Page last updated on March 11, 2025
Paymentus Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-10 17:56:50 EDT.
Filings
10-K filed on 2025-03-10
Paymentus Holdings, Inc. filed a 10-K at 2025-03-10 17:56:50 EDT
Accession Number: 0000950170-25-036566
Item 1C. Cybersecurity.
Overview
We recognize the importance of assessing, identifying and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational disruption; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws; other litigation and legal risk; customer attrition; and reputational risks. We have implemented several cybersecurity processes, technologies and controls to aid in our efforts to assess, identify and manage such material risks.
Risk Management and Strategy
Our cybersecurity risk assessment process helps identify our cybersecurity threat risks by assessing our cybersecurity program against industry and best practices standards set by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization (“ISO”) and the Center for Internet Security (“CIS”), as well as by annually engaging experts to attempt to infiltrate/test our information systems (as such term is defined in Item 106(a) of Regulation S-K).
We have established a cybersecurity risk management process that includes internal reporting of significant cybersecurity risk to our senior leadership and executive team on a monthly basis. At the management level, we have established an information security risk committee, chaired by our Chief Information Security Officer (“CISO”) and comprised of employees and executive management, to, among other things, coordinate and communicate the direction, current state, security risks (gaps) and governance of our information security program.
Our cybersecurity program focuses in particular on the following key areas:
Collaboration
To identify and assess material risks from cybersecurity threats, our Cybersecurity Governance, Risk and Compliance (“GRC”) team considers cybersecurity threat risks alongside other company risks as part of our overall risk assessment process. Our enterprise risk professionals collaborate with subject matter experts, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity and potential mitigations.
Risk Assessment
We employ a range of tools and services including (but not limited to) regular network and endpoint monitoring, vulnerability assessments and penetration testing to inform our professionals’ risk identification and assessment.
Technical Safeguards
We regularly assess and deploy internal and third party technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence and incident response experience.
Incident Response and Recovery Planning
We have established incident response and recovery plans and continue to regularly test and evaluate the effectiveness of those plans. Our incident response and recovery plans address and guide our employees, management and board of directors on our response to a cybersecurity incident. We also have relationships with third party experts that can be utilized in the case of an incident.
Third-Party Risk Management
Our cybersecurity risk processes address risks associated with our use of third-party service providers, including subcontractors used by those third-parties. Third-party risks are included within our GRC and procurement program, including the selection and oversight of our third-party service providers.
Education and Awareness
Our policies require each of our employees to contribute to our data security efforts.
We regularly train employees of the importance of handling and protecting customer and employee data, including through annual privacy and security training to enhance employee awareness of how to detect and respond to cybersecurity threats. We also have annual specialized training of our development staff that focuses on secure development best practices.
External Assessments
We perform periodic internal and third-party assessments to test our cybersecurity controls and regularly evaluate our policies and procedures for handling and control of sensitive data and systems in an effort to identify areas for continued focus, improvement and/or compliance under various applicable regulatory frameworks (e.g., SOC, SOX, PCI, HIPAA).
Cybersecurity Risk Governance and Oversight
Board’s Oversight Role
Cybersecurity is an important part of our risk management processes and an area of continued focus for our board of directors, audit committee and management. Our board of directors is responsible for the oversight of the overall corporate approach to cybersecurity risks. The board of directors has delegated such enterprise and cybersecurity risk management to its audit committee. At least quarterly, the audit committee and/or board of directors receives an overview from management of our cybersecurity threat risk management and strategy, covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan and any material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. Members of the audit committee and the board of directors are also encouraged to engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management programs.
Under its charter, the audit committee is charged with discussing our major financial, information technology and cybersecurity risk exposures and the steps management has taken to monitor and control such exposures as well as the oversight of management’s plans to address such risks. One member of our audit committee and board of directors has a strong background in information technology and cybersecurity risk management through service in related senior executive positions of other publicly traded companies and meets regularly with our CISO to discuss our cybersecurity risk management processes.
Management’s Role
Our cybersecurity program, which is discussed in greater detail under the “Risk Management and Strategy” heading above, is led by our CISO, who has over 20 years of prior work experience in various roles with large public companies involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs. In addition, our CISO manages a team of highly trained and experienced cybersecurity professionals in support of the cybersecurity program.
Disclosure Controls and Procedures
In addition to the information security risk committee discussed above, we maintain a disclosure committee with certain responsibilities that include among other things, the discussion of cybersecurity matters for materiality, proper internal reporting systems and incident disclosure evaluation. The disclosure committee also has a cybersecurity subcommittee that meets at least quarterly to discuss ongoing internal and external cyber-events, as well as mapping out the response process in the event of a cybersecurity incident that may reasonably be viewed as potentially material, including assessing the incident, materiality and disclosure obligations.
Cybersecurity Risks
In 2024, we did not identify any cybersecurity threats that resulted in a material adverse effect on our business strategy, results of operations, or financial condition. Notwithstanding the discussion above and our efforts to address cybersecurity risks, we cannot guarantee that we can mitigate or eliminate all cyber-related risks, including those related to operational disruption; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; customer attrition; and reputational risks. We urge you to read our discussion regarding whether and how risks from identified cybersecurity threats could materially affect us as part of our risk factor disclosures at “Item 1A - Risk Factors - Risks Related to Our Business and Industry” and “- Risks Related to Our Technology and Intellectual Property” of this Annual Report on Form 10-K, which disclosures are incorporated by reference herein.
Company Information
Name | Paymentus Holdings, Inc. |
CIK | 0001841156 |
SIC Description | Services-Business Services, NEC |
Ticker | PAY - NYSE |
Website | |
Category | Emerging growth company |
Fiscal Year End | December 30 |