Zentalis Pharmaceuticals, Inc. - (ZNTL)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity

Our cybersecurity program is managed by our Senior Vice President, Digital and Information Technology, or SVP of Digital and IT, whose team is responsible for leading our enterprise-wide cybersecurity policy, strategy, standards, and architecture.

Our cybersecurity program is aligned with industry standards and reasonable security safeguards for comparable companies in our industry. We also actively engage with industry participants as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures. We may engage consultants from time to time to assist us with assessing and improving our cybersecurity program.

The Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information technology risks. The Audit Committee oversees management’s implementation of our cybersecurity program and receives periodic reports regarding the program. These reports include updates on our information security program and the status of projects to strengthen our information security systems. The Board also receives reports regarding cybersecurity risks.

Our management team, including our SVP of Digital and IT and our Chief Legal Officer, is responsible for assessing and managing our risks from cybersecurity threats. Certain members of our management team, including our SVP of Digital and IT and our Chief Legal Officer, are part of our Cyber Incident Response Team and are responsible for executing the processes set forth therein, including with respect to our third party service providers. Cybersecurity events are escalated to our Board as appropriate. Our management team’s experience includes developing and overseeing the information technology security program as head of the information technology department and certification from the National Association of Corporate Directors for the Cyber-Risk Oversight Program.

We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.

65