Paycom Software, Inc. - (PAYC)

10-K Filing Date: February 15, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

Overview

We recognize that our clients entrust us with highly sensitive data. We also recognize our attendant responsibility to safeguard the accessibility, confidentiality, and integrity of this data. Our information security program consists of policies, procedures, systems, controls and technology designed to help us prevent, identify, detect and mitigate cybersecurity risks. Our processes are informed by cybersecurity events we have observed within the Company, across our industry, and across the cybersecurity landscape. We utilize the risk management framework for risk assessments as defined by the ISO 27001 Information Security Management Standard. We have integrated cybersecurity risk management into our overall risk management framework by conducting annual enterprise risk management assessments and IT risk management assessments, implementing periodic key risk indicator tracking, and holding periodic meetings among multiple department stakeholders to address cybersecurity risks. We review our information security policies at least annually and in connection with certain process changes to ensure that they meet the needs of the organization and the goals and objectives of the information security program.

Prevention, Identification, Detection and Mitigation Activities

We routinely undertake activities to prevent, identify, detect and mitigate risks from cybersecurity threats, including but not limited to the following:

Procedures and guidelines designed to ensure that information security is a key consideration in the requirements for both new information systems and enhancements to existing systems and assets;
IT environment risk assessments conducted at regular intervals and in connection with certain events, such as implementation of a new system, service or vendor;
Tabletop and simulation exercises to discuss roles and responsibilities of team members in the event of a cybersecurity incident and to test and modify the plan as needed;
Ongoing security penetration testing and threat modeling of our network and web application;
Automated tools and manual review processes to ensure ongoing compliance with technical standards and identify configuration issues and technical vulnerabilities;
Encryption of all communications with our servers, which are configured to utilize only high-grade encryption algorithms; and
Ongoing employee training related to information security and data privacy policies and standards, including periodic phishing, vishing, and social engineering exercises.

We also have implemented and continue to maintain policies, procedures, systems, controls and technology to oversee and identify the cybersecurity risks associated with our use of third-party service providers. For example, we conduct thorough cybersecurity risk assessments of all third-party service providers prior to engagement and ongoing monitoring to ensure compliance with our robust cybersecurity requirements. The monitoring includes periodic audits of third-party systems and vendors. We engage third-party consultants and auditors in connection with assessing, identifying and managing material risks from cybersecurity threats. Our collaboration with these third parties includes independent audits, threat assessments, and consultation on security enhancements.

Infrastructure; Network and Physical Security

Our IT infrastructure is secured and monitored using a number of leading practices and tools across physical and logical security. This security is also continually monitored by our information security department. We strictly regulate and limit all access to servers and networks at each of our facilities. Local network access is restricted by domain authentication, using stringent access control lists. Remote network access is restricted by a defense-in-depth approach that includes redundant firewalls, preventing unauthorized access from external networks to systems within our local network. We also employ (i) network and endpoint intrusion detection, intrusion prevention, and data loss prevention sensors throughout our infrastructure, (ii) systems that monitor our infrastructure and alert our continuously staffed security operations center of potential cybersecurity issues, and (iii) a seasoned process for managing and installing patches for third-party applications.

Incident Response

We maintain plans to address any cybersecurity incidents, including but not limited to Crisis Management Policies and Procedures, an Incident Response Plan, an Information Security Incident Management Policy and a Business Resiliency/Continuity Management Policy. Information security continuity is embedded in our business continuity management system to minimize the risk that continuity operations could result in a compromise to our security standards. We conduct business continuity, crisis communications and disaster recovery exercises at least annually to test and modify the plan, as needed. The activities related to the business continuity management system are routinely reported to executive management as part of our IT security team’s ongoing metrics reporting. In addition, reports related to activities and outcomes are provided to the audit committee on a quarterly basis.

Certifications and Audits

We maintain the following ISO certifications related to our information systems:

ISO 22301:2019 (standard for implementing and managing an effective business continuity management system);
ISO/IEC 27001:2013 (security standard for information security management systems, covering our production, quality assurance and implementation environments);
ISO/IEC 27701:2019 (standard for establishing, implementing, maintaining and continually improving a privacy information management system); and
ISO 9001:2015 (standard for the implementation of quality management processes).

We voluntarily obtain third-party security examinations relating to our internal controls over financial reporting in accordance with SOC 1. Our SOC 1 examination is conducted every six months by one of the four largest independent international auditing firms, and addresses, among other areas, our physical and environmental safeguards for production data centers, data availability and integrity procedures, change management procedures and logical security procedures. We also obtain third-party examinations relating to our internal controls over security and privacy in accordance with SOC 2. Our SOC 2 examination is conducted every year and addresses, among other areas, internal controls around security, availability, processing integrity, confidentiality and privacy. We publish SOC 1 reports semiannually and SOC 2 and SOC 3 reports annually.

Impact of Risks from Cybersecurity Threats

We have experienced cybersecurity incidents in the ordinary course of business and will continue to experience risks from cybersecurity threats that could have a material adverse effect on our business strategy, results of operations, or financial condition. Although prior cybersecurity incidents have not had a material adverse effect on our business strategy, results of operations, or financial condition to date, any actual or perceived breach of our security could damage our reputation, cause existing clients to discontinue the use of our solution, prevent us from attracting new clients, or subject us to third-party lawsuits, regulatory investigations and fines or other actions or liabilities, any of which could materially adversely affect our business strategy, results of operations, or financial condition.

Governance

Both management and the Board of Directors are actively involved in the oversight of risks from cybersecurity threats. Our information security program is designed to ensure that management and the Board of Directors are adequately informed about, and provided with the tools necessary to monitor, (i) material risks from cybersecurity threats and (ii) our efforts related to the prevention, detection, mitigation, and remediation of cybersecurity incidents.

Role of the Board of Directors

The Board of Directors has delegated to the audit committee primary responsibility for overseeing enterprise risk management, including oversight of risks from cybersecurity threats. The audit committee receives quarterly reports and updates from our Chief Information Officer and Executive Vice President of IT and Information Security with respect to cybersecurity risk management. Such reports cover the Company’s information security program, including its current status, capabilities, objectives and plans, as well as the evolving cybersecurity threat landscape.

Role of Management

The Chief Information Officer oversees the activities of our IT and information security teams. Our Chief Information Officer has been with Paycom since 2005 and has more than 30 years of IT and software development experience. The Executive Vice President of IT and Information Security, who reports to our Chief Information Officer, is responsible for ensuring that both new implementations and ongoing operations comply with the policies, procedures, and guidelines of our information security program. Our Executive Vice President of IT and Information Security has been with Paycom for over a decade and has worked in technology development, improvement, infrastructure, and security for over 25 years. The Executive Vice President of IT and Information Security is supported by our Director of IT Security, who has worked in technology development, improvement, infrastructure, and security for over a decade. The Director of IT Security is responsible for the growth and implementation of the information security and data privacy programs and oversees the operations of the information security team. The Director of IT Security also provides oversight for information security and privacy policies and controls, oversees compliance activities, and provides metrics and guidance to executive management regarding the program. The aforementioned leaders and teams have a breadth of experience and manage programs related to governance, risk, and compliance; data privacy and security; vulnerability management; security operations; and application security.

The Chief Information Officer is regularly informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. As discussed above, our information systems are routinely reviewed for compliance with information security policies and standards. Outcomes of reviews and audits are reported to the Director of IT Security, Executive Vice President of IT and Information Security, and the Chief Information Officer. Relevant information about security nonconformities, incidents, and events is reported to the working group described below and to the Board of Directors. As discussed above, the Chief Information Officer and Executive Vice President of IT and Information Security report to the audit committee and the Board of Directors on cybersecurity matters at least quarterly.

In addition, we have established a working group composed of senior leaders from various departments, including operations, finance, IT, information security, audit, and legal. This working group’s responsibilities include (i) ensuring that information security goals and objectives are identified, meet organizational and business requirements, and are integrated into relevant processes, (ii) reviewing the effectiveness of the information security program, (iii) providing clear direction and highly visible management support for security initiatives, (iv) providing resources required for information security projects and initiatives, (v) overseeing programs to maintain information security awareness, including training and team-specific guidance, and (vi) coordinating the information security aspects of supplier relationships.