Cybersecurity is of paramount importance to customers and stakeholders. As an advanced telecommunications systems, mobile devices, and enterprise technology solutions provider, ZTE deeply understands the concerns of its customers and stakeholders on cybersecurity. The compliance with cybersecurity laws and regulations is the premise of ZTE's all business activities. ZTE is committed to an end-to-end delivery of secure and reliable products and services to customers. 

Cybersecurity is one of the highest priorities in ZTE product development and delivery. ZTE has built a three lines of defense security governance structure, integrating security policies and controls into each phase of the product life-cycle to achieve secure end-to-end delivery of products and services:

1.ZTE has adopted the three lines of defense security governance model to implement and review cybersecurity from multiple perspectives. The first line of defense achieves cybersecurity self-management and control, the second line of defense implements independent security verification and supervision; and the third line of defense audits the effectiveness of the first and second lines of defense.

2.ZTE supply chain ensures that products are produced, stored, transported and delivered to customers in a secure manner, with each process meeting the security management standards. The supply chain security team focuses on identifying security risks and improving relevant key processes to ensure that products in all the supply chain procedures are managed in a confidential, tamperproof and traceable manner. By signing security agreements with suppliers and implementing security audits, ZTE communicates cybersecurity requirements to suppliers and works with suppliers to ensure that purchased products are secure and trustworthy.

3.ZTE has established a closed-loop security control process covering all key checkpoints in the product development process and has deployed a multi-layer verification mechanism to ensure that the Product Security Teams, the Independent Security Verification Team and the Security Audit Team assess the cybersecurity from multiple yet separate perspectives.

4.ZTE has established multi-level product security management teams in the fields of engineering and services based on regional, national and project dimensions. The engineering and services business processes have been optimized with reference to industry standards and best practices. The management specifications are formulated and continuously improved. The cybersecurity  monitoring and incident response mechanisms are established to ensure a secure and reliable delivery of products and services to our customers.

5.ZTE Product Security Incident Response Team (PSIRT) identifies and analyzes security incidents, tracks incident handling processes, and communicates closely with internal and external stakeholders to disclose security vulnerabilities in a timely manner so as to mitigate the adverse effects of security incidents. As a member of the Forum of Incident Response and Security Teams (FIRST) and the CVE Numbering Authority (CNA), ZTE is collaborating with customers and stakeholders in a more open manner.

ZTE respects the legitimate rights and interests of customers and users, complies with relevant laws and regulations, continuously improves management and technical practices based on the three lines of defense security governance system, and realizes an end-to-end secure delivery of products and services, to ensure the security of customer networks, assets and privacy. ZTE is willing to communicate and cooperate with regulators, customers, business partners and other stakeholders in an open and transparent manner to create a good cybersecurity environment.

This statement applies to ZTE Corporation and its subsidiaries (directly and indirectly owned) and branches worldwide.