Page last updated on August 2, 2024
Paylocity Holding Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-02 10:00:19 EDT.
Filings
10-K filed on 2024-08-02
Paylocity Holding Corp filed a 10-K at 2024-08-02 10:00:19 EDT
Accession Number: 0001591698-24-000151
Item 1C. Cybersecurity.
Risk Management and Strategy

Our cybersecurity risk management program, which is part of our overall risk management function, comprises processes for assessing, identifying and managing material risks from cybersecurity threats, including the following:

Information Security Policies

We maintain information security policies that are formally reviewed and approved by senior management and are periodically updated for new developments. These policies map to standard industry frameworks such as the National Institute of Standards and Technology (NIST), Committee of Sponsoring Organizations (COSO), and International Organization for Standardization (ISO) 27001 to establish structured governance, policies, standards, and controls.

Information Security Certifications and Audits

We maintain certification for compliance with ISO 27001:2022 as assessed by an independent third-party auditor. We also engage an independent accounting firm to perform assessments of our procedures and controls as part of our annual Systems and Organization Controls (SOC) 1 and SOC 2 audits.

Security Awareness and Training

Through our onboarding process, each new employee is required to complete security training upon employment. Our employees also are required to complete annual security and privacy training to maintain our focus on protecting our information and that of our clients and their employees. This mandatory training educates our employees on safe handling of sensitive information, appropriate responses to a suspected data security breach, and awareness of security responsibilities. We strive to promote a healthy security awareness culture throughout the organization through supplemental education, training courses, videos, internal and external publications, and supporting activities. We also invest in our Information Security professionals with continued information security training and certifications.
Data and Web Security Safeguards

We have implemented the following information security solutions and practices:
- deployment of intrusion prevention systems designed to detect and block malicious traffic,
- web application firewalls designed to protect our application from attacks,
- network firewalls,
- security information and event management,
- user and entity behavior analytics,
- endpoint detection and response designed to protect our workstation and server population,
- data loss prevention software at multiple layers of our IT environment,
- regular penetration testing conducted by both our internal teams and external providers, and
- a multi-layered vulnerability management program designed to identify technical bugs within our product and infrastructure.

We encrypt sensitive client information both during transmission and at rest using industry standard protocols. We also have a mature application security program that promotes security champions within the developer community to instill strong, secure coding practices for reducing vulnerabilities and delivering a secure web application.

Incident Response Plan

We maintain an incident response plan designed to provide a high-level framework that can be implemented in any cyber incident. The plan addresses identification of the incident, notifications to appropriate individuals, organization of response activities by role, and escalation procedures based on the severity of the incident. We also have action plans to support business remediation and recovery efforts in the event of an incident.
Business Resilience

We apply controls from best practices such as, but not limited to, The Business Continuity Institute (BCI), Disaster Recovery Institute International (DRII), and International Organization for Standardization (ISO) 22301 for developing and maintaining threat-agnostic plans with strategies to continue client services and critical business operations in the event of a disruption to critical dependencies. The business resilience planning process includes business impact analyses, risk assessments, and continuity strategies. Our business resilience team conducts regular exercises to validate and continuously improve the plans and strategies, including conducting tabletop exercises with teams from across the organization.

Third-Party Risk Management

We monitor and reassess our third-party relationships on an ongoing basis depending on risk level or in the event of a change of products and services provided to us. We also require third-party vendors, suppliers and service providers to undergo a cybersecurity risk assessment prior to entering into a contract with us. The third-party risk assessments, conducted by our information security and enterprise risk management teams with input from key business stakeholders, involve understanding the products and services we obtain from the third party, what sensitive company and client data it will be able to access and an evaluation of the vendor's security program and documentation. We also require that certain information security-related contract terms be incorporated into agreements with third parties that will have access to sensitive information before entering into such agreements.

Although we have experienced cybersecurity incidents in the past, none of these incidents to date have materially affected our business strategy, results of operations or financial condition.
Despite our efforts, there can be no assurance that our risk management program will be effective in preventing cybersecurity incidents that could adversely affect our business strategy, results of operations or financial condition. For more information regarding risks from cybersecurity threats, please refer to the Risk Factors entitled "If our security measures are breached or unauthorized access to client data or funds is otherwise obtained, our solutions may be perceived as not being secure, clients may reduce the use of or stop using our solutions and we may incur significant liabilities." and "Any failure to protect our intellectual property rights could impair our ability to protect our proprietary technology and our brand." in Part I, Item 1A, Risk Factors.

Governance

Our board of directors has delegated oversight of risk assessment and risk management activities, including oversight over cybersecurity risks, to the audit committee. The audit committee meets at least quarterly with our Vice President and Chief Information Security Officer ("CISO"), who oversees our overall information security risk management program. The CISO's updates to the audit committee include recent developments related to the threat landscape, security controls, results of vulnerability assessments, third-party reviews, technological trends and information security considerations arising with respect to peers and third parties. Our CISO reports to our Chief Financial Officer and leads our cybersecurity risk management efforts and our dedicated information security team. Our CISO has 20 years of information security experience, including over four years as a director in the information security management practice of a big four accounting firm. He holds multiple information security certifications and has a B.S. in Network Security.
Our CISO leads our Information Security Steering Committee (“ISSC”), comprised of key executives and operating personnel from across the company, that oversees ongoing day-to-day management of our risks to information systems. The ISSC tracks risks and security initiatives, reviews the results of annual cybersecurity risk assessments, reviews the results of internal and third-party information security audits and assessments, identifies significant risks that threaten the achievement of security commitments and identifies controls to mitigate such risks. The CISO, along with other members of the ISSC and information security teams, remains apprised of developing cybersecurity trends through communications with the intelligence and law enforcement communities, vendors and industry engagement so that our cybersecurity risk management and governance controls and processes address new and evolving cybersecurity threats.
Company Information
Name | Paylocity Holding Corp |
CIK | 0001591698 |
SIC Description | Services-Prepackaged Software |
Ticker | PCTY - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | June 29 |