Zscaler, Inc. 10-K Cybersecurity GRC - 2024-09-12

Page last updated on September 12, 2024

Zscaler, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-12 16:02:21 EDT.

Filings

10-K filed on 2024-09-12

Zscaler, Inc. filed a 10-K at 2024-09-12 16:02:21 EDT
Accession Number: 0001713683-24-000109


Item 1C. Cybersecurity.

As a leading cybersecurity provider, we understand the importance of robust cybersecurity practices, and safeguarding and certifying our solutions to internationally recognized commercial and government standards. Trust is the foundation of everything we do, and we earn that trust through a comprehensive approach to identifying, managing and mitigating cybersecurity risk to our business and operations.

Risk Management and Strategy

Our platform was built leveraging guidance from leading industry frameworks to effectively manage and mitigate cybersecurity risks. Our rigorous risk management processes, which include data privacy, product security and information security, are overseen by the audit committee of our board of directors and our internal security committee, and are designed to ensure confidentiality, integrity and availability of our platform. These processes have been integrated into our overall enterprise risk management framework, which is overseen by our board of directors.

Our internal security committee identifies and prioritizes protective measures across our enterprise and products, continuously driving improvements to our security approach as threats evolve. The committee members are key functional leaders from across the Company who share critical information and use data-driven strategies to manage cyber risks. The committee is led by our chief security officer and includes representatives from our security team, information technology, information security, incident response, engineering, enterprise risk, product management, cloud operations, legal and compliance teams. Our internal security committee has the primary responsibility for assessing, monitoring and managing our cybersecurity risks, including the prevention, detection, mitigation and remediation of cybersecurity incidents. The personnel comprising our internal security committee are certified and experienced cybersecurity professionals and information security managers with many years of experience across a variety of technology sub-specialties.

As a provider of cybersecurity products and services, it is critical for us to identify and implement protective measures across our enterprise and products, continuously driving improvements to our security approach. Our in-house global threat research team, Zscaler ThreatLabZ, a team of more than 150 security experts, collectively works to identify and prevent emerging threats, using malware reverse engineering, behavior analytics, data science and AI. We use the threat intelligence generated by ThreatLabz and other sources to implement security checks and reviews throughout our product development lifecycle. Our internal security teams and external cybersecurity auditors continuously evaluate our products, including by performing regular penetration tests and risk assessments to identify potential vulnerabilities. We regularly review our cybersecurity policies, standards and procedures to account for changes in the threat landscape, as well as in response to legal and regulatory developments. Our cybersecurity efforts also include mandatory training for all employees and contractors on our security and privacy policies.

Our cybersecurity risk management approach provides a framework for identifying, monitoring, evaluating and responding to risks from cybersecurity threats and incidents. This framework includes steps for identifying the sources of potential cybersecurity threats or incidents, including potential threats and incidents associated with a third-party vendor or service provider, assessing the severity and risk of potential threats and incidents and implementing cybersecurity countermeasures and mitigation strategies. We recognize that our relationships with third parties may pose significant risks, and therefore we have implemented practices for building vendor diligence, onboarding and monitoring capabilities to assess those risks. These efforts can include internal briefings from our security and technical personnel, as well as external reports and threat intelligence from governmental, public and private sources, including external consultants and reports produced by security tools deployed in our technical environment.

Our incident response plan includes processes and procedures for assessing potential internal and external threats, activation and notification, crisis management and post-incident analysis designed to safeguard the confidentiality, availability and integrity of our platform and assets. A cross-functional incident response team, comprised of representatives from our internal security committee including information technology, information security, engineering, cloud operations, compliance, privacy, legal and members of our executive leadership team, is responsible for the monitoring and disposition of potential incidents, such as data breaches, intrusions and other security events, and implementing our detailed incident response plan. Our approach includes procedures to appropriately inform management, the audit committee of the board of directors and the full board of directors, as applicable, about cybersecurity threats and incidents.

In fiscal 2024, we did not identify any cybersecurity incidents that materially affected, or are reasonably likely to materially affect, our business, results of operations or financial condition. For more information about these risks, please see “Risk Factors - Risks Related to Our Business” in this Annual Report on Form 10-K.

Governance

Our board of directors has oversight responsibility for our overall enterprise risk management. The audit committee of the board of directors oversees cybersecurity risk, with input from our internal security committee, based on its oversight of our risk management processes. In accordance with our incident response plan, the internal security committee meets at least monthly, provides cybersecurity updates to the audit committee quarterly and apprises the full board of directors as needed.


Company Information

Name: Zscaler, Inc.
CIK: 0001713683
SIC Description: Services-Computer Programming Services
Ticker: ZS - Nasdaq
Website
Category: Large accelerated filer
Fiscal Year End: July 30