Zoom Video Communications, Inc. - (ZM)

10-K Filing Date: March 01, 2024
Item 1C. CYBERSECURITY
Risk Management and Strategy
We have designed and implemented an information security program that is tailored to our operations and infrastructure, the nature of our products and services, and the sensitivity of data. Our information security program consists of processes that are designed to identify, assess, and manage material risks from cybersecurity threats.
We have implemented cybersecurity risk management processes that include, for example, vulnerability assessments, application security assessments, penetration testing, third party security assessments, security audits, and ongoing risk assessments. In addition, we have implemented technical, physical, and organizational safeguards designed to mitigate material risks from cybersecurity threats, including, for example, depending on the environment or system: information security policies and standards, data protection policies and standards, security training and awareness campaigns, information protection processes, and systems monitoring for cybersecurity threats. We have also implemented an Incident Response Plan and procedures that provide a framework for responding to cybersecurity incidents. The Incident Response Plan and procedures provide protocols for incident evaluation, including the use of third-party service providers, processes for notification, and internal escalation of information to our senior management and the appropriate Board committee(s). The Incident Response Plan is reviewed and updated, as necessary, under the leadership of Zoom’s Chief Information Security Officer (“CISO”).
Further, our assessment and management of material risks from cybersecurity threats are an important element of our overall enterprise risk management program and included in our annual enterprise risk assessment which we provide to senior management and the Board.
We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example: professional services firms (including legal counsel), threat intelligence service providers, cybersecurity consultants, cybersecurity software and managed service providers, penetration testing firms, and forensic investigators.
We have a third-party risk management program designed to oversee, identify, and mitigate material risks from cybersecurity threats associated with our use of third-party service providers. We perform risk-based due diligence and ongoing monitoring of third parties, which may include, for example: reviewing the third party's relevant security audits and assessments; conducting our own security assessments; and imposing contractual obligations related to information security.
For a description of the risks from cybersecurity threats that may materially affect us, see “Part I, Item 1A. Risk Factors” of this Annual Report on Form 10-K.
Governance
Our Board addresses our cybersecurity risk management as part of its general oversight function. As outlined in its committee charter, the Cybersecurity Risk Management Committee of the Board ("Cybersecurity Risk Committee") assists the Board in fulfilling its oversight responsibility. Our CISO, Michael Adams, leads the team responsible for implementing and maintaining our information security program and reports directly to the Chief Operating Officer ("COO"), who reports directly to our Chief Executive Officer ("CEO"). Mr. Adams is a graduate of the United States Naval Academy and brings nearly 30 years of security and leadership experience, including serving as Deputy General Counsel of NATO's International Security Assistance Force Joint Command, Deputy General Counsel of the United States Military's Pacific Command, and Deputy General Counsel for two Chairmen of the Joint Chiefs of Staff of the United States, as well as an executive at a leading technology company. Mr. Adams also previously served as Zoom's Chief Counsel to the COO and CISO.
The CISO provides regular briefings to our senior management and the Cybersecurity Risk Committee concerning relevant cybersecurity risks and the processes we have implemented to address them. The Cybersecurity Risk Committee and the Board also receive various reports, summaries, and presentations related to cybersecurity threats, risks, and mitigations.