ZEBRA TECHNOLOGIES CORP 10-K Cybersecurity GRC - 2025-02-13

Page last updated on February 14, 2025

ZEBRA TECHNOLOGIES CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-13 16:52:36 EST.

Filings

10-K filed on 2025-02-13

ZEBRA TECHNOLOGIES CORP filed a 10-K at 2025-02-13 16:52:36 EST
Accession Number: 0000877212-25-000027

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Zebra takes a comprehensive approach to managing cybersecurity risk, starting with the integration of cybersecurity risk into our overall enterprise risk management framework, among other significant risks to the Company. Board Oversight Our Board of Directors is responsible for oversight of risks to the Company and is assisted by the Audit Committee in the oversight of cybersecurity risks. Management provides regular updates to the Board regarding the Company’s key cybersecurity activities. In connection with its oversight, the Audit Committee monitors the quality and effectiveness of the Company’s cybersecurity program, including security of its internal information technology systems and its products, services, and software solutions as well as our cybersecurity incident response plan and resources. Management provides quarterly updates to the Audit Committee about cybersecurity threat protection, detection, mitigation and remediation, including the overall status of the Company’s cybersecurity program, results of third-party assessments, and recent cybersecurity threats. In addition, the Audit Committee reviews the Company’s cybersecurity investment methodology to determine whether cybersecurity maturity improvements and risk reductions are being made. Management’s Role Management is responsible for day-to-day cybersecurity risk management activities, including proactively identifying, assessing, prioritizing, managing and mitigating enterprise cybersecurity risks. Our Chief Financial Officer (“CFO”) is the accountable leader in executive management for Zebra’s IT and cybersecurity programs. The Chief Security Officer (“CSO”) is the senior-most security professional responsible for the implementation of the Company’s cybersecurity, product security, and corporate/physical security programs, and reports to the CFO. The CSO also makes recommendations to the Company’s executive management regarding the Company’s cybersecurity risk mitigation priorities. The Company’s current CSO has served in that role for Zebra since 2018. He is a recognized leader in the field of cybersecurity with over 15 years of global executive cybersecurity experience. The Chief Information Officer (“CIO”) is a peer to the CSO, also reports to the CFO. The CIO and his team are responsible for executing cybersecurity risk mitigation plans. Zebra’s current CIO was appointed to the role in 2022 and has nearly 20 years of experience in managing IT functions. The Chief Information Security Officer (“CISO”) reports to the CSO and oversees the Company’s Security Operations Center (“SOC”). The CISO establishes and oversees the execution of prioritized cybersecurity mitigation plans for the Company. Zebra’s current CISO was appointed to the role in 2018 and has held multiple leadership roles overseeing IT functions since joining the Company in 2004, including driving efforts within the cybersecurity function. Cybersecurity Risk Management The underlying controls of our cybersecurity risk management program are based on recognized industry practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology Cybersecurity Framework. Our approach to cybersecurity risk management includes the following key elements: - Defense and On-going Monitoring - Our SOC is responsible for the on-going monitoring and analysis of cybersecurity threats to the Company. The SOC evaluates cybersecurity incidents according to the Company’s cyber incident response plan, appropriate cybersecurity incident playbook, and crisis communications cybersecurity incident plan. The Company also utilizes endpoint detection and response services as well as data forensic investigation services for additional capability and timely assistance with potential cybersecurity incidents. - Technical Safeguards - The Company utilizes various tactics for cybersecurity threat protection. We periodically perform vulnerability assessments, remediate vulnerabilities, review logs and access, perform system maintenance, manage network perimeter protection, and implement and manage disaster recovery testing. Further, Zebra relies on its information security management system supported by a comprehensive set of policies that directly align with ISO 27001 and are supported by System and Organization Controls 2 (SOC2) reports and external ISO 27001:2013 certification for certain parts of our business. - Education and Awareness - To foster employee awareness of cybersecurity threats, we provide periodic educational sessions to our employees, including annual training on general cybersecurity concepts and targeted educational opportunities that include real-life simulation and “tabletop exercises.” We also regularly conduct privacy and security summits that involve training and information sessions conducted by employees and by third parties. - Third-Party Risk Management (“TPRM”) - Our TPRM function focuses on mitigating cybersecurity risk from specific third-party vendor categories. This function performs initial TPRM assessments as part of the vendor selection process and regularly reassesses vendors based on vendor type and risk factors. While we have experienced and expect to continue to experience cybersecurity threats and incidents, there have been no material incidents incurred to-date at the Company. However, there can be no guarantee that our policies and procedures will be followed in every instance or that those policies and procedures will always be effective. Cybersecurity threats could materially affect our business strategy, results of operations, or financial condition, as further discussed in the risk factors in Part I, Item 1A of this report.

Company Information