ASURE SOFTWARE INC - (ASUR)

10-K Filing Date: February 26, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

We have implemented a comprehensive cyber risk management program that adheres to industry standards, specifically the National Institute of Standards and Technology’s cybersecurity framework and risk management standards. This program is maintained by a dedicated security operations team at the Company (the “Security Operations Team”). This process includes annually assessing and categorizing existing and emerging threats to Asure’s business operations and its information systems. Identified risks are assessed for severity and probability of impact and then risk treatments are identified and implemented. Additionally, Asure has implemented a vendor risk management program to continually assess and monitor risks posed by vendors and partners of the Company.

We maintain a comprehensive listing of controls, including those risk treatments, which are continuously monitored and assessed by the Security Operations Team. These controls are derived from the risk assessment process and include physical, logical and environmental security, vulnerability management, secure development and change management, fraud detection, and privacy. We also maintain a security awareness program (the “Security Awareness Program”), which is designed, implemented and maintained by our VP of Information Security. Our Security Awareness Program includes training that reinforces our information technology risk and security management policies, standards and practices, as well as the expectation that employees comply with these policies. The Security Awareness Program engages personnel through training on how to identify potential cybersecurity risks and protect our resources and information, as well as how to respond to unauthorized access to or use of Company information. The Security Awareness Program training is mandatory for all employees at least annually, and it is supplemented by Company-wide assessment initiatives, including periodic testing. Additionally, we provide specialized security training for certain employee roles, such as application developers.

We conduct periodic tests to assess our processes and procedures and the threat landscape, which are designed with the goal of implementing and maintaining a robust cybersecurity program. Where appropriate, we take additional and ongoing steps intended to strengthen our cybersecurity capabilities and mitigate the risk of a breach or incident. Our security program and IT-related controls are regularly examined by internal auditors, external auditors and various regulators, who assess the design and effectiveness of our control framework. As part of those assessments, Asure maintains both SOC1 Type 2 and SOC2 Type 2 certifications specifically evaluating the security, confidentiality, and availability of its systems and information. Additionally, state examiners audit our IT-related controls as part of our Money Transmitter Licensing requirements.


Although we have designed our cybersecurity program and governance procedures noted above to mitigate cybersecurity risks, we continue to face unknown cybersecurity risks, threats and attacks. To date, these risks, threats and attacks have not had a material impact on our operations, business strategy or financial results; however, they may have a material impact in the future.

Please refer to the “Risk Factors” in Part I, Item 1A of this Form 10-K for more information on risks posed by cybersecurity threats to the Company.

Governance

Our Security Operations Team, led by the VP of Information Security, is responsible for identifying, assessing, mitigating, and reporting on material cybersecurity risks to the executive management team. In addition, cybersecurity risks, emerging and existing threats, and Asure’s current security posture are presented to the board of directors quarterly. Our VP of Information Security holds a high-level certification relating to information security, Certified Information Systems Security Professional (CISSP) from the International Information System Security Certification Consortium, and has 17 years of information security, risk management, application security, security operations, and incident management experience. Our Executive Management receives regular monthly reports from the VP of Information Security.

Our Security Operations Team has implemented a continuous monitoring program that provides real-time feedback on security events, which are triaged and remediated. Critical incidents are escalated, and reported to the board of directors, in accordance with Asure’s Incident Response Policy.