Paymentus Holdings, Inc. 10-K Cybersecurity GRC - 2024-03-04

Page last updated on April 11, 2024

Paymentus Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-04 18:13:23 EST.

Filings

10-K filed on 2024-03-04

Paymentus Holdings, Inc. filed an 10-K at 2024-03-04 18:13:23 EST
Accession Number: 0000950170-24-025084

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Overview We recognize the importance of assessing, identifying and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational disruption; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; customer attrition; and reputational risks. We have implemented several cybersecurity processes, technologies and controls to aid in our efforts to assess, identify and manage such material risks. Risk Management and Strategy Our cybersecurity specific risk assessment process, helps identify our cybersecurity threat risks by comparing our cybersecurity program to industry standards and best practices standards set by the National Institute of Standards and Technology ( NIST ), the International Organization for Standardization ( ISO ) and the Center for Internet Security ( CIS ), as well as by annually engaging experts to attempt to infiltrate/test our information systems (as such term is defined in Item 106(a) of Regulation S-K). We have established a cybersecurity risk management process that includes internal reporting of significant cybersecurity risk to our senior leadership and executive team on a monthly basis. We have established an information security risk committee, chaired by our chief information security officer ( CISO ) and comprised of employees and executive management, to, among other things, coordinate and communicate the direction, current state, security risks (gaps) and governance of our information security program. Our cybersecurity program in particular focuses on the following key areas: Collaboration To identify and assess material risks from cybersecurity threats, our Cybersecurity Governance, Risk and Compliance (“GRC”) team considers cybersecurity threat risks alongside other company risks as part of our overall risk assessment process. Our enterprise risk professionals collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity and potential mitigations. Risk Assessment We employ a range of tools and services including (but not limited to) regular network and endpoint monitoring, vulnerability assessments and penetration testing to inform our professionals risk identification and assessment. Technical Safeguards We regularly assess and deploy internal and third party technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence and incident response experience. Incident Response and Recovery Planning We have established comprehensive incident response and recovery plans and continue to regularly test and evaluate the effectiveness of those plans. Our incident response and recovery plans address and guide our employees, management and board of directors on our response to a cybersecurity incident. Third-Party Risk Management Our cybersecurity risk processes address risks associated with our use of third-party service providers, including those in our supply chain (subservice organizations). Third-party risks are included within our GRC and procurement program, including the selection and oversight of our third-party service providers. Education and Awareness Our policies require each of our employees to contribute to our data security efforts. We regularly remind employees of the importance of handling and protecting customer and employee data, including through annual privacy and security training to enhance employee awareness of how to detect and respond to cybersecurity threats. External Assessments We perform periodic internal and third-party assessments to test our cybersecurity controls and regularly evaluate our policies and procedures for handling and control of sensitive data and systems, in an effort to identify areas for continued focus, improvement and/or compliance (e.g., SOC, SOX, PCI, HIPAA). 53 Cybersecurity Risk Governance and Oversight Board’s Oversight Role Cybersecurity is an important part of our risk management processes and an area of continued focus for our board of directors, audit committee and management. Our board of directors is responsible for the oversight of the overall corporate approach to cybersecurity risks. The board of directors has delegated such enterprise and cybersecurity risk management to its audit committee. At least quarterly, the audit committee and/or board of directors receives an overview from management of our cybersecurity threat risk management and strategy, covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan and any material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. Under its charter, the audit committee is charged with discussing our major financial, information technology and cybersecurity risk exposures and the steps management has taken to monitor and control such exposures as well as the oversight of management s plans to address such risks. A member of our audit committee and board of directors with a strong background in information technology and cybersecurity risk management through service in related senior executive positions of other publicly traded companies meets regularly with our CISO to discuss our cybersecurity risk management processes. Management s Role Our cybersecurity program, which is discussed in greater detail above, is led by our CISO, who has over 20 years of prior work experience in various roles with large public companies involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs. In addition, our CISO manages a team of highly trained and experienced cybersecurity professionals in support of the cybersecurity program. Members of the audit committee and the board are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management programs. Material cybersecurity threat risks are also considered during audit committee and/or board discussions of important matters such as enterprise risk management, operational budgeting, business continuity planning, mergers and acquisitions and other relevant matters. Disclosure Controls and Procedures In addition to the information security risk committee discussed above, we maintain a disclosure committee with certain responsibilities that include among other things, the discussion of cybersecurity matters for materiality, proper internal reporting systems and incident disclosure evaluation. The disclosure committee also has a cybersecurity subcommittee that meets at least quarterly to discuss ongoing internal and external cyber-events, as well as mapping out the response process in the event of a cybersecurity incident that may reasonably be viewed as potentially material, including assessing the incident, materiality and disclosure obligations. Cybersecurity Risks Notwithstanding the discussion above and our efforts to address cybersecurity risks, we cannot guarantee you that we can mitigate or eliminate all cyber-related risks, including those related to operational disruption; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; customer attrition; and reputational risks. We urge you to read our discussion regarding whether and how risks from identified cybersecurity threats could materially affect us as part of our risk factor disclosures at Item 1A - Risk Factors Risks Related to Our Business and Industry and Risks Related to Our Technology and Intellectual Property of this Annual Report on Form 10-K, which disclosures are incorporated by reference herein.

Company Information