ZIPRECRUITER, INC. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

ZIPRECRUITER, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:13:37 EST.

Filings

10-K filed on 2024-02-28

ZIPRECRUITER, INC. filed a 10-K at 2024-02-28 16:13:37 EST
Accession Number: 0001617553-24-000011


Item 1C. Cybersecurity.

Our board of directors recognizes the critical importance of maintaining the trust and confidence of our users, customers, clients, business partners, and employees. We are committed to protecting the privacy of our users and safeguarding our systems, networks, and services against cybersecurity risks, such as loss, unauthorized access, or other misuses. We take that responsibility very seriously and maintain high standards of governance. Our board of directors provides oversight of risk management issues, including information security and data privacy. Our board of directors is actively involved in oversight of our risk management, and cybersecurity represents an important component of our overall approach to enterprise risk management, or ERM. The audit committee of our board of directors is regularly updated by management and reviews cybersecurity and other information technology risks, controls, and procedures on a regular basis. Our cybersecurity policies, standards, processes, and practices reflect our business and risks, take into account recognized frameworks (such as those established by the National Institute of Standards and Technology, the International Organization for Standardization, and other applicable industry standards), and are reviewed and updated as appropriate. In general, we address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security, and availability of the information that we collect and store by proactively identifying, preventing, and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.

Risk Management and Strategy

As one of the critical elements of our overall ERM approach, our cybersecurity program is focused on the following key areas:

Governance: Our board of directors' oversight of cybersecurity risk management is supported by the audit committee of our board of directors, which regularly interacts with our ERM function, including our Chief Technology Officer, or CTO, Chief Legal Officer, or CLO, and other members of management and the relevant security, privacy, and compliance teams.

Collaborative Approach and Implementation of Best Practices: We have implemented a comprehensive, cross-functional approach to identifying, preventing, and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. For example, through the AppSec Guild, we establish and promote development practices, policies, procedures, and technical designs intended to develop secure outward-facing products and systems. Our Security Operations team helps to provide information technology security and oversight for corporate infrastructure and systems, and engages in cybersecurity incident response and management. Working in concert, these groups establish a tiered, best-practices-driven posture to protect us from cybersecurity threats.

Technical Safeguards: We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including, without limitation, through firewalls, intrusion prevention and detection systems, anti-malware functionality, and access controls, which are evaluated and improved through vulnerability assessments and regular reviews.

Incident Response and Recovery Planning: We have established and maintain comprehensive cybersecurity incident response policies and procedures, and business continuity and disaster recovery plans, which are tested or evaluated on a regular basis.

Third-Party Risk Management: We maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers, and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. We perform security vetting for all new applicable third-party vendors and service providers, and conduct security reviews of applicable existing third-party vendors and service providers on an ongoing basis.

Ongoing Employee Training: We provide regular, mandatory security awareness training and phishing simulation for our employees regarding cybersecurity threats as a means to equip our personnel with effective tools to identify and address cybersecurity threats. Additional information on our policies, procedures, and safeguards can be found on our Security and Compliance webpage (https://www.ziprecruiter.global/en/security).

We engage in the periodic assessment and testing of our policies, standards, processes, and practices that are designed to address cybersecurity threats and incidents, as appropriate. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing, and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. For example, ZipRecruiter has completed a third-party SOC 2 Type 2 audit, works with independent security researchers through its private bug bounty program, and conducts annual penetration testing using a third-party security tester. The results of such assessments, audits, and reviews are regularly reviewed, and we adjust our cybersecurity policies, standards, processes, and practices as necessary based on the information provided by these assessments, audits, and reviews.

Governance

Our board of directors, in coordination with our audit committee, oversees our ERM, including the management of risks arising from cybersecurity threats. Our audit committee receives regular presentations and reports on cybersecurity, privacy, and compliance, which address a wide range of topics including recent developments, evolving standards, the threat environment, technological trends, and information security considerations arising with respect to our peers and third parties. Our audit committee also receives prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. Our CTO, Security Operations team, AppSec Guild, and Senior Corporate Counsel work collaboratively across our company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our incident response and recovery plans. To facilitate the success of our cybersecurity risk management, multidisciplinary teams throughout our company are utilized to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, our Security Operations team monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and reports such threats and incidents to our Legal Team when appropriate. Our CTO has served in various roles in information technology for over 25 years, including serving as the CTO of two large companies, and holds a master's degree in Computer Science.

Our CEO, CFO and CLO each hold undergraduate and/or graduate degrees in their respective fields, and collectively have over 25 years of experience managing risks at our company. Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected, nor do we believe they are reasonably likely to materially affect, our business strategy, results of operations or financial condition, but we cannot provide assurance that they will not be materially affected in the future by such threats or any future material incidents. For more information regarding cybersecurity risks that we face and potential impacts on our business related thereto, see the risk factor titled "Changes in laws or regulations relating to data privacy or the protection, collection, storage, processing, transfer, or use of personal data, or artificial intelligence, or any actual or perceived failure by us to comply with such laws and regulations or our privacy policies, could adversely affect our business."


Company Information

Name: ZIPRECRUITER, INC.
CIK: 0001617553
SIC Description: Services-Computer Programming, Data Processing, Etc.
Ticker: ZIP - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30