ZILLOW GROUP, INC. - (Z)

10-K Filing Date: February 14, 2024
Item 1C. Cybersecurity.
Cyber-attacks, malicious internet-based activity, online and offline fraud, administrative or technical failures and other cybersecurity threats present risks to the confidentiality, integrity and availability of our information systems, including those of the third parties upon which we rely, and our data residing in those systems. We take seriously our responsibility to protect sensitive consumer, customer and employee information.

Given the data-driven nature of our business and the prevalent use of technology in operating our business, we face cybersecurity risks that could materially affect our business strategy, results of operations and financial condition. For further details on the exposures related to these risks, see the section titled “Risk Factors” within this Annual Report on Form 10-K.

Risk Management, Strategy and Management Oversight

We have an enterprise risk management function at Zillow Group responsible for the oversight and assessment of ongoing and emerging risks to our business operations and the integrity of our data, including the impact of cybersecurity risks. Our enterprise risk management team maintains a steering committee that oversees and opines on our processes to identify, prioritize and assess key risks, including risks related to cybersecurity. The steering committee is composed of senior, cross-functional business leaders with visibility into our key risks. Such members have expertise in the areas of risk management, business strategy, information technology, cybersecurity, legal and compliance, finance, communications, and business products, among others. In partnership with risk owners, this steering committee monitors risk exposures and verifies that efficient and effective risk-management strategies or acceptance and notification criteria are in place. The steering committee meets at least quarterly and its activities are overseen by the Audit Committee of our Board of Directors (“Board”).

We also maintain an information security function that oversees the protection of our information assets through a program informed by standards promoted by the National Institute of Standards and Technology cybersecurity framework and the Cyber Risk Institute’s Cyber Profile. These frameworks guide our information security function in designing programs to assess cybersecurity risks and prevent cybersecurity incidents. The information security team is led by our Chief Information Security Officer (“CISO”) who is responsible for leading enterprise-wide cybersecurity strategy, including assessing and managing risks from cybersecurity threats, and implementing technical security controls by maintaining policies, standards and processes. With more than 20 years of experience in the field of cybersecurity, our CISO has had extensive involvement with the information security function and the maintenance of a robust cybersecurity program. Our CISO has held data privacy and information security roles with increasing responsibility in the financial services, technology and casino industries and is a certified information systems security professional.

The information security team maintains incident response policies and procedures designed to help protect the integrity, availability and confidentiality of information and help prevent loss of service. Cybersecurity events and incidents may be reported or detected through a variety of means, including emails to centralized information security addresses, our online information technology ticketing system, automatic alerts and incident detection systems, direct discovery by our information security team, or reports from a third party. Additionally, our incident response policies and procedures specify the process for initial investigation and containment procedures, remediation tactics, retention of documentation and internal and external communications. Our incident response policies and procedures also specify processes for analyzing the severity of an identified incident, which serve to dictate the escalation procedures to notify varying levels of our risk management team. In response to cybersecurity incidents, we may involve external advisors to assist with remediation efforts and communications and we may seek to mitigate associated liabilities through our insurance coverage. Such third parties may include external legal counsel, forensic investigators and public relations firms, among others. These vendors serve to support our existing processes and procedures and operate as an extension of our enterprise risk management and information security functions.

Our internal audit team conducts security controls testing and provides independent validation that such controls are operating effectively on systems in scope for various regulatory and compliance requirements. Our regulatory compliance team uses third-party external auditors to perform independent testing against all systems in scope for our regulatory and customer-driven compliance obligations. The audit cadence aligns with regulatory and customer-driven needs. The scope of our audits includes all systems that store, transmit or process data. We also perform periodic third-party risk assessments, vulnerability testing, and system and cloud security assessments against our information technology systems.

We engage a variety of third-party service providers to process and store data, including certain customer information, some of which may include personally identifiable information. We also depend on third-party service providers to host many of the systems and infrastructure used to provide our products and services. A limited number of third-party services support essential functions of our business, including the use of cloud-based technology. We have a third-party service provider management program to manage cybersecurity risks associated with our use of these third-party service providers. The program includes the use of security questionnaires, review of statements of work and related information security addenda, procuring results of audits and compliance reviews and obtaining overviews of network infrastructure, among others. Based upon the extent and type of services utilized, reviews of certain third-party engagements are coordinated through members of the following management teams: procurement, legal, compliance, enterprise risk management and information security risk management, among others, as applicable. Depending on the nature of the services provided, the sensitivity of the data at issue and the identity of the third-party, our third-party service provider management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider.

Governance

Our Board considers risk assessment and development of risk mitigation strategies to be a responsibility of the entire Board in consultation with the appropriate Board committees. The Board regularly engages in risk oversight on a broad range of matters, including challenges associated with strategic acquisitions, cybersecurity, regulatory and other legal and compliance matters. For more focused risk oversight, our Board committees are tasked with specific risk management roles.

The Audit Committee oversees major enterprise risks and the steps management has taken to monitor and control such exposure, including risks to our information technology infrastructure and security. Members of our legal, compliance, enterprise risk management and information security management teams provide information and updates on any significant issues related to these topics at the periodic Audit Committee meetings, which are typically held at least quarterly. The Audit Committee is responsible for ensuring independent examination of management’s programs to identify, assess, respond to and monitor risks, which include those performed by internal audit and third-party consultants, among others.

Audit Committee member education is provided throughout the year through presentations to and discussions with the Audit Committee led by members of management, third-party consultants, our independent registered public accounting firm and legal counsel, on topics including information security, among others. Members of our Audit Committee have expertise in the technology industry as well as corporate risk management strategies.
