Dayforce, Inc. - (DAY)
10-K Filing Date: February 28, 2024
As an HCM company, we face a multitude of cybersecurity threats from threat actors seeking to access or leverage the data we possess for malicious ends. Review of our information security program, including our cybersecurity policies, standards, and processes, is integrated into our Enterprise Risk Management ("ERM") program which is based on the COSO Enterprise Risk Management Framework and International Organization for Standardization ("ISO") 31000, the two most widely used global standards for ERM.
Our information security program aligns with recommended practices in security standards issued by ISO, AICPA (SSAE 18), the National Institute of Standards and Technology ("NIST"), and other industry sources. Specifically, we maintain several ISO certifications (ISO 27001, 27701, 27017, 27018, and 27036), NIST SP 800-171 compliance, and SOC 1 and SOC 2 Type 2 reports in order to adhere to industry standard practices. We have invested in our data security team, information security program, and security environment in order to identify, prevent, and mitigate cybersecurity threats and to promptly identify and respond to cybersecurity incidents when they occur. Maintaining, monitoring, and updating our information security program so that it remains reasonable and appropriate given changes in the security threat landscape, available technology, security vulnerabilities, and the legal and contractual requirements applicable to us is a continuous effort.
Risk Management and Strategy
We believe that effective cybersecurity depends upon the successful implementation and maintenance of a comprehensive information security program. Deploying suitable security technology, which encompasses analytics and automation, and leveraging the expertise of highly skilled security and risk professionals, is crucial in our strategy. Additionally, we prioritize data governance and data-centric security as integral components of our approach to ensure compliance, uphold privacy standards, and safeguard customer data.
We continue to work to enhance our capabilities in cloud security and assurance testing, security operations and automation, product security, and enterprise risk management. To combat the evolving cybersecurity risk landscape and the enhanced level of sophistication of cybersecurity threats, management has prioritized five areas of our information security program: global standards and operations, a risk-aware workforce, product security, detection and response, and data governance management. In addition, we maintain cybersecurity insurance; however, the costs related to cybersecurity threats or disruptions may not be fully insured.
We contract with several outside cybersecurity experts to audit and test security controls on a regular basis. Any risks or control gaps identified as a result of such assessments, audits, and reviews are reported to the most senior leadership of all functional areas of the Company, the Audit Committee of the Board (the "Audit Committee"), and the Board as appropriate, and we adjust our cybersecurity policies, standards, and practices as necessary.
We face a number of risks from cybersecurity threats, which may materially affect our business, financial condition, and results of operations, because our business is dependent on the successful operation of our payroll, transaction, financial, accounting, and other data processing systems. Although such risks have not materially affected us, including our business, financial condition, and results of operations to date, we have, from time to time, experienced threats to and breaches of our data and systems, and our third-party partners’ data and systems, including malware and computer virus attacks. Businesses we acquire maintain separate cybersecurity programs and processes that may differ in scope and complexity from our overall programs and processes as we set about integrating the acquisition target’s systems into ours.
We cannot eliminate all risks from cybersecurity threats or provide assurance that no cybersecurity incident has occurred without being detected.
Please refer to Part I, Item 1A, “Risk Factors” for further discussion of our cybersecurity-related risks.
Governance
Our commitment to cybersecurity begins at the Board and extends to the most senior leadership of all functional areas of the Company. Our Audit Committee oversees our risk management process at the Board level. The Audit Committee’s responsibilities include regular review of policies and practices with respect to risk assessment and risk management, including in the areas of cybersecurity and other information technology risk and privacy.
The Company’s cybersecurity program is supervised by our Chief Information Security Officer ("CISO"). The CISO and his team are responsible for leading enterprise-wide cybersecurity strategy, policy, standards, and processes. The CISO provides quarterly updates on the cybersecurity program, including any notable incidents, at regularly scheduled Audit Committee meetings. These updates include details regarding the magnitude, financial impact, and remediation of cybersecurity incidents. Members of our Board of Directors and senior Company executives participate in annual tabletop exercises that test response plans for ransomware, cloud security, payroll disruption, and other incidents. In addition, in order to deploy a consistent cybersecurity framework and to manage the risk of social engineering, unauthorized software downloads, and phishing, we educate employees globally through ongoing security awareness training.
Our CISO has served in various roles in information technology and information security for over 25 years, with experience in technology risk management, cybersecurity, compliance, network engineering, information systems, and business resiliency. He is a Certified Information Systems Security Professional and is a member of the National Association of Corporate Directors ("NACD"). At the management level, our CISO, who oversees our data security personnel, works closely with our Chief Risk Officer, who oversees our incident response and business continuity management programs, to assess and manage the cybersecurity element of our ERM program. Our Chief Risk Officer has extensive familiarity with our business, having been at Dayforce, Inc. for over 20 years. Our Chief Risk Officer focuses on risk management, business continuity planning, crisis management, audit processes, operations management, and executive and board of directors reporting.
Our CISO and Chief Risk Officer report to our Chief Operating Officer. These officers, along with our Chief Product and Technology Officer and our Chief Information Officer, drive our cybersecurity priorities at the executive level.
We have established a documented cybersecurity incident materiality assessment and disclosure program that is jointly managed by our Incident Response, Cybersecurity, and Corporate Legal teams. This program calls for the immediate assessment of potentially material cybersecurity incidents and their prompt escalation to our cross-functional Disclosure Committee, so that management can make decisions regarding the public disclosure and reporting of such incidents in a timely manner and elevate them to our Audit Committee or Board if needed.