LEGALZOOM.COM, INC. - (LZ)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
We identify, assess and manage material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks, intellectual property theft, fraud, extortion, harm to personnel and customers, violation of privacy and security laws and other litigation and legal risk, and reputational risks. We have implemented and continue to maintain various cybersecurity processes, technologies, and controls designed to aid in our efforts to assess, identify, and manage such material risks.
To identify, assess and manage material risks from cybersecurity threats, our enterprise risk management program considers cybersecurity threat risks alongside other company risks as part of our overall risk assessment process. Our enterprise risk management committee, a multidisciplinary committee that includes our Chief Financial Officer, Chief Operating Officer and Chief Technology Officer and is chaired by our General Counsel, collaborates with internal subject matter specialists in an effort to gather information for identifying, assessing and managing material cybersecurity risks, such as information related to their severity, likelihood of occurrence and potential mitigation strategies. At least quarterly, our Chief Information Officer and Senior Director, Information Security, meet with our enterprise risk management committee, together with the rest of our senior leadership team, to present and discuss a cybersecurity risk assessment. Key cybersecurity risks are then incorporated into our enterprise risk management framework. To help inform our cybersecurity risk identification, assessment and management, we also employ a range of tools and services, including network and endpoint monitoring, vulnerability assessments, and periodic penetration testing and tabletop exercises.
In an effort designed to provide for the availability of critical data and systems, manage our material risks from cybersecurity threats, and protect against, detect, and respond to cybersecurity incidents, as such term is defined in Item 106(a) of Regulation S-K, we also undertake the below listed activities:
• closely monitor emerging data protection laws and implement any necessary changes to our processes;
• conduct annual security training for all our employees;
• conduct annual cybersecurity management and incident training designed for certain employees such as those who handle sensitive data;
• conduct phishing email simulations for personnel with access to corporate email systems in an effort to enhance awareness and responsiveness to such possible threats;
• through policy, practice and contract (as applicable) require employees, as well as third-parties who provide services on our behalf, to treat customer information and data with care;
• hold regular meetings of an internal multidisciplinary working group to discuss our cybersecurity incident preparedness;
• run tabletop exercises to simulate a cybersecurity incident and use findings from such exercises in an effort to improve our processes and technologies;
• maintain and regularly review and test a framework designed to help us identify, protect, detect, respond, and recover when there is an actual or potential cybersecurity incident;
• carry information security risk insurance designed to mitigate potential losses arising from cybersecurity incidents.
Our incident response plan coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes designed to triage, assess severity for, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.
As part of the above processes, from time to time we work with third parties that are intended to help us to identify, assess, and manage cybersecurity risks, including professional services firms, threat intelligence service providers, managed cybersecurity service providers and penetration testing firms.
To operate our business, we utilize certain service providers to perform a variety of functions, such as professional services, data center facilities and other functions. Our processes are designed to address cybersecurity threat risks associated with our use of service providers, including those in our supply chain or who have access to our customer and employee data or our information systems. Certain risks associated with our use of service providers are included within our enterprise risk management assessment program, as well as our processes designed to identify, assess and manage cybersecurity-specific risks, both of which are discussed above. In addition, cybersecurity considerations may affect the selection and oversight of our service providers. We perform diligence on certain service providers that have access to our systems, data or facilities that house such systems or data. This diligence may include a review of the service providers’ internal and/or external security audits and certifications. Additionally, we may impose specific cybersecurity obligations on certain service providers.
We face a number of cybersecurity risks in connection with our business. We have, from time to time, experienced threats to and breaches of our data and systems. For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see Item 1A, “Risk Factors” of this Annual Report on Form 10-K.
Cybersecurity Governance
Cybersecurity is an area of focus for our board of directors and management.
The audit committee of our board of directors is responsible for overseeing the adequacy and effectiveness of the Company’s information security policies and practices, as well as risks related to information security and cybersecurity. At least semiannually, and more frequently depending upon applicable facts and circumstances, our audit committee receives an overview of our cybersecurity threat risk management and strategy processes, which covers topics such as our incident response plan, results from third-party assessments, our cybersecurity risk roadmap and any threat risks, cybersecurity incidents or developments, and our progress towards risk-mitigation-related goals. The audit committee receives information related to the foregoing matters from our Chief Information Officer and Senior Director, Information Security, as well as from representatives of our enterprise risk management committee. Our audit committee also receives an annual information security report, which contains information regarding, among other things, the data security processes and procedures that have been implemented across company business units.
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Information Officer and Senior Director, Information Security. Such individuals have collectively over 20 years of prior work experience in various roles involving managing and safeguarding information security, formulating and executing strategies for cybersecurity, and instituting programs for information and cyber protection, as well as several relevant degrees and certifications, including Certified Information Systems Security Professional, or CISSP, Offensive Security Certified Professional, or OSCP, an M.S. in Cybersecurity and Information Assurance, and an M.B.A. in Information Systems. These individuals are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.