Trust Center

Security Compliance

Last Updated: May 22, 2025 7:05 am MDT

Zayo Group and its subsidiaries and Zayo Europe and its subsidiaries (“The Organization”) are committed to meeting and maintaining appropriate security policies, standards, and procedures in alignment with its business strategy and mission. Using a Common Control Framework (CCF), the Organization is able to ensure compliance with regulatory requirements, industry best practices, and other authoritative sources as defined by various leading global organizations. The Organization’s CCF is structured around various control families or domains, with each family representing a group of related controls from multiple regulations or standards, aligning them based on their common objectives and functional areas.

Zayo stakeholders understand the importance and urgency of implementing strong, durable safeguards for our products and services. To ensure consistency and compliance, Zayo follows the Unified Compliance Framework (UCF), which outlines a set of common control criteria that align with global standards, laws, regulations, directives, guidelines, and best practices (“requirements”). As new requirements emerge that impact our products and services, Zayo is committed to continuously improving our control environment to drive security maturity.

The UCF continually integrates processes and tools necessary to consolidate and harmonize all compliance requirements relevant to Zayo’s global business. By aligning with this framework, Zayo benefits from a standardized approach to compliance with key standards including ISO, NIST, SOC 1 and 2, PCI-DSS, and more. It also adheres to important laws, regulations, and directives, including CCPA/CPRA, DORA, FedRAMP, GDPR, NIS2, TSA, and others.

The Organization’s security program ensures compliance with a multitude of industry standards, regulations, and best practices through a single framework by aggregating authoritative sources into a collective whole. This framework then aligns and harmonizes the mandates within a de-duplicated list of common controls.

International Regulatory Compliance

Zayo strives to uphold the highest standards of international regulatory compliance. We recognize that operating in a global marketplace requires adherence to a variety of laws, regulations, and industry standards. As such, we ensure that all of our products and services meet or exceed the applicable requirements in each country or region where we operate.

Our Compliance program continually monitors global regulations, including data protection, privacy laws, financial regulations, and industry-specific standards, to ensure our operations remain transparent and accountable. We take pride in our proactive approach, implementing strong internal processes and controls to safeguard your interests and ensure the security and integrity of our operations.

Zayo’s approach is discussed in International Regulatory Compliance.

Security Certifications

Zayo does not hold security certifications for its network transport products, as we do not collect, store, or process customer data. Beginning in 2025, Zayo has embarked on a strategic company-wide effort to achieve certifications for its other products and services across SOX, SOC 1, SOC 2, FedRAMP, ISO 9001, 14001, 20243, 27001, and 45001, and other accreditation programs. We are also exploring additional certifications to expand compliance capabilities in the US, Canadian, and European markets.

Zayo recently engaged an experienced third party to assist with the overall effort, collaborating with stakeholders to mature the existing compliance program, secure executive sponsorship, and secure the follow-on resource and budgetary commitments that will be required year-over-year. Roadmaps and work plans to meet these objectives are under development beginning in 2025.

Current Certifications

ISO 9001, 14001, 20243, 27001, and 45001

Today, Zayo Europe in France and the UK hold ISO certifications for 9001, 14001, 27001, and 45001.

SOC 2

Today, Zayo Group, LLC holds a SOC 2 certification for its Canadian voice services, including SIP Trunking, Zayo UC+, and Zayo Voice. Zayo is currently working with a third-party audit firm to certify Zayo’s Managed Edge service, which is expected to complete in 2025.

PCI Attestations of Compliance

With regards to PCI, Zayo is both a Merchant and a Service Provider. In both instances, the scope of responsibilities the Organization shares in protecting PCI is limited, as Zayo does not store, transmit, process, or dispose of cardholder data or maintain a Cardholder Data Environment (CDE).

  • Merchant: Zayo accepts credit card payments from customers through customer account management portals and an Integrated Voice Response (IVR) system. These mechanisms provide a branded interface (wrapper) and coded calls to redirect customers to engage directly with third-party payment processors. Third-party payment processors use tokenized authorization methods to confirm identity and access before accepting, storing, or processing cardholder data on behalf of Zayo. Zayo complies with its PCI requirements and completes an SAQ-A-ER on an annual basis.
  • Service Provider: Zayo provides some services that may impact the security of customers who store, transmit, process, or dispose of cardholder data. As a Service Provider, Zayo and its customers have shared PCI responsibilities. Customers are responsible for protecting their cardholder data and CDE, and Zayo is responsible for protecting the network and service components of the customer CDE. Zayo complies with its PCI requirements and completes Attestations of Compliance (AOCs) for its relevant service provider services annually. For more information about shared PCI responsibilities, refer to the PCI-DSS v4.0 Service Provider Responsibility Matrix.

FAQs


  • Audit and Compliance

    What is the scope of an audit?

    The scope of an audit refers to the specific areas, processes, or financials under review. It can include financial statements, compliance with laws and regulations, internal controls, or operational performance. The scope is typically defined during the initial stages of the audit to meet regulatory or business requirements.

    How does Zayo ensure compliance with industry regulations?

    To ensure consistency and compliance, Zayo follows the Unified Compliance Framework (UCF), which outlines a set of common control criteria that align with global standards, laws, regulations, directives, guidelines, and best practices (“requirements”). As new requirements emerge that impact our products and services, Zayo is committed to continuously improving our control environment to drive security maturity. Our compliance team continuously monitors changes in regulatory requirements and ensures our practices align with the latest standards. Regular internal audits, employee training, and external audits also play a key role in this process.

    What happens if Zayo fails an audit or compliance check?

    If an audit or compliance check reveals issues, Zayo logs them for remediation as part of our Risk Management program. Corrective actions are assigned to the appropriate operational teams, as the first line of defense, for remediation.

    How do you handle sensitive data during an audit?

    We take data privacy and security very seriously. All sensitive data is handled with the utmost care, in compliance with data protection regulations such as GDPR or HIPAA. Auditors are required to sign non-disclosure agreements (NDAs), and data is stored in secure environments with restricted access.

    What are the key benefits of performing regular compliance audits?

    Regular compliance audits help identify risks early, ensure legal compliance, improve operational efficiency and security, and provide confidence to stakeholders. They also allow Zayo to address issues before they escalate into costly problems or legal issues.

    How does Zayo prepare for an audit?

    To prepare for an audit, Zayo ensures that all relevant documents, records, and policies are up to date and easily accessible. We conduct internal reviews to identify and address any gaps in compliance, train key employees on audit processes, and ensure our internal controls are functioning.

    What is the difference between internal and external audits?

    An internal audit is conducted by employees within the Organization to assess risk management, compliance, and internal controls. External audits are carried out by third-party firms to provide an unbiased review of financial statements and compliance with legal or regulatory standards. External audits tend to be more formal and may be required by law, investors, or other stakeholders.

    What is the Unified Compliance Framework (UCF)?

    The UCF is one of the largest frameworks for aggregating Authority Documents into a collective whole. It then aligns and harmonizes the requirements within a set of de-duplicated common controls. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

    What authoritative sources does Zayo consider in its common controls framework?

    Zayo’s compliance team continuously monitors for new global regulations and requirements and incorporates authoritative sources as needed. Today, Zayo considers the following sources within its common controls framework:

    • Regulation (EU) 2024/1689 of the European Parliament and of the Council – on Artificial Intelligence
    • Cybersecurity Maturity Model Certification (CMMC) Level 1
    • Colorado Revised Statutes, Title 6, Article 1 – Artificial Intelligence Act
    • Directive (EU) 2022/2555 of the European Parliament and of the Council – on measures for a high common level of cybersecurity across the Union
    • Regulation (EU) 2022/2554 of the European Parliament and of the Council – on digital operational resilience for the financial sector
    • Regulation (EU) 2016/679 of the European Parliament and of the Council – General Data Protection Regulation (GDPR)
    • FIPS Publication 140-2 – Security Requirements for Cryptographic Modules
    • FedRAMP Security Controls – Moderate Baseline
    • ISO 22301:2019 – Security and resilience – Business continuity management systems – Requirements
    • ISO 45001:2018 – Occupational health and safety management systems – Requirements with guidance for use
    • ISO 9001:2015 – Quality management systems – Requirements
    • ISO/IEC 27002:2022 – Information security, cybersecurity and privacy protection – Information security controls
    • ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection – Information security management systems – Requirements
    • ISO/IEC 28394:2023 – Information technology – Information security management – Security requirements for service providers
    • ISO/IEC 38507:2022 – Information technology – Governance of AI and autonomous systems – Overview of principles and practices
    • NIST Special Publication 800-171 Revision 3 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
    • NIST AI 100-1 – Artificial Intelligence Risk Management Framework
    • NIST Cybersecurity Framework (CSF) 2.0 – Framework for Improving Critical Infrastructure Cybersecurity
    • NIST Special Publication 800-161 Revision 1 – Cybersecurity Supply Chain Risk Management Practices for Federal Information Systems and Organizations
    • NIST Special Publication (SP) 800-53 Revision 5.1.1 – Security and Privacy Controls for Information Systems and Organizations
    • Payment Card Industry Data Security Standard (PCI DSS)
    • Personal Information Protection and Electronic Documents Act (PIPEDA)
    • Public Company Accounting Reform and Investor Protection Act of 2002
    • Statement on Standards for Attestation Engagements (SSAE) No. 18 – Attestation Standards: Clarification and Recodification
    • SOC 2® – Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
    • Web Content Accessibility Guidelines (WCAG) 2.1

    Is Zayo in scope for the Digital Operations Resilience Act (DORA)?

    DORA places significant responsibility on financial entities to manage and oversee their third-party ICT providers. It emphasizes thorough due diligence, continuous monitoring, clear contracts, and incident management, all aimed at ensuring operational resilience in the face of disruptions or cyber risks. Financial institutions must be proactive in managing these risks to comply with DORA’s standards. DORA requirements for third-party ICT focus on managing risks arising from outsourcing critical ICT services, which could impact operational resilience.

    Zayo is not a financial services entity and has not been designated as a critical Information and Communications Technology (ICT) third-party service provider, but Zayo acknowledges and appreciates the impact of DORA on financial services entities and includes DORA in its common controls framework as outlined by the Unified Compliance Framework (UCF). Our Organizational programs address DORA regulations as they apply to ICT third-party service providers in the following areas:

    • Risk Management
    • Incident Reporting
    • Resilience Testing
    • Compliance with Security Standards
    • Contractual Obligations
    • Monitoring and Oversight

    For more information, refer to International Regulatory Compliance.

    What is Zayo’s approach to Europe’s new Network and Information Security 2.0 Directive (NIS2)?

    NIS2 aims to enhance the cybersecurity landscape by introducing a Cyber Crisis Management Structure through the European Cyber Crisis Liaison Organization Network (EU-CyCLONe). It promotes harmonization of security requirements, encourages national strategies to address new areas such as supply chain and vulnerability management, and expands the sectors covered, thereby increasing the number of entities responsible for cybersecurity.

    NIS2 significantly broadens the scope of compliance to include mid-sized and large companies across 18 critical sectors, such as energy, transport, and healthcare. Organizations classified as essential or important must establish incident-reporting processes for significant security breaches, guided by criteria related to location, size, and industry.

    Zayo is proactively aligning its operations with NIS2 as an Essential Entity and includes NIS2 in its common controls framework as outlined by the Unified Compliance Framework (UCF). Under the guidance of the Chief Security Officer (CSO), Zayo is implementing safeguards as part of its security program to meet NIS2 requirements while ensuring compliance with other global regulations.

    For more information, refer to International Regulatory Compliance.

    Is Zayo compliant with the UK Telecommunications Security Act (TSA)?

    The Telecommunications Security Act (TSA), effective March 31, 2025, introduces new security regulations for telecom providers in the United Kingdom (UK), responding to evolving geopolitical threats and increasing cybercriminal activity. The Act establishes a ‘Three Layer Framework’ and a tiering system that categorizes providers based on size and annual revenue, determining compliance requirements and timelines. The UK Office of Communications (Ofcom) is the regulatory body supervising the UK communications industry. The TSA passed into law on October 1, 2022, ushering in a number of new security requirements for public telecom providers.

    Zayo, classified as a Tier 2 provider, is proactively aligning its operations with TSA requirements through its governance framework of common controls. Currently, the TSA authoritative source is not available in the UCF; however, Zayo has performed a gap analysis and an internal audit to determine the safeguards required within our common controls to meet initial compliance measures, and continues to enhance its Security program with guidance from its Chief Security Officer (CSO).

    For more information, refer to International Regulatory Compliance.

    Is Zayo in scope for PCI?

    With regards to PCI, Zayo is both a Merchant and a Service Provider. In both instances, the scope of responsibilities the Organization shares in protecting PCI is limited, as Zayo does not store, transmit, process, or dispose of cardholder data or maintain a Cardholder Data Environment (CDE).

    • Merchant: Zayo accepts credit card payments from customers through customer account management portals and an Integrated Voice Response (IVR) system. These mechanisms provide a branded interface (wrapper) and coded calls to redirect customers to engage directly with third-party payment processors. Third-party payment processors use tokenized authorization methods to confirm identity and access before accepting, storing, or processing cardholder data on behalf of Zayo. Zayo complies with its PCI requirements and completes an SAQ-A-ER on an annual basis.
    • Service Provider: Zayo provides some services that may impact the security of customers who store, transmit, process, or dispose of cardholder data. As a Service Provider, Zayo and its customers have shared PCI responsibilities. Customers are responsible for protecting their cardholder data and CDE, and Zayo is responsible for protecting the network and service components of the customer CDE. Zayo complies with its PCI requirements and completes Attestations of Compliance (AOCs) for its relevant service provider services annually. For more information about shared PCI responsibilities, refer to the PCI-DSS v4.0 Service Provider Responsibility Matrix.

    Does Zayo hold a valid information security/cybersecurity third-party attestation or certification (e.g., ISO 27001, SOC 2 Type 2, CMMC Level 3-5, Cybersecurity Maturity Assessment)?

    Zayo does not hold security certifications for its network transport products, as we do not collect, store, or process customer data. Beginning in 2025, Zayo has embarked on a strategic company-wide effort to achieve certifications for its other products and services across SOX, SOC 1, SOC 2, FedRAMP, ISO 9001, 14001, 20243, 27001, and 45001, and Capability Maturity Model Integration (CMMI) accreditation programs. We are also exploring additional certifications to expand compliance capabilities in the US, Canadian, and European markets.

    Zayo Europe is certified in ISO 27001, ISO 9001, ISO 14001, and ISO 45001. SOC 2 certification applies only to voice services in Canada.

  • Data Privacy

    Does Zayo host customer data?

    No. Zayo acts as a processor, not a controller, of customer data. Customer personal data retained by the Organization is limited to billing information and service provisioning, and is stored separately from our solutions environment. Any processing or storage of personal data is primarily limited to customer contact information necessary for service provisioning. The Organization conducts comprehensive reviews of its data processing activities, including internal data transfer assessments and resulting Data Processing Addendums (DPAs), to ensure compliance.

    How does Zayo interact with customer data?

    Fiber & Transport and Network Connectivity: Zayo provides infrastructure and bandwidth services that permit customers to transport data in accordance with customer contractual requirements. The customer is responsible for ensuring the data transmitted through these services is appropriately protected and compliant with current privacy legislation. Although the information moving through company infrastructure may include customer information, Zayo is not acting in the role of processor of customer data, and Zayo does not possess any direct or administrative access to any customer content that is transmitted through our communication infrastructure. This separation is maintained through both technological and security controls implemented on our service architecture.

    Cloud services (Object Based Storage Services): Zayo provides and operates cloud-based capabilities and infrastructure that permit storage and lifecycle management activities for customer content. Zayo only permits access to customer-stored content by a limited number of employees, at the request of the authorized customer party asking Zayo to access such content, and such access by Zayo employees is limited to certain administrative functions, such as resetting passwords to provide the authorized customer party access to customer content. Zayo requires these employees to read, understand, and acknowledge compliance with Zayo’s policies governing such access. Through the Cloud Services Offering, Zayo is acting in the role of a processor on behalf of the customer (the controller). Zayo has prepared a Data Processor Addendum (“DPA”) in accordance with GDPR Article 28. Customers may make a request through their designated Zayo contact to initiate the process for executing a DPA.

    Voice services: Zayo provides cloud-based voice and collaboration solutions that deliver voice and PBX features, video meetings and messaging, and contact management features through an intuitive cloud interface. Customers may access a dashboard of reports, and may subscribe to a call recording feature. To access the customer dashboard, a new user receives a system-generated password in a separate email from the application setup instructions. The user is instructed to change the password, and neither the customer administrator nor Zayo has access to user passwords. Zayo has an application management password for all applications, including our call recording solutions. Zayo only permits access by a limited number of employees for the purpose of providing customer assistance and troubleshooting. Access to Zayo’s highest-level master portal is limited to a select few employees.

    Customer portals for programming phones may be accessed only by select Zayo employees upon request of the customer. These portals are limited to phone systems and do not provide access to applications such as meetings or call recordings.

    Zayo provides telecommunications and infrastructure offerings to customers globally. As part of providing those offerings, Zayo may act as a processor. Zayo collects and stores Personal Data for purposes of providing its offerings, informing Customers of additional offerings, tracking use activity on its websites, and marketing efforts related to its offerings.

    How does Zayo use customer data?

    Zayo uses customer data for the following purposes:

    • Contract Administration: Zayo processes personal data contact information as necessary for the performance of offerings pursuant to a contract between Zayo and its Customer. Contact information is needed for ongoing contract administration, to provide Customer notices and service announcements, to assist with service incident resolution, to install and maintain services on Customer premises and to address billing and payment inquiries.
    • Physical Security Controls: Zayo processes identity information as necessary for the performance of a contract between Zayo and the Customer. Customer contracts require that physical security controls be implemented to prevent unauthorized access to colocation facilities and Customer equipment. Identity information is collected to authenticate individuals based on Customer approvals.
    • Traffic Data: Zayo monitors and processes network traffic data consistent with its legitimate interests to support the offerings provided pursuant to a contract between Zayo and its Customer, to ensure the integrity of services and to support security incident and event management functions.
    • Website: Zayo processes website visitor information and contact information with our legitimate interest to offer and provide products and services, send promotional materials and marketing communications regarding programs, offers and surveys, deliver targeted online advertising, communicate with returning visitors and auto-fill web-based forms, respond to inquiries, and to operate, evaluate and improve our business. Zayo processes website application information with our legitimate interest to create and maintain user credentials to allow authenticated user access to self-serve functions related to telecommunication services, or to submit recruitment information for consideration of employment.

    In what instances is customer personal data processed?

    When personal data is processed, it is processed in the following instances:

    • Contact Information: Zayo receives personal data from data subjects in their role as employees of our Customers. Information required by Zayo to enable communications with Customers, administer Customer accounts, and in accordance with contractual obligations is limited to name, business address, telephone number, job title, and email address. Zayo may also collect certain publicly available social media information to facilitate provisioning of our offerings and communications with our Customers.
    • Website Application and Other Associated Service Portals: Zayo processes personal data contact information associated with the creation of application user credentials (e.g., Tranzact, Workday recruitment, Zayo service portals), and collects website visitor information in the form of generic website statistics and cookies, including device, operating system and browser type, country and time zone indicators, and other system settings. Zayo collects this information directly from data subjects through the interaction and use of our websites. See the Zayo Cookie Notice for more specific details on data collection, use, and the ability to block cookies.
    • Marketing: Zayo utilizes websites for the display of corporate information as well as to market and transact Zayo Offerings. Customers and website visitors interact with various functions on these pages that may require the collection and use of Personal Data to complete those functions.
    • Opt Out: If Zayo uses personal data for the purpose of sending Customers sales and marketing communications, Customers may manage the receipt of marketing and non-transactional communications from Zayo by clicking the Manage preference link located at the bottom of Zayo marketing emails.
    • Submission of Personal Data by Customer: In cases where contact information is provided by the Customer in accordance with contractual requirements, the Customer is responsible for ensuring that any personal data submitted to Zayo has been obtained in accordance with relevant data protection requirements and that, where applicable, Customer has obtained any required consent from the data subject prior to providing personal data to Zayo.
    • Identity Information: For Customers that require access to Zayo facilities, Zayo collects government-issued identity information (e.g., driver’s license, passport), palm or fingerprint biometric identifiers, and CCTV video images. Zayo collects this information directly from the data subject at each designated Zayo facility.
    • Network Traffic Data: Zayo collects data that is captured through system logging and data flow management systems including, but not limited to, source and destination Internet Protocol (IP) addresses and domain name, date and time indicators, and other network layer protocol header information as collected based on service capabilities. Although IP addresses are collected within network traffic logs, Zayo does not possess the necessary capabilities without the involvement of the impacted Customer to identify an individual.

    What privacy laws and regulations does Zayo comply with?

    Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. Authoritative privacy requirements incorporated into Zayo’s security program include, but are not limited to:

    • California Consumer Protection Act (CCPA)
    • Colorado Privacy Act
    • General Data Protection Regulation (GDPR)
    • Payment Card Industry Data Security Standard (PCI-DSS)
    • Personal Information Protection and Electronic Documents Act (PIPEDA)

    For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

    Is Zayo PCI compliant?

    With regards to PCI, Zayo is both a Merchant and a Service Provider. In both instances, the scope of responsibilities the Organization shares in protecting PCI is limited, as Zayo does not store, transmit, process, or dispose of cardholder data or maintain a Cardholder Data Environment (CDE).

    • Merchant: Zayo accepts credit card payments from Customers through customer account management portals and an Integrated Voice Response (IVR) system. These mechanisms provide a branded interface (wrapper) and coded redirects where Customers engage directly with third-party payment processors. Third-party payment processors use tokenized authorization methods to confirm identity and access before accepting, storing, or processing cardholder data on behalf of Zayo. Zayo complies with its PCI requirements and completes an SAQ-A-ER on an annual basis.
    • Service Provider: Zayo provides services that may impact the security of Customers who store, transmit, process, or dispose of cardholder data. As a Service Provider, Zayo and its Customers have shared PCI responsibilities. Customers are responsible for protecting their cardholder data and CDE, and Zayo is responsible for protecting the network and service components of the Customer CDE. Zayo complies with its PCI requirements and completes Attestations of Compliance (AOCs) for its relevant service provider services annually. For more information about shared PCI responsibilities, refer to the PCI-DSS v4.0 Service Provider Responsibility Matrix.

    What are my Data Subject rights as a customer?

    As a customer, you have the following rights:

    • Right to Access: Individuals may request access to their personal data
    • Right to Correction: Individuals may request rectification of inaccuracies in their data
    • Right to Erasure: Individuals may request deletion of their data, subject to legal and regulatory obligations
    • Right to Restriction of Processing: Individuals may request that the processing of their data be restricted
    • Right to Data Portability: Individuals may request their data in a structured, commonly used format
    • Right to Object: Individuals may object to data processing based on legitimate interests or direct marketing
    • Right to Opt Out: Individuals may opt out of the sale of their personal information
    • Right to Not Be Discriminated Against: Individuals may exercise their privacy rights without discrimination

    Customers may manage the receipt of marketing and non-transactional communications from Zayo by clicking the Manage preference link located on the bottom of Zayo marketing emails.

    Customers may update, correct, or remove personal data, or object to the processing of their information related to a website visit or web application support, by contacting privacy.office@zayo.com or by using the Support options on portals or applications.

    Can Zayo transfer customer data across borders?

    The Organization is not prohibited from transferring personal information to an organization in another jurisdiction for processing. However, the Organization is held accountable for the protection of personal information transfers under each individual outsourcing arrangement.

    The Organization is responsible for protecting personal information under its control. Personal information may be transferred to third parties for processing but contractual or other means are required to provide a comparable level of protection while the information is being processed by the third party.

    Does Zayo share customer data with third parties?

    Generally, Zayo may disclose customer personal data: (i) as set forth in a Data Processor Addendum (DPA) between Zayo and a customer; (ii) as required by law or legal process; (iii) to law enforcement authorities or other government entities; and (iv) when Zayo believes disclosure is necessary or appropriate to prevent harm or financial loss, or in connection with an investigation of alleged fraudulent or illegal activity.

    Zayo endeavors to limit data transfers wherever possible; however, Zayo does provide personal data, limited to name, contact information, and title, to its sub-processors to fulfill its obligations to its customers and for administrative purposes. Where such data transfers are necessary, Zayo ensures that recipients of this data have appropriate safeguards and contractual terms in place, including Standard Contractual Clauses under GDPR where applicable.

    When Zayo transfers personal information for processing, it can only be used for the purposes for which the information was originally collected. “Processing” is interpreted to include any use of the information by a third party processor for a purpose for which the transferring organization can use it. 

    Third party processors must provide protection that can be compared to the level of protection the personal information would receive if it had not been transferred. It does not mean that the protections must be the same across the board, but it does mean that they should be generally equivalent.

    How is customer data retained and disposed of?

    Zayo retains personal data (contact information and website and application information) for as long as the customer maintains an active account and for seven (7) years after account termination in order to comply with legal and financial reporting obligations. In some cases, such as when required by law or rule, Zayo will keep personal contact information for longer periods (e.g., E-Rate retention requirements). In all other cases, when personal contact information is no longer required in support of a defined purpose, it is properly and securely deleted.

    How does Zayo handle data breaches?

    Events involving unauthorized access, release, theft, or use of sensitive, protected, or confidential customer data are treated as security incidents by the Organization. Upon incident identification and confirmation, Zayo:

    • Takes immediate steps to secure systems and prevent further unauthorized access.
    • Assesses what data was exposed, identifies the customers affected, and evaluates potential risks.
    • Promptly notifies customers via email about the breach and informs them of any actions they should take, such as changing passwords or monitoring accounts.
    • Notifies regulatory authorities as per applicable laws. 
    • Offers support services as applicable to the incident.
    • Provides updates on any investigation and the steps toward breach resolution, and informs customers about any necessary further actions.
    • Reviews the incident, identifies root causes, and strengthens security measures to prevent future breaches.

    How do I report a data breach?

    If you suspect a data breach incident, immediately contact our Privacy Office at privacy.office@zayo.com.

  • Security Governance

    What is the Unified Compliance Framework (UCF)?

    The UCF is one of the largest frameworks for aggregating Authority Documents into a collective whole. It then aligns and harmonizes the requirements within a set of de-duplicated common controls. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

    How is Zayo’s Security Governance Framework structured?

    Using a Common Control Framework (CCF) based upon the UCF, Zayo is able to ensure compliance with regulatory requirements, industry best practices, and other authoritative sources as defined by various leading global organizations. The Organization’s CCF is structured around various control families or domains, with each family representing a group of related controls from multiple regulations or standards, aligning them based on their common objectives and functional areas. This ensures the Organization’s compliance with a multitude of global industry standards, regulations, and best practices.

    Does Zayo share its governance documentation with customers?

    No. Zayo does not share governance documents in their entirety as they are treated as internal resources that are proprietary in nature. This fosters accountability and confidentiality, guiding teams through crises while ensuring compliance with industry standards.

    Is there a process used to verify that information is categorized according to legal, regulatory, or internal sensitivity requirements?

    Yes. Information is categorized using data classification standards and document retention policies. 

    Do you follow operational standards or frameworks for managing Information Security/Cybersecurity?

    Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

    Do you have company-wide, publicly available security policies in place covering privacy?

    Yes. You can find publicly available policies under the Governance category of the Trust Center. For privacy information, please refer to Zayo’s Privacy Policy.

    What mechanisms are in place to ensure Zayo policy and standards are enforced within your supply chain?

    Zayo is a global corporation and rigorously assesses all Suppliers by strictly enforcing Inherent Risk Questionnaires (IRQs), Office of Foreign Assets Control (OFAC) and Committee on Foreign Investment in the United States (CFIUS) reviews, and Data Processing Addendums (DPAs). Agreements with Suppliers must include requirements to address the information security risks associated with information and communications technology services and the Organization’s product supply chain, which includes cloud computing services. It is the responsibility of Users to work with Suppliers to understand the information and communication technology supply chain so that the Organization knows the components that could have an important impact on the products and services being provided.

    Supplier agreements state that Suppliers must adhere to the security requirements specified in the Supplier Relationships Policy they are required to sign, that the specified security requirements and practices are propagated throughout the supply chain, and that the relevant Organization teams associated with the Supplier and Supplier contract must ensure monitoring is in place to validate that delivered information and communication technology products and services adhere to the stated security requirements. Associated Organization teams must obtain assurance that the delivered information and communication technology products are functioning as expected without any unexpected or unwanted features. All third parties are assessed and re-assessed as service agreements change. If violations of contractual Third Party Risk Management (TPRM) requirements or TPRM-related incidents occur, remediation activities are managed as issues.

    Information that Users share with a Supplier must only be shared on a need-to-know and need-to-use basis throughout the supply chain, and the Supplier must apply the same method of information sharing if it uses any other Suppliers for the services provided to the Organization.

    Do the Board and Executive Management establish a clear ‘tone from the top’ on the importance of cybersecurity?

    There is a distinct ‘tone from the top’ from the Board and Executive Management that is consistent, visible, and achieved on a sustained basis.

    Does a relevant Board Committee (with risk management oversight or audit responsibilities) receive cybersecurity reports?

    Yes. Reports include:

    • Key threats and associated cyber security activities
    • Cyber incidents and underlying causes
    • Ownership responsibilities and accountabilities
    • Roadmaps, action plans, and progress
    • Key Risk Indicators, tolerances and financial thresholds / limits
    • Cyber security performance metrics and trends
    • Information on emerging threats

    How often does the Board receive reporting on Zayo’s cyber risk profile?

    Board reporting occurs quarterly or more frequently as needed.

    Is there an executive-level sponsor (e.g., CTO, CIO, CISO, GC) to promote cybersecurity or dedicated roles with accountability for cyber security?

    Yes. Zayo’s CIO, CFO, and CSO act as executive-level sponsors to promote Zayo’s security programs and posture.

Attachments

2024-2027 ISO 14001 UK (PDF, 1.05 MB)

2024-2027 ISO 27001 UK and France (PDF, 1.05 MB)

2024-2027 ISO 45001 UK (PDF, 1.00 MB)

2024-2027 ISO 9001 UK (PDF, 1.05 MB)

Summary of 2024 SOC 2 Certification – Canadian... (PDF, 133.40 KB)

PCI-DSS v4.0 Service Provider Responsibility Matrix (PDF, 430.52 KB)