust. Among other things, the Code requires employees to disclose certain personal conflicts of interest and maintain the confidentiality of information entrusted to them by the company and prohibits the use of company property or information for improper personal gain.
The Code is supplemented by other policies that address specific issues in more detail, such as our Insider Trading Policy, Discrimination and Harassment Policy, and Global Information Security Policy. Huron expects that our vendors, contractors, and third-party representatives meet or exceed our standards when dealing with our clients and representing Huron to the public. We remain vigilant to minimize any exposure to the risk of slavery or human trafficking in our supply chain and will periodically assess our vendor contracts and sourcing processes to ensure that our zero tolerance towards slavery, unlawful child labor, and human trafficking is upheld. These expectations are reflected in our Supplier Code of Conduct. We also require all employees and business finders working on our behalf to adhere to the Company’s Anti-Bribery and Corruption Policy, which prohibits activity that may attempt to secure an improper advantage in obtaining or retaining business. Charitable contributions made on behalf of the company must be reviewed and approved by the Charitable Contributions Committee to avoid any potential conflict of interest and ensure that the contribution will not be perceived as an attempt to improperly influence the recipient. In addition, Huron prohibits the use of company funds, assets, services, or facilities on behalf of a political party or candidate, and the company does not reimburse employees for any personal contributions the employee makes to a political party or candidate.
We reinforce our expectations of all employees through regular compliance communications and training, including mandatory courses on preventing sexual harassment in the workplace and data security and privacy as well as a comprehensive review exercise covering our primary compliance policies and procedures. Additional training is provided to employees who may be engaged in more high-risk areas, such as the protection of protected health information (PHI) subject to the Health Insurance Portability and Accountability Act (HIPAA) or securing client data and technology subject to U.S. export control laws. Employees are strongly encouraged to ask questions if they need guidance on our policies. They are also encouraged to use Huron’s 24-hour help line, which is hosted by a third party, to ask questions or report any potential ethical concerns or violations of our policies, applicable laws, rules, or regulations without fear of retaliation. Employees can reach the help line via the internet or telephone and have the option to remain anonymous.
Reports received through the help line are thoroughly investigated, and if warranted, appropriate disciplinary action is taken against the violator. Further, our Code sets forth the responsibility that all individuals working on Huron’s behalf have to maintain a respectful environment, and employees in management positions have an enhanced responsibility to foster a workplace that supports diversity, honesty, integrity, respect, and trust. In addition, employees have a duty to strictly comply with our workplace procedures and practices and all laws, regulations, or other directives designed to ensure their health and safety; refrain from any conduct that they know is dangerous to their own health and safety or to others in the workplace; and advise the company of any dangerous or hazardous workplace conditions of which they are aware. Our Code is administered by our CCO, who reports directly to the company’s general counsel and indirectly to the Audit Committee of the Board. The CCO provides a quarterly report to the Audit Committee detailing investigations concerning violations of company policies or ethical concerns and any resulting disciplinary actions.
At Huron, we are committed to conducting our business in a manner that is environmentally, socially, and ethically responsible. We believe that by taking a holistic approach to sustainability, we are not only doing our part to protect the planet and support our communities, but also positioning ourselves for long-term success.