ZEBRA TECHNOLOGIES CORP - (ZBRA)
10-K Filing Date: February 15, 2024
Item 1C. Cybersecurity
Zebra takes a comprehensive approach to managing cybersecurity risk, starting with the integration of cybersecurity risk into our overall enterprise risk management framework, among other significant risks to the Company.
Board Oversight
Our Board of Directors is responsible for oversight of risks to the Company, and is assisted by the Audit Committee in the oversight of cybersecurity risks. Management updates the Board on at least an annual basis on key cybersecurity activities. In connection with this oversight, the Audit Committee monitors the quality and effectiveness of the Company’s cybersecurity program covering security of its internal information technology systems and its products and solutions as well as our cyber incident response plan and resources. The Audit Committee regularly receives updates from management about prevention, detection, mitigation and remediation of cyber threats, including the overall status of the Company’s cyber security program, results of third-party assessments, and recent cyber threats. In addition, the Audit Committee reviews the Company’s cyber security investment methodology to determine whether cyber maturity improvements and risk reductions are being made.
Management’s Role
Management is responsible for day-to-day cyber risk management activities, including proactively identifying, assessing, prioritizing, managing and mitigating enterprise cybersecurity risks. Our Chief Financial Officer (“CFO”) is the accountable leader in executive management for Zebra’s IT and cybersecurity programs.
The Chief Security Officer (“CSO”) is the senior-most security professional responsible for the implementation of the Company’s cybersecurity, product security, and corporate/physical security programs, and reports to the CFO. The CSO also makes recommendations to the Company’s executive management regarding the Company’s cyber risk mitigation priorities. The Company’s current CSO has served in that role for Zebra since 2018. He is a recognized leader in the field of cyber security with over 14 years of global executive cybersecurity experience.
The Chief Information Officer (“CIO”) is a peer to the CSO, also reporting to the CFO. The CIO and his team are responsible for executing cybersecurity risk mitigation plans. Zebra’s current CIO was appointed to the role in March 2022 and has nearly 20 years of experience in managing IT functions.
The Chief Information Security Officer (“CISO”) reports to the CSO and oversees the Company’s Security Operations Center (“SOC”). The CISO establishes and oversees the execution of prioritized cybersecurity mitigation plans for the Company. Zebra’s current CISO was appointed to the role in June 2018 and has held multiple leadership roles overseeing IT functions during his 14 years with the Company, including driving efforts within the cybersecurity function.
Cybersecurity Risk Management
The underlying controls of our cyber risk management program are based on recognized best practices and standards for cyber security and information technology, including the National Institute of Standards and Technology Cybersecurity Framework. Our approach to cybersecurity risk management includes the following key elements:
• Defense and On-going Monitoring – Our SOC is responsible for the on-going monitoring and analysis of cyber threats to the Company. The SOC evaluates cyber security incidents according to the Company’s cyber incident response plan, appropriate cyber incident playbook, and crisis communications cyber incident plan. The Company also utilizes endpoint detection and response services as well as data forensic investigation services for additional detection capability and timely assistance with potential cyber security incidents.
• Technical Safeguards – The Company utilizes various tactics for cyber threat prevention. We periodically perform vulnerability assessments, remediate vulnerabilities, review log and access, perform system maintenance, manage network perimeter protection, and implement and manage disaster recovery testing. Further, Zebra relies on its information security management system supported by a comprehensive set of policies that directly align with ISO 27001 and are supported by System and Organization Controls 2 (SOC2) reports and external ISO 27001:2013 certification for certain parts of our business.
• Education and Awareness – To foster employee awareness of cyber threats, we provide periodic educational sessions to our employees, including annual training on general cybersecurity concepts and educational opportunities that include real-life simulation and “tabletop exercises.” We also regularly conduct privacy and security summits that involve training and information sessions conducted by employees and by third parties.
• Third-Party Risk Management (“TPRM”) – Our TPRM function focuses on mitigating cyber risk from specific third-party vendor categories. This function performs initial TPRM assessments as part of the vendor selection process and regularly reassesses vendors based on vendor type and risk factors.
While we have experienced and expect to continue to experience cybersecurity threats and incidents, there have been no material incidents incurred to-date at the Company. However, there can be no guarantee that our policies and procedures will be followed in every instance or that those policies and procedures will be effective. Cybersecurity threats could materially affect our business strategy, results of operations, or financial condition, as further discussed in the risk factors in Part I, Item 1A of this report.