Zoomcar Holdings, Inc. - (ZCAR)

10-K Filing Date: July 12, 2024
Item 1C. Cybersecurity

 

Cybersecurity attacks impact businesses and organizations of all sizes and sectors on a global basis. At Zoomcar, we recognize the importance of developing, implementing and maintaining a cybersecurity risk management program. Our customers rely on our solutions to store, use and protect their files, which may include confidential or personally identifiable information, critical business information, photographs, and other meaningful content. A successful cybersecurity attack could adversely affect the confidentiality, integrity, and availability of our information systems or any data residing therein. We dedicate significant effort and resources to protect our systems and data, as well as the data of our customers from cybersecurity threats. We are dependent on internal and external information technology systems and infrastructure to securely process, transmit, and store critical information. Our Internal Security team is responsible for overseeing our cybersecurity. We seek to reduce cybersecurity risks through a variety of cybersecurity risk management activities that are designed to identify, assess, manage and mitigate cybersecurity threats.

 


 

Risk Management Strategy

 

The Company’s cybersecurity risk management program is focused on the following key areas:

 

Governance: The cybersecurity risk management program is led by Mr. Mohit Kumar, Head of DevSecOps (Development, Security and Operations), with support from the Internal Security team, and the policies therein are reviewed from time to time by Mr. Vishal Ramrakhyani, our Head of Engineering. At present, our Board of Directors does not oversee the cybersecurity risk management program; however, the Audit Committee of our Board of Directors is in the process of implementing procedures to obtain regular updates on our cybersecurity program, including recent developments, key initiatives to strengthen our systems, applicable industry standards, vulnerability assessments, third-party and independent reviews, and other information security considerations.

 

Approach: We use a cross-functional approach to identifying, preventing, assessing, and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that are designed to provide for the prompt escalation of cybersecurity incidents and support appropriate public disclosure and reporting of incidents as required in a timely manner. Our cybersecurity efforts include the use of risk-based administrative, technical, and physical controls. Zoomcar has implemented an extensive set of policies, procedures, systems and tools designed to help safeguard our systems and data, including firewalls, intrusion detection systems, access controls including multi-factor authentication, vulnerability scanning, penetration testing, independent third-party control audits, an internal bug bounty program, and other systems and processes.

 

Incident Response Planning: We maintain a breach reporting and resolution plan that includes defined processes, roles, communications, responsibilities and procedures for responding to cybersecurity incidents and other events that impact our operations. Our incident response plans are tested and evaluated on a regular basis.

 

Third-Party Risk Management: Our business relies on various services from third-party service providers that could adversely impact the security of our systems and business. We have implemented processes designed to identify and assess cybersecurity risks associated with our use of third-party service providers.

 

Education and Awareness: We have established a security and privacy awareness program that runs throughout the year and includes training for all company personnel to enhance employee awareness of how to detect and respond to cybersecurity threats as well as more targeted training for company personnel that have increased responsibility for mitigating certain potential cybersecurity risks.

 

We regularly review and update our policies, procedures, processes and practices to address changes in the threat landscape and as a result of lessons learned from suspected, actual or simulated incidents. We also conduct tabletop exercises and engage third-party services to conduct evaluations of our security controls through penetration testing and independent audits. We also review industry best practices to assist in evaluating responses to new challenges and risks. These evaluations include testing both the design and operational effectiveness of security controls.

 

Experience:

 

Our Head of DevSecOps, Mr. Mohit Kumar, is a seasoned technology leader with over 14 years of experience in DevOps, SRE, Cloud Computing, and Cybersecurity. As the Deputy Director of DevOps and Cybersecurity at Zoomcar, Mohit heads the DevSecOps team and has led transformative projects, cultivated cybersecurity awareness and promoted holistic cybersecurity practices that were aligned with policies defined and approved by management. Mohit and his team are dedicated to integrating security into development, ensuring robust cloud security, enforcing security policies, and driving shift-left practices with operational excellence at Zoomcar.

 

Vishal Ramrakhyani, our Head of Engineering, has over 13 years of experience as a seasoned technology leader and operator with expertise in application development, IT, cybersecurity, data protection and governance. He has been associated with Zoomcar for more than 7 years and has led strategic initiatives to build robust cybersecurity practices that align with long-term business objectives. Vishal has also worked with internal DevSecOps and external security consultants to build policies around disaster recovery and incident response, keeping business continuity as the core objective. Before Zoomcar, Vishal worked as an engineering leader in multiple startups in India.

 


 

Cybersecurity Risks

 

While we dedicate significant efforts and resources to our cybersecurity program, we may be unable to successfully identify threats, prevent attacks, satisfactorily resolve cybersecurity incidents, or implement adequate mitigating controls. Any breach of our network security and information systems or other cybersecurity-related incidents that results in, or may result in, the loss, theft or unauthorized disclosure of data, or any delay in determining the full extent of a potential breach, could have a material adverse impact on our business, results of operations, and financial condition, including harm to our reputation and brand, reduced demand for our solutions, time-consuming and expensive litigation, fines, penalties, and other damages. To date and except as otherwise may be noted in this Annual Report on Form 10-K, we do not believe that any cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected, or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. For more information relating to cybersecurity risks and uncertainties, please see the risk factor entitled “Breaches and other types of security incidents of our networks or systems, or those of our third-party service providers, could negatively impact our business, our brand and reputation, our ability to retain existing Hosts and Guests and attract new Hosts and Guests, may cause us to incur significant liabilities and adversely affect our business, results of operations, financial condition, and future prospects.” in Part I, Item 1A, and other risk factors in this 10-K.