Page last updated on March 3, 2025
Dayforce, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 16:03:36 EST.
Filings
10-K filed on 2025-02-28
Dayforce, Inc. filed a 10-K at 2025-02-28 16:03:36 EST
Accession Number: 0000950170-25-029980
Item 1C. Cybersecurity.
As an HCM company, we face a multitude of cybersecurity threats from threat actors seeking to access, compromise access, or leverage the data we possess for malicious ends. Review of our information security program, including our cybersecurity policies, standards, and processes, is integrated into our Enterprise Risk Management (“ERM”) program which is based on the COSO Enterprise Risk Management Framework and International Organization for Standardization (“ISO”) 31000, the two most widely used global standards for ERM. Our information security program aligns with recommended practices in security standards issued by ISO, American Institute of Certified Public Accountants (SSAE18), National Institute of Standards and Technology (“NIST”) and other industry sources. Specifically, we maintain several ISO certifications (ISO 27001, 27701, 27017, 27018, 27036), NIST 800-171 compliance, and SOC 1 and 2 Type 2 reports to comply and adhere to industry standard practices.

We have invested in our data security team, information security program, and security environment in an effort to identify, prevent, and mitigate cybersecurity threats and promptly identify and respond to cybersecurity incidents when they occur. Maintaining, monitoring, and updating our information security program to ensure that it remains reasonable and appropriate with respect to changes in the security threat landscape, available technology, security vulnerabilities, and legal and contractual requirements applicable to us, is a continuous effort.

Risk Management and Strategy

We believe that effective cybersecurity depends upon the successful implementation and maintenance of a comprehensive information security program. Deploying suitable security technology, which encompasses analytics and automation, and leveraging the expertise of highly skilled security and risk professionals, is crucial in our strategy.
Additionally, we prioritize data governance and data-centric security as integral components of our approach in an effort to ensure compliance, uphold privacy standards, and safeguard customer and enterprise data. We continue to enhance our capabilities in cloud security and assurance testing, security operations and automation, product security, and enterprise risk management.

To combat the evolving cybersecurity risk landscape and the enhanced level of sophistication of cybersecurity threats, management has prioritized five areas of our information security program: global standards and operations, a risk-aware workforce, product security, detection and response, and data governance management. In addition, we maintain cybersecurity insurance; however, the costs related to cybersecurity threats or disruptions may not be fully insured.

We contract with several outside cybersecurity experts to audit and test security controls on a regular basis. Any risks or control gaps identified as a result of such assessments, audits, and reviews are reported to the senior leadership of all functional areas of the Company, the Audit Committee of the Board (the “Audit Committee”), and the Board as appropriate, and we adjust our cybersecurity policies, standards, and practices as necessary.

We also have a vendor risk assessment process consisting of the distribution and review of supplier questionnaires designed to help us evaluate cybersecurity risks that we may encounter when working with third parties that have access to confidential and other sensitive company information. We take steps designed to ensure that such vendors have implemented data privacy and security controls that help mitigate the cybersecurity risks associated with these vendors. We routinely assess our high-risk suppliers’ conformance to industry-leading practices, and we evaluate them for additional information, product, and physical security requirements.
We face a number of risks from cybersecurity threats, which may materially affect our business, financial condition, and results of operations, because our business is dependent on the successful operation of our payroll, transaction, financial, accounting, and other data processing systems. We cannot eliminate all risks from cybersecurity threats or provide assurances that we have detected all cybersecurity incidents. Please refer to Part I, Item 1A, “Risk Factors” for further discussion of our cybersecurity-related risks.

Governance

Our commitment to cybersecurity begins at the Board and extends to the senior leadership of all functional areas of the Company. Our Audit Committee oversees our risk management process at the Board level. The Audit Committee’s responsibilities include regular review of policies and practices with respect to risk assessment and risk management, including in the areas of cybersecurity and other information technology risk and privacy.

The Company’s cybersecurity program is supervised by our Chief Information Security Officer (“CISO”). The CISO and his team are responsible for leading enterprise-wide cybersecurity, strategy, policy, standards, and processes. The CISO provides quarterly updates related to the cybersecurity program, including any notable incidents at regularly scheduled Audit Committee meetings. The CISO updates include details regarding the magnitude, financial impact, and remediation of cybersecurity incidents.

Members of our Board and senior Company executives participate in annual tabletop exercises that focus on testing response plans to ransomware, cloud security, payroll disruption, and other incidents. In addition, in order to deploy a consistent cybersecurity framework, and to manage the risk of social engineering, software downloads, and phishing, we educate employees globally through ongoing security awareness training.
Our CISO has over 25 years of experience in technology risk management, cybersecurity, compliance, network engineering, information systems, and business resiliency. He is a Certified Information Systems Security Professional and is a member of the National Association of Corporate Directors (“NACD”). Our CISO works closely with our Vice President, Enterprise Risk, Compliance and Service Management to assess and manage the cybersecurity element of our ERM program. In the area of risk, the Vice President, Enterprise Risk, Compliance and Service Management focuses on risk management, business continuity planning, crisis management, operations management, and executive and Board reporting. Our CISO and Vice President, Enterprise Risk, Compliance and Service Management report to our Chief Digital Officer, who in turn reports to our President and Chief Operating Officer. These officers drive our cybersecurity priorities at the executive level.

We have established a documented cybersecurity incident materiality assessment and disclosure program that is jointly managed by our Incident Response, Cybersecurity, and Corporate Legal teams. This program calls for the immediate assessment of potentially material cybersecurity incidents, and the appropriate escalation to our cross-functional Disclosure Committee in order to facilitate the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner and elevated to our Audit Committee or Board, as appropriate.
Company Information
Name | Dayforce, Inc. |
CIK | 0001725057 |
SIC Description | Services-Prepackaged Software |
Ticker | DAY - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |