Page last updated on August 7, 2024
AUTOMATIC DATA PROCESSING INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-07 15:06:59 EDT.
Filings
10-K filed on 2024-08-07
AUTOMATIC DATA PROCESSING INC filed a 10-K at 2024-08-07 15:06:59 EDT
Accession Number: 0000008670-24-000024
Item 1C. Cybersecurity.
Risk management and strategy

At ADP, security is integral to our products, our business processes and infrastructure. We have an enterprise-wide approach to security with the objectives of protecting client data and funds, and preventing security incidents that could adversely affect the confidentiality, integrity, or availability of our information systems and data that resides in those systems, while also improving our system resilience with the aim of minimizing the impact to our business when incidents do occur. In connection with our business, we collect, host, store, transfer, process, disclose, use, secure, retain and dispose of large amounts of personal and business information about our clients, employees of our clients, our vendors and our employees, contractors and temporary staff. We also collect significant amounts of funds from the accounts of our clients and transmit them to their employees, tax authorities and other payees. As the global environment continues to grow increasingly hostile and attacks on information technology systems continue to grow in frequency, complexity and sophistication, we are regularly targeted by unauthorized parties using malicious tactics, code and viruses. Although this is a global problem, it may affect our businesses more than other businesses because malevolent parties may focus on the amount and type of personal and business information that our businesses collect, host, store, transfer, process, disclose, use, secure, retain and dispose of, and the client funds that we collect and transmit. ADP has implemented a cybersecurity program designed to assess, identify, and manage risks from cybersecurity threats.

Our cybersecurity policies, processes, and standards are informed by industry practices and by industry frameworks and standards such as the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and the International Organization for Standardization information security standards, including those standards for which we do not have a certification, but we do exercise judgment in selecting applicable controls from such framework or standards. Our cybersecurity program includes:

- Technical Safeguards. We have implemented a layered approach to defend against cybersecurity threats. We periodically evaluate technical controls through application security assessments, vulnerability management, penetration testing, and security audits.
- Incident Management and Response. A global team monitors our key applications and systems 24/7/365 to detect, investigate and respond to anomalies and incidents. This team addresses reported or detected issues by following a defined incident lifecycle and uses an incident management system to record facts, impact and remedial actions taken. We have established a cybersecurity incident response plan and escalation process, outlining processes for responding to incidents from identification to mitigation and notifying members of senior leadership, the board of directors and external advisors, as appropriate. We test our plans and processes through simulation exercises, scenario planning and tabletop exercises, using findings to improve processes.
- External and Internal Assessments. We periodically engage assessors, consultants, auditors, and other third parties to evaluate our technology, security, and related controls and benchmark against industry practices. We engage in both internal and external assurance and audit activities across the company multiple times a year including an annual third-party review of our overall cybersecurity program.
- Threat Intelligence. We maintain affiliations with cybercrime task forces and other third-party monitoring organizations. In addition, we collaborate with professional security organizations, law enforcement and technology companies to proactively identify malicious activity.
- Business Resiliency Program. We have established a global, integrated business resiliency program designed to manage the impacts of technological, environmental, process and health risks on service delivery. This program uses an integrated framework that lays out our mitigation, preparedness, response and recovery process.
- Third-Party Risk Management. We maintain a third-party risk management process, designed to identify and manage risks associated with our vendors and other third parties, that includes conducting security assessments prior to engagement and periodically during the engagement. We also seek to include security and privacy terms, where appropriate, in our contracts with third-party service providers that require third parties to maintain security controls to protect our data and notify us in the event of a cybersecurity incident.
- Security Awareness and Training Program. Our security training and awareness program is a continuous, dynamic initiative, designed to develop and maintain a security-focused culture and empower our associates to make responsible, secure decisions. As part of this awareness program, we communicate to our associates on a regular basis regarding key security topics and current events, best practices for addressing such cybersecurity threats, and gamification to reinforce effective behaviors. All associates are also required to take an annual, interactive security training program that includes an overview of key security topics, policies and responsibilities.

We have also integrated cybersecurity related risks into our enterprise risk management program, which is designed to identify, prioritize, assess, monitor and mitigate the various risks confronting ADP, including cybersecurity risks. Our enterprise risk management team conducts a range of activities, including an annual enterprise risk management assessment. We have been, and continue to be, the subject of cybersecurity attacks, including unauthorized intrusion, malicious software infiltration, network disruption, and denial of service. Although we believe that we maintain a robust program of information security and controls and none of the cybersecurity incidents that we have identified to date have materially affected us, including our business strategy, results of operations, or financial condition, we cannot provide assurances that a cybersecurity incident will not materially affect us, or our business strategy, results of operations or financial condition in the future. For additional information on cybersecurity related risks, see “Item 1A. Risk Factors” of this Annual Report on Form 10-K.

Governance

A cross-functional, enterprise-wide management program operates to evaluate our global cybersecurity program’s effectiveness and members of the company’s executive committee, through an executive security council, routinely review strategy, policy, program effectiveness, standards enforcement and cyber issue management. Our chief information security officer (“CISO”) leads our global cybersecurity program and oversees the global cybersecurity services team, which is responsible for monitoring, identifying, assessing and managing cybersecurity threats across ADP. Our CISO reports to our chief security officer (“CSO”), who leads our global security organization and is responsible for cybersecurity, fraud prevention, operational risk management, client security management, and workforce protection.

Our CSO has over 20 years of experience in a range of security roles, including serving as a chief security officer at another public company, and participates in various cyber security organizations. The current CISO has served in various roles in cybersecurity and information technology for over 25 years and has attained the professional certification of Certified Information Security Manager. Our board of directors and our audit committee are actively engaged in the oversight of our global cybersecurity program. Our audit committee receives regular, quarterly reports on these matters from our CSO and leadership from our global product and technology organization, including on the status of projects to strengthen the company’s cybersecurity systems and improve cyber readiness, as well as on existing and emerging threat landscapes. Concurrent and in addition to these reports, our chief administrative officer (“CAO”) (who oversees legal, security and compliance matters) provides a legal, regulatory and ethics update at each meeting of the audit committee of our board of directors, which includes matters of cybersecurity, as appropriate. In addition, important actual or emerging cybersecurity events are communicated to the board of directors by our CAO and Chief Legal Officer, even if immaterial to us. Our global cybersecurity program is subject to an annual third-party assessment overseen by our board of directors and this assessment reviews all aspects of our cyber program. Findings are reported to our board and, in response, ADP develops initiatives to improve our maturity across each of the pillars of the NIST Cybersecurity Framework. The status of these initiatives is then reviewed with our audit committee during its quarterly meetings. This governance process encourages an environment of continuous improvement.

In advance of these quarterly meetings, members of our audit committee with cybersecurity expertise informally meet with our CAO, CSO, and other members of leadership, as appropriate, to advise and provide additional guidance and industry insights to the Company.
Company Information
| Field | Value |
| --- | --- |
| Name | AUTOMATIC DATA PROCESSING INC |
| CIK | 0000008670 |
| SIC Description | Services-Computer Processing & Data Preparation |
| Ticker | ADP - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | June 29 |