ZUORA INC - (ZUO)

10-K Filing Date: March 26, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
Our approach to risk management is designed to identify, assess, prioritize, and manage material risk exposures that could impact our ability to execute our corporate strategy and fulfill our business objectives. Cybersecurity is a critical component of our enterprise risk management approach, and cybersecurity risks are among the core enterprise risks that are subject to oversight by our Board of Directors and the Audit Committee of the Board of Directors (Audit Committee). To identify, assess, prioritize, and manage potential cybersecurity threats, we have integrated the following cybersecurity safety measures and processes into our overall risk management system:
Product Security: We integrate cybersecurity into our systems, applications, and processes so that security is a key aspect of the design process. Our major products undergo a formal review process that includes threat modeling, code and dependency scanning, and manual code review to identify and remediate vulnerabilities prior to their final release. In addition, we have introduced robust access management controls to enhance the security of our offerings.
Threat Intelligence and Incident Prevention, Detection, and Response: In the fiscal year ended January 31, 2024, Zuora procured FS-ISAC membership for threat intelligence and proactive cybersecurity incident prevention. We maintain a cybersecurity detection and response program aligned with the National Institute of Standards and Technology’s Cybersecurity Framework to enable rapid cybersecurity threat detection and response. Additionally, in the fiscal year ended January 31, 2024, Zuora established a Governance, Risk, and Compliance Committee (GRC Committee), which includes our Chief Financial Officer (CFO), Chief Legal Officer (CLO), Chief Information Officer (CIO), Chief Information Security Officer (CISO), an Internal Audit representative, and others as needed. We also deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including role-based user and network access controls, vulnerability scanning, security configuration monitoring, intrusion prevention and detection systems, and anti-malware prevention, which we evaluate and seek to improve through vulnerability assessments and cybersecurity threat intelligence.
Incident Management Procedures: To date, we have not experienced any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our Company. We have a well-defined incident response plan that includes procedures and guidelines in the event of a potential Company crisis, including a potential cybersecurity incident that has the potential to materially and adversely impact our customers or business operations. Our guidelines define what is meant by a cybersecurity crisis, identify a core Crisis Management Team that includes our CFO, CLO, CIO, CISO, and engineering and human resource management, establish a basic escalation framework, and create a practical communications protocol. The escalation framework requires that our CEO and Audit Committee (and ultimately, the full Board of Directors) receive prompt notification if there is a reasonable risk of a material cybersecurity incident. Following notification, the Crisis Management Team (along with outside experts as needed) must provide the CEO and the Board of Directors with ongoing updates regarding the cybersecurity incident until it has been remediated.
Training: We have a cybersecurity training program in place for employees. Additionally, our engineers regularly undergo secure code training.
Third-Party Risk Management: Our security experts and our legal team work together to assess third-party vendors to confirm that each vendor contract requires adequate technical and organizational measures to protect the systems and data that such vendor operates or processes on behalf of Zuora. Additionally, we maintain a Supplier Code of Conduct that sets forth our vendor expectations and a Vendor Data Access Policy that establishes the limits on what information our vendors may see, access, modify, and control.
Assessments and Testing: We engage in the periodic assessment and testing of our cybersecurity policies, processes, and practices. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, penetration testing, and other exercises focused on evaluating the effectiveness of our cybersecurity measures. We also engage third parties (including auditors and cybersecurity consulting firms) to perform assessments of our cybersecurity measures, including information security maturity assessments, audits, and independent reviews of our information security control environment and operating effectiveness. We adjust our cybersecurity policies, processes, and practices based on the information provided by these assessments and testing activities.
Cybersecurity and Privacy Certifications: Zuora has maintained various security certifications, including ISO 27001, ISO 27002, ISO 27018, ISO 27701, PCI, and SOC 2 Type II.
Cybersecurity Governance
As part of its broader risk oversight activities, the Board of Directors regularly oversees business, strategic, operational, and financial risks facing Zuora, including cybersecurity risks and mitigation plans, primarily through delegation to the Audit Committee. As reflected in the Audit Committee Charter, the Audit Committee periodically reviews with management our cybersecurity and other information technology risks, controls, and procedures, including Zuora’s plans to mitigate cybersecurity risks and respond to potential data breaches. To ensure the Audit Committee may carry out these responsibilities, our management team provides regular information technology and cybersecurity updates, including metrics regarding cyber threat response preparedness, program maturity milestones, risk mitigation status, and the current and emerging threat landscape. In addition, the Audit Committee periodically reviews and provides input regarding the level of information security risk insurance coverage we maintain. The full Board of Directors receives regular updates on the activities of the Audit Committee, including with regard to cybersecurity oversight. One of our directors who serves on the Audit Committee recently underwent formal cybersecurity training and earned a National Association of Corporate Directors CERT Certificate in Cybersecurity Oversight.
In the fiscal year ended January 31, 2024, Zuora also hired a new CISO principally responsible for overseeing our cybersecurity risk management program, in partnership with other members of management. Our CISO has served in various roles in cybersecurity and information technology for over 25 years and has experience building security programs and leading global teams at large enterprises and fast-growing technology companies.
Moreover, our GRC Committee meets bimonthly to evaluate, among other things, cybersecurity incident response readiness and results of our quarterly cybersecurity tests and annual risk assessment. The GRC Committee also reviews corporate progress regarding artificial intelligence governance, audits, and various other security and privacy exercises and addresses any identified gaps in Zuora policies to prevent, detect, mitigate, and/or remediate any potential cybersecurity incidents.
Finally, as disclosed above, our incident management procedures are designed to notify and actively involve our Audit Committee and Board of Directors whenever there is a reasonable risk of a material cybersecurity incident.