Zscaler built its business on zero trust — the principle that no user or system should be trusted by default and every access should be verified. So its Item 1C cybersecurity disclosure is a natural place to ask whether the company applies that discipline to itself. Zscaler's Form 10-K for fiscal 2024, filed September 12, 2024, describes a "cybersecurity risk management approach" that "provides a framework for identifying, monitoring, evaluating and responding to risks from cybersecurity threats."

The four verbs — identifying, monitoring, evaluating, responding — are the skeleton of any mature security program, and the SEC's Item 1C is designed to make companies state that skeleton plainly. For a vendor, the disclosure is a chance to show that the lifecycle it sells to customers is the lifecycle it runs internally. The standardized section makes the claim checkable against peers.

Zscaler's governance disclosures elsewhere in its filings put audit-committee oversight on privacy and cybersecurity risk, which is the board-level half of what Item 1C requires: not just a process, but accountability for it. Reading the risk-management framework and the oversight structure together is the right way to use the section — process plus who answers for it.

For readers and buyers, the practical takeaway is to treat Item 1C as a maturity signal, with appropriate skepticism. The presence of a described framework is necessary but not sufficient; what matters is specificity and whether the oversight is real. A zero-trust vendor that describes a thin internal program would be telling on itself; one that describes a rigorous, board-supervised lifecycle is showing its work.

EdgarBeast surfaced the filing from the SEC's index; the 10-K on sec.gov is the primary source. The most useful next step for any reader is comparison — Zscaler's framework against those of Fortinet, CrowdStrike, and the other pure-play vendors, all now required to describe the same thing in the same place.

Looking ahead from this filing, expect Item 1C sections to grow more detailed as companies learn what investors and regulators want from them, and as the first wave of Item 1.05 incident filings starts to test whether the described frameworks hold up under a real event.