PAYC: 10-K Risk Factor Changes

Our business depends on the overall demand for HCM applications and on the economic health of our current and prospective clients. If economic conditions in the United States or in global markets deteriorate, clients may cease their operations, eliminate or reduce unscheduled payroll runs (such as bonuses), reduce headcount, delay or reduce their spending on HCM and other outsourcing services or attempt to renegotiate their contracts with us. In addition, global and regional macroeconomic developments, such as changes in global trade policies and tariffs, increased unemployment, decreased income, uncertainty related to future economic activity, reduced access to credit, increased interest rates, inflation, volatility in capital markets, and decreased liquidity, among other possible factors, could negatively affect our ability to conduct business. Furthermore, the impact of such macroeconomic developments may be exacerbated by geopolitical events and ongoing military conflicts throughout the world. An economic decline could result in reductions in sales of our applications, decreased revenue from unscheduled payroll runs and fees charged on a per-employee basis, longer sales cycles, slower adoption of new technologies and increased price competition, any of which could adversely affect our business, operating results or financial condition. In addition, HCM spending levels may not increase following any recovery. Further, as part of our payroll and payroll tax filing services, we collect and then remit client funds to taxing authorities and accounts designated by our clients. During the interval between receipt and disbursement, we typically invest such funds in money market funds, demand deposit accounts, certificates of deposit, U.S. treasury securities and commercial paper. These investments are subject to general market, interest rate, credit and liquidity risks, and such risks may be exacerbated during periods of unusual financial market volatility. Any loss of or inability to access such funds could have an adverse impact on our cash position and results of operations and could require us to obtain additional sources of liquidity, which may not be available on terms that are acceptable to us, if at all. Furthermore, although increased interest rates may have a negative impact on certain clients, increased interest rates have resulted in increased interest earned on funds held for clients and additional income earned on our corporate funds. Changes in interest rates will impact potential earnings of future investments. A stable or rising interest rate environment would sustain the additional interest earned on funds held for clients and interest earned on our corporate funds, whereas a decreasing interest rate environment would compress the additional interest earnings and potentially adversely affect our operating results. In recent years, there have been several instances when there has been uncertainty regarding the ability of Congress and the President collectively to reach agreement on federal budgetary and spending matters. A period of failure to reach agreement on these matters, particularly if accompanied by an actual or threatened government shutdown, may have an adverse impact on the U.S. economy. Additionally, because certain of our clients rely on government resources to fund their operations, a prolonged government shutdown may affect such clients’ ability to make timely payments to us, which could adversely affect our operations results or financial condition. Item 1B. Unresolved Staff Comments None. 34 34 Item 1C. CybersecurityRisk Management and StrategyOverviewWe recognize that our clients entrust us with highly sensitive data. We also recognize our attendant responsibility to safeguard the accessibility, confidentiality, and integrity of this data. Our information security program consists of policies, procedures, systems, controls and technology designed to help us prevent, identify, detect and mitigate cybersecurity risks. Our processes are informed by cybersecurity events we have observed within the Company, across our industry, and across the cybersecurity landscape. We utilize the risk management framework for risk assessments as defined by the ISO 27001 Information Security Management Standard. We have integrated cybersecurity risk management into our overall risk management framework by conducting annual enterprise risk management assessments and IT risk management assessments, implementing periodic key risk indicator tracking, and holding periodic meetings among multiple department stakeholders to address cybersecurity risks. We review our information security policies at least annually and in connection with certain process changes to ensure that they meet the needs of the organization and the goals and objectives of the information security program.Prevention, Identification, Detection and Mitigation ActivitiesWe routinely undertake activities to prevent, identify, detect and mitigate risks from cybersecurity threats, including but not limited to the following:•Procedures and guidelines designed to ensure that information security is a key consideration in the requirements for both new information systems and enhancements to existing systems and assets;•IT environment risk assessments conducted at regular intervals and in connection with certain events, such as implementation of a new system, service or vendor;•Tabletop and simulation exercises to discuss roles and responsibilities of team members in the event of a cybersecurity incident and to test and modify the plan as needed;•Ongoing security penetration testing and threat modeling of our network and web application;•Automated tools and manual review processes to ensure ongoing compliance with technical standards and identify configuration issues and technical vulnerabilities;•Encryption of all communications with our servers, which are configured to utilize only high-grade encryption algorithms; and•Ongoing employee training related to information security and data privacy policies and standards, including periodic phishing, vishing, and social engineering exercises.We also have implemented and continue to maintain policies, procedures, systems, controls and technology to oversee and identify the cybersecurity risks associated with our use of third-party service providers. For example, we conduct thorough cybersecurity risk assessments of all third-party service providers prior to engagement and ongoing monitoring to ensure compliance with our robust cybersecurity requirements. The monitoring includes periodic audits of third-party systems and vendors. We engage third-party consultants and auditors in connection with assessing, identifying and managing material risks from cybersecurity threats. Our collaboration with these third parties includes independent audits, threat assessments, and consultation on security enhancements.Infrastructure; Network and Physical SecurityOur IT infrastructure is secured and monitored using a number of leading practices and tools across physical and logical security. This security is also continually monitored by our information security department. We strictly regulate and limit all access to servers and networks at each of our facilities. Local network access is restricted by domain authentication, using stringent access control lists. Remote network access is restricted by a defense-in-depth approach that includes redundant firewalls, preventing unauthorized access from external networks to systems within our local network. We also employ (i) network and endpoint intrusion detection, intrusion prevention, and data loss prevention sensors throughout our infrastructure, (ii) systems that monitor our infrastructure and alert our continuously staffed security operations center of potential cybersecurity issues, and (iii) a seasoned process for managing and installing patches for third-party applications.Incident ResponseWe maintain plans to address any cybersecurity incidents, including but not limited to a Crisis Management Plan, an Incident Response Plan, an Information Security Incident Management Policy and a Business Resiliency Policy. Information security continuity is embedded in our business continuity management system to minimize the risk that continuity operations could result in a compromise to our security standards. We conduct business continuity, crisis communications and disaster recovery exercises at least annually to test and modify the plan, as needed. The activities related to the business continuity management system are routinely reported to executive management as part of our IT security team’s ongoing metrics Item 1C. CybersecurityRisk Management and StrategyOverviewWe recognize that our clients entrust us with highly sensitive data. We also recognize our attendant responsibility to safeguard the accessibility, confidentiality, and integrity of this data. Our information security program consists of policies, procedures, systems, controls and technology designed to help us prevent, identify, detect and mitigate cybersecurity risks. Our processes are informed by cybersecurity events we have observed within the Company, across our industry, and across the cybersecurity landscape. We utilize the risk management framework for risk assessments as defined by the ISO 27001 Information Security Management Standard. We have integrated cybersecurity risk management into our overall risk management framework by conducting annual enterprise risk management assessments and IT risk management assessments, implementing periodic key risk indicator tracking, and holding periodic meetings among multiple department stakeholders to address cybersecurity risks. We review our information security policies at least annually and in connection with certain process changes to ensure that they meet the needs of the organization and the goals and objectives of the information security program.Prevention, Identification, Detection and Mitigation ActivitiesWe routinely undertake activities to prevent, identify, detect and mitigate risks from cybersecurity threats, including but not limited to the following:•Procedures and guidelines designed to ensure that information security is a key consideration in the requirements for both new information systems and enhancements to existing systems and assets;•IT environment risk assessments conducted at regular intervals and in connection with certain events, such as implementation of a new system, service or vendor;•Tabletop and simulation exercises to discuss roles and responsibilities of team members in the event of a cybersecurity incident and to test and modify the plan as needed;•Ongoing security penetration testing and threat modeling of our network and web application;•Automated tools and manual review processes to ensure ongoing compliance with technical standards and identify configuration issues and technical vulnerabilities;•Encryption of all communications with our servers, which are configured to utilize only high-grade encryption algorithms; and•Ongoing employee training related to information security and data privacy policies and standards, including periodic phishing, vishing, and social engineering exercises.We also have implemented and continue to maintain policies, procedures, systems, controls and technology to oversee and identify the cybersecurity risks associated with our use of third-party service providers. For example, we conduct thorough cybersecurity risk assessments of all third-party service providers prior to engagement and ongoing monitoring to ensure compliance with our robust cybersecurity requirements. The monitoring includes periodic audits of third-party systems and vendors. We engage third-party consultants and auditors in connection with assessing, identifying and managing material risks from cybersecurity threats. Our collaboration with these third parties includes independent audits, threat assessments, and consultation on security enhancements.Infrastructure; Network and Physical SecurityOur IT infrastructure is secured and monitored using a number of leading practices and tools across physical and logical security. This security is also continually monitored by our information security department. We strictly regulate and limit all access to servers and networks at each of our facilities. Local network access is restricted by domain authentication, using stringent access control lists. Remote network access is restricted by a defense-in-depth approach that includes redundant firewalls, preventing unauthorized access from external networks to systems within our local network. We also employ (i) network and endpoint intrusion detection, intrusion prevention, and data loss prevention sensors throughout our infrastructure, (ii) systems that monitor our infrastructure and alert our continuously staffed security operations center of potential cybersecurity issues, and (iii) a seasoned process for managing and installing patches for third-party applications.Incident ResponseWe maintain plans to address any cybersecurity incidents, including but not limited to a Crisis Management Plan, an Incident Response Plan, an Information Security Incident Management Policy and a Business Resiliency Policy. Information security continuity is embedded in our business continuity management system to minimize the risk that continuity operations could result in a compromise to our security standards. We conduct business continuity, crisis communications and disaster recovery exercises at least annually to test and modify the plan, as needed. The activities related to the business continuity management system are routinely reported to executive management as part of our IT security team’s ongoing metrics Item 1C. Cybersecurity