Page last updated on February 11, 2025
ZILLOW GROUP, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-11 16:21:09 EST.
Filings
10-K filed on 2025-02-11
ZILLOW GROUP, INC. filed a 10-K at 2025-02-11 16:21:09 EST
Accession Number: 0001617640-25-000016
Item 1C. Cybersecurity.

Cyber-attacks, malicious internet-based activity, online and offline fraud, administrative or technical failures and other cybersecurity threats present risks to the confidentiality, integrity and availability of our information systems, including those of the third parties upon which we rely, and our data residing in those systems. We take seriously our responsibility to protect sensitive consumer, customer and employee information and continually align our cybersecurity program with our overall business strategy. As of the date of this Annual Report on Form 10-K, we have not identified material risks from known cybersecurity threats that have materially affected Zillow Group. Given the data-driven nature of our business and the prevalent use of technology in operating our business, we face cybersecurity risks inherent to our normal course of operation that, if realized, are reasonably likely to materially affect our business strategy, results of operations and financial condition. For further details on the exposures related to these risks, see the section titled “Risk Factors” within this Annual Report on Form 10-K.

Risk Management, Strategy and Management Oversight

We have an enterprise risk management function responsible for the oversight and assessment of ongoing and emerging risks to our business operations and the integrity of our data, including the impact of cybersecurity risks. Our enterprise risk management team maintains a steering committee that oversees and opines on our processes to identify, prioritize and assess key risks, including risks related to cybersecurity. The steering committee is composed of senior leaders with visibility into our key risks. Such members have expertise in the areas of risk management, business strategy, information technology, cybersecurity, legal and compliance, finance, and business products, among others.
In partnership with other stakeholders, this steering committee monitors risk exposures, promotes risk-management strategies, and implements acceptance and notification criteria. The activities of the steering committee are overseen by the Audit Committee of our Board (the “Audit Committee”).

We also maintain an information security function that oversees the protection of our information assets through a program informed by standards promoted by the National Institute of Standards and Technology cybersecurity framework and the Cyber Risk Institute’s Cyber Profile. These frameworks guide our information security function in designing programs to assess cybersecurity risks and respond to cybersecurity incidents. The information security team is led by a designated Chief Information Security Officer (“CISO”) who is responsible for leading enterprise-wide cybersecurity strategy, including assessing and managing risks from cybersecurity threats, and implementing technical security controls by maintaining policies, standards and processes. With more than 20 years of experience in the field of technology and cybersecurity, our CISO has had extensive involvement with the information security function and the maintenance of a robust cybersecurity program. Our CISO has held data privacy and information security roles with increasing responsibility in heavily regulated industries such as financial services, technology and gaming and is a certified information systems security professional.

The information security team maintains incident response policies and procedures designed to help protect the integrity, availability and confidentiality of information and help prevent loss of service. Additionally, we conduct an annual cybersecurity awareness training to educate our employees and empower them to help prevent and respond to cybersecurity events and incidents.
Cybersecurity events and incidents may be reported or detected through a variety of means, including emails to centralized information security addresses, our online information technology ticketing system, automatic alerts and incident detection systems, direct discovery by our information security team, or reports from employees or other third parties. Additionally, our incident response policies and procedures specify the process for initial investigation and containment procedures, remediation tactics, retention of documentation and internal and external communications. Our incident response policies and procedures also specify processes for analyzing the severity of an identified incident.

In response to cybersecurity incidents, we may involve external advisors to assist with remediation efforts and communications and we may seek to mitigate associated liabilities through our insurance coverage. Such third parties may include external legal counsel, forensic investigators and public relation firms, among others. These vendors serve to support our existing processes and procedures and operate as an extension of our enterprise risk management and information security functions.

Our internal audit team conducts security controls testing over systems in scope for various regulatory and compliance requirements. In addition, management performs periodic third-party risk assessments, vulnerability testing, system and cloud security assessments against our information technology environment. Management also engages third-party external auditors to perform independent testing against all systems in scope for our regulatory and customer-driven compliance obligations.

We engage a variety of third-party service providers to process and store data, including certain customer information, some of which may include personally identifiable information.
We also depend on third-party service providers to host many of the systems and infrastructure used to provide our products and services. A limited number of third-party services support essential functions of our business, including the use of cloud-based technology. We rely on these third parties to implement their own cybersecurity programs and cannot ensure their effectiveness. To manage cybersecurity risks arising from our use of third parties, we have a third-party service provider management program which includes the use of security questionnaires, review of statements of work and related information security addenda, procuring results of audits and compliance reviews and obtaining overviews of network infrastructure, among others. Depending on the nature of the services provided, the sensitivity of the data at issue and the identity of the third-party, our third-party service provider management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider.

Governance

The Audit Committee oversees major enterprise risks and the steps management has taken to monitor and control such exposure, including risks to our information technology infrastructure and security. Members of our legal, compliance, enterprise risk management and information security management teams provide information and updates on any significant issues related to these topics at Audit Committee meetings, which are typically held at least quarterly. The Audit Committee is responsible for ensuring independent examination of management’s programs to identify, assess, respond to and monitor risks, which include those performed by internal audit and third party consultants, among others.
Audit Committee member education is provided throughout the year through presentations and discussions led by members of management, third-party consultants, our independent registered public accounting firm and legal counsel, on topics including information security, among others. Members of our Audit Committee have expertise in the technology industry as well as corporate risk management strategies.
Company Information
Name | ZILLOW GROUP, INC. |
CIK | 0001617640 |
SIC Description | Services-Business Services, NEC |
Ticker | ZG - Nasdaq, Z - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |