Managing responsibly

Protecting data privacy and ensuring cybersecurity

Safeguarding the confidentiality and integrity of data is paramount to Huron’s operations, both in our engagements and internal processes. We maintain a comprehensive enterprisewide privacy program that extends to all Huron entities and subsidiaries. This program is adaptable to evolving state and global privacy laws and our expanding business landscape. Oversight for this program is provided by the Huron board’s Technology & Information Security Committee, along with guidance from our chief compliance and privacy officer (CCO).

At Huron, our commitment to global data privacy aligns with applicable data protection laws in the jurisdictions where we operate. We provide a publicly accessible Privacy Statement that outlines the procedures for collecting, handling, storing, and safeguarding personal information acquired during our service delivery. This statement also offers individuals guidance on reaching out to Huron for inquiries regarding their privacy rights.

Compliance with data protection and confidentiality standards is a core requirement for all Huron employees and contractors, as specified in our Global Information Security Policy and the Huron Code of Business Conduct and Ethics (the Code). These guidelines mandate the secure handling of confidential information, compliance with data collection and processing policies, and the implementation of appropriate protective measures for confidential data.

Huron holds certification for ISO 27001, an internationally recognized standard for information security management systems. To uphold this certification, we undergo periodic audits conducted by an independent, accredited third-party certification body. Our cybersecurity program aligns with industry standards and remains dynamic to detect and counteract both existing and emerging threats to our data and our clients’ data. A dedicated team of IT security experts, led by the director of infrastructure and security, is responsible for implementing cybersecurity controls and practices, encompassing authentication, authorization, audit, and encryption controls.

Furthermore, we employ a robust threat and vulnerability management program, accompanied by penetration testing, to proactively identify and prioritize vulnerabilities for remediation.

The Information Security Management System (ISMS) Steering Committee, which comprises representatives from Huron’s executive leadership team, among others, serves as the governing body overseeing the company’s information security policies and practices. Daily ISMS activities are managed by a dedicated governance risk and compliance team. Reporting to the chief financial officer, the chief information officer (CIO) oversees the cybersecurity program and regularly updates the Technology and Information Security Committee on technology-related strategies, investments, operational impacts, and associated risks, including those related to information security, data protection, cybersecurity, and business continuity.

Huron’s commitment to data security extends to our entire workforce, with mandatory cybersecurity and privacy training during onboarding and annually. In addition, employees handling sensitive information, such as patient healthcare records, receive specialized training annually to ensure the highest standards of data protection.

Fostering ethical business conduct and compliance

We uphold ethics and integrity in everything we do. Our Code of Business Conduct and Ethics (the Code) serves as a crucial framework for guiding our workforce, helping our people understand expectations and standards governing individual and business conduct and supporting sound decision making.

Our commitment to ethical business practices is foundational to our standing as a premier consulting firm. Holding our employees to the highest ethical standards, we not only require compliance with applicable laws, rules, and regulations but also set forth additional standards that exceed legal requirements. This commitment extends to ethical leadership and cultivating a work environment characterized by integrity, transparency, responsibility, and trust.

The Code encompasses a range of requirements, including disclosing personal conflicts of interest, safeguarding confidential information entrusted to employees, and prohibiting the use of company resources for personal gain. It also includes other detailed policies that address specific issues, such as our Insider Trading Policy, Discrimination and Harassment Policy, and Global Information Security Policy.

We expect our vendors, contractors, and third-party representatives to uphold similar standards when interacting with our clients and representing our organization publicly. In line with our commitment to responsible business practices, we continuously monitor our supply chain to mitigate the risk of slavery, human trafficking, and unlawful child labor.

These expectations are explicitly detailed in our Supplier Code of Conduct. We also require all employees and business finders working on our behalf to adhere to the company’s Anti-Bribery and Corruption Policy, which prohibits activity that may attempt to secure an improper advantage in obtaining or retaining business. Charitable contributions made on behalf of the company must be reviewed and approved by the Charitable Contributions Committee to avoid any potential conflict of interest and ensure that the contribution will not be perceived as an attempt to improperly influence the recipient. In addition, Huron prohibits the use of company funds, assets, services, or facilities on behalf of a political party or candidate or for political lobbying, and the company does not reimburse employees or directors for any personal contributions the employee makes to a political party or candidate.

To reinforce our expectations, we engage in regular compliance communications and training programs, including mandatory courses on topics such as sexual harassment prevention, data security, and privacy. Additionally, comprehensive review exercises covering primary compliance policies and procedures are conducted throughout each year. Specialized training is provided to employees involved in high-risk areas, such as safeguarding protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) or managing client data and technology subject to U.S. export control laws.

We encourage our employees to seek guidance on our policies and provide them and other stakeholders with a 24-hour help line, hosted by a third party, where they can ask questions or report ethical concerns or policy violations anonymously, without fear of retaliation.

Reports received via the help line undergo investigation, and appropriate disciplinary actions are taken when necessary. Moreover, our Code emphasizes the responsibility of all individuals representing our organization to maintain a respectful workplace environment. Managers are particularly entrusted with fostering honesty, integrity, respect, and trust in the workplace. Furthermore, employees have a duty to strictly adhere to our workplace procedures, comply with health and safety regulations, and report any unsafe workplace conditions.

The administration of our Code falls under the purview of our chief compliance and privacy officer (CCO), who reports directly to our general counsel and indirectly to the Audit Committee of the board. The CCO provides quarterly reports to the Audit Committee, detailing investigations pertaining to policy violations or ethical concerns, along with any ensuing disciplinary actions. This commitment to ethical conduct is integral to our core values and underpins our approach to responsible business practices.