ZoomInfo Technologies Inc. - (ZI)

10-K Filing Date: February 15, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
Commitment to Security
Security is a foundation on which ZoomInfo builds and maintains customers’ trust. We are committed to protecting our information and our customers’ information from both intentional and unintentional misuse and have implemented a robust Information Security Management System (“ISMS”) that meets the ISO 27001 Standard requirements as well as the ISO 27701 (Privacy) and ISO 27017 (Cloud Security) standards. We have also earned AICPA’s SOC 2 attestation regarding the security, availability, and confidentiality controls around our services and meet the security requirements of the Cloud Security Alliance (CSA) STAR program.
Risk Management Framework
Our security program is risk-driven and integrated into our overall enterprise risk management (ERM) process. We emphasize risk detection, which serves as the foundation for risk management-related business decisions. Our ISMS provides the structure for our overall security program and serves to assess, manage, monitor, and minimize our cybersecurity risks. The program includes:
Context of the organization
Leadership
Planning
Support
Operation
Performance evaluation
Improvement
The ISMS consists of a set of policies and procedures that serve as a foundation for risk identification and remediation across all company assets. ZoomInfo’s ISMS implementation allows for the appropriate integration of security controls into existing or newly created business processes. ZoomInfo’s risk management platform is based on the ISO 31000 Risk Management Standard, and continuous risk assessment activities are conducted in partnership and coordination with risk owners in various functions.
Cybersecurity Team and Internal Operations
Our Cybersecurity team comprises a diverse group of security veterans with experience managing all facets of information risk including, but not limited to, Application Security, Data Governance, Security Engineering, Security Processes and Services, Secure Software Development (S-SDLC), Governance Risk and Compliance (GRC), Risk Management, Cyber Threat Intelligence, Breach Readiness, Cyber Defense Center for monitoring (CDC), Offensive Security, and Security Awareness.
We also consult with outside experts to identify and implement best practices, help gauge the security climate, and identify effective methods for related skill development and information sharing.
Our information security policies outline the roles and responsibilities within the organization, and our security team works directly with specific members of senior management we call “security ambassadors” to help ensure that the various information security directives are executed as required in their respective departments. Our security partners help to establish, assess, and enhance business processes by ensuring the required information security risk management practices are suitably embedded within their respective processes.
All employees and contractors are required to participate in continuous and dynamic security awareness training. The training includes an overview of key security topics, policies, and responsibilities. Regular security bulletins are disseminated to employees and contractors with security alerts, tips and best practices, external resources, security procedures, and contact information so that they can ask security-related questions or raise concerns.
Prevention, Detection, and Response
ZoomInfo has implemented preventative security and detection measures, including asset protection and access controls in the following key areas:
Critical Assets
Data Protection
Application Protection
Cloud Security
Network Security
End Point Devices
Perimeter Defense
Physical Protection
We also maintain written incident response plans and conduct periodic cross-functional tabletop exercises to help assess our incident response plans, processes, and capabilities in addressing cybersecurity threats.
As part of our security framework and evaluation of our supply chain risks, we review our service providers’ security practices and require appropriate certifications from them. We also perform an analysis of controls to manage our third-party security risks.
Cybersecurity Risks
For information related to whether risks from cybersecurity threats have materially affected or are reasonably likely to materially affect ZoomInfo, see “Risk Factors—Cyber-attacks and security vulnerabilities could result in serious harm to our reputation, business, and financial condition” in Part I, Item 1A of this Annual Report on Form 10-K.
Cybersecurity Governance
Oversight of Risk Management Generally
Our Board has extensive involvement in the oversight of risk management related to us and our business. The Board accomplishes this oversight both directly and through its Audit Committee, Compensation Committee, Nominating and Corporate Governance Committee, and Privacy, Security and Technology Committee, each of which assists the Board in overseeing a part of our overall risk management and regularly reports to the Board. The Audit Committee represents the Board by periodically reviewing our accounting, reporting and financial practices, including the integrity of our financial statements, the oversight of administrative and financial controls, our compliance with legal and regulatory requirements and our policies with respect to risk assessment and risk management. Through its regular meetings with management, including the finance, legal and internal audit functions, the Audit Committee reviews and discusses significant areas of our business and related risks and summarizes for the Board areas of risk and any mitigating factors. The Compensation Committee considers, and discusses with management, management’s assessment of certain risks, including whether any risks arising from our compensation policies and practices for our employees are reasonably likely to have a material adverse effect on us. The Nominating and Corporate Governance Committee oversees and evaluates programs and risks associated with Board organization, membership and structure, succession planning and corporate governance. In addition, our Board receives periodic detailed operating performance reviews from management. The Privacy, Security and Technology Committee represents the Board by periodically reviewing and discussing with Company management the Company’s major risk exposures relating to privacy, cybersecurity, and technology, and the steps the Company takes to detect, monitor, and actively manage such exposures.
Board Oversight of Privacy, Cybersecurity and Technology Risks
Our Board recognizes the importance of maintaining the trust and confidence of our customers and employees. As a part of its independent oversight of the key risks facing our company, the Board, primarily through its Privacy, Security and Technology Committee, devotes significant time and attention to the oversight of privacy, cybersecurity, and technology risks. The Privacy, Security, and Technology Committee oversees management’s approach to staffing, policies, processes, and practices to gauge and address privacy, cybersecurity, and technology risks. The Privacy, Security, and Technology Committee regularly reports to the full Board and discusses the significant privacy, cybersecurity, and technology issues at the Board level.
Management
Our cybersecurity program is managed by our chief security officer (“CSO”). Our CSO is informed about and monitors awareness, prevention, detection, mitigation, and remediation efforts through regular communication and reporting from members of the information security team. Our CSO has served in information security roles for over 20 years, including serving as the Chief Information Security Officer for technology organizations and a government defense agency. He holds a master’s degree in information systems and an undergraduate degree in electrical engineering. In addition, our chief technology officer (“CTO”) has served in various leadership roles in information technology, engineering, and product management for over 25 years at public and private technology companies. He holds a PhD in computer science and undergraduate and master’s degrees in computer engineering.
Our chief compliance officer, CTO, general counsel, and other members of management are part of an executive-level Security Steering Committee chaired by our CSO, along with subcommittees comprised of cross-functional representatives focused on evaluating ZoomInfo’s data governance, cybersecurity incident response framework, security culture, and product and application security, among other areas. Members of the executive-level Security Steering Committee provide updates and analysis regarding cybersecurity, data privacy, and related security topics to the Board’s Privacy, Security, and Technology Committee at each meeting. In addition, our legal, privacy, and compliance teams are focused on applicable cybersecurity laws and regulations and monitor changes to such laws and regulations with a view to implementing what we believe are best practices in the industry.