Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.

Risk Factors - PCTY

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

$PCTY Risk Factor changes from 00/08/04/23/2023 to 00/08/02/24/2024

Item 1A. Risk Factors.Our business, growth prospects, financial condition or operating results could be materially adversely affected by any of these risks, as well as other risks not currently known to us or that are currently considered immaterial. The trading price of our common stock could decline due to any of the risks and uncertainties described below, and you may lose all or part of your investment.

In assessing these risks, you should also refer to the other information contained in this Annual Report on Form 10-K, including our consolidated financial statements and related notes. Risks Related to our Business and IndustryOur quarterly operating results have fluctuated in the past and may continue to fluctuate due to a variety of factors, many of which are outside of our control.Our quarterly operating results, including our revenues, operating income, and cash flow, have fluctuated and may continue to fluctuate in the future due to a variety of factors, many of which are outside of our control. Additionally, our number of new clients typically increases more during our third fiscal quarter ending March 31 than during the rest of our fiscal year, primarily because many new clients prefer to start using our human capital management, or HCM, and payroll solutions at the beginning of a calendar year.Our number of new clients typically increases more during our third fiscal quarter ending March 31 than during the rest of our fiscal year, primarily because many new clients prefer to start using our human capital management, or HCM, and payroll solutions at the beginning of a calendar year. Client funds and year-end activities are also traditionally higher during our third fiscal quarter. As a result, our total revenue and expenses have historically grown disproportionately during our third fiscal quarter as compared to other quarters. Accordingly, quarter-to-quarter comparisons of our operations are not necessarily meaningful and such comparisons should not be relied upon as indications of future performance.

14Table of ContentsIn addition to other risk factors listed within this “Risk Factors” section of this Annual Report on Form 10-K, some other important factors that may cause fluctuations in our quarterly operating results include the following:•The number of our clients’ employees;•Client renewal rates;•The extent to which our products achieve or maintain market acceptance;•Changes in client budgets and procurement policies;•The amount and timing of our investment in research and development activities and whether such investments are capitalized or expensed as incurred;•Business disruptions caused by public health issues, natural disasters or other catastrophic events; •Macroeconomic factors, including changes in interest rates and inflationary pressures; and•Unforeseen legal expenses, including litigation and settlement costs.Moreover, a significant portion of our operating expenses are related to compensation and other items which are relatively fixed in the short-term, and we plan expenditures based in part on our expectations regarding future needs and opportunities.In addition, a significant portion of our operating expenses are related to compensation and other items which are relatively fixed in the short-term, and we plan expenditures based in part on our expectations regarding future needs and opportunities. Changes in our business or revenue shortfalls could decrease our gross and operating margins and could negatively impact our operating results from period to period. Accordingly, changes in our business or revenue shortfalls could decrease our gross and operating margins and could negatively impact our operating results from period to period. If we do not continue to innovate and deliver high-quality, technologically advanced products and services, we will not remain competitive and our revenue and operating results could suffer.The market for our solutions is characterized by rapid technological advancements, including but not limited to artificial intelligence (“AI”) and machine learning, changes in client requirements, frequent new product introductions and enhancements and changing industry standards. The life cycles of our products are difficult to estimate. Rapid technological changes and the introduction of new products and enhancements by new or existing competitors, or development of entirely new technologies to replace existing offerings could limit the demand for our existing or future solutions and undermine our current market position. New technologies that involve AI or machine learning or that are created using AI or machine learning may emerge that are able to deliver HCM solutions at lower prices, more efficiently or more conveniently than our solutions, which could adversely impact our ability to compete. Additionally, if new technologies used in our products fail to operate as expected, our business may be negatively impacted.Our success depends in substantial part on our continuing ability to provide products and services that organizations will find superior to our competitors’ offerings and will continue to use. We intend to continue to invest significant resources in research and development to enhance our existing products and services and introduce new high-quality products that clients will want. We intend to continue to invest 14Table of Contentssignificant resources in research and development to enhance our existing products and services and introduce new high-quality products that clients will want. If we are unable to predict user preferences or industry changes, or if we are unable to modify our products and services on a timely basis or to effectively bring new products to market, our revenue and operating results may suffer.Failure to manage our growth effectively could increase our expenses, decrease our revenue, and prevent us from implementing our business strategy and sustaining our revenue growth rates.We have experienced revenue and client base growth and intend to pursue continued growth as part of our business strategy.We have experienced rapid revenue and client base growth and intend to pursue continued growth as part of our business strategy. However, the growth in our number of clients puts significant demands on our business, requires increased capital expenditures and increases our operating expenses. To manage this growth effectively, we must attract, train, and retain a significant number of qualified sales, implementation, client service, software development, information technology and management personnel. We also must maintain and enhance our technology infrastructure and our financial and accounting systems and controls. We must also expand and develop our network of third-party service providers, including 401(k) advisors, benefits administrators, insurance brokers, third-party administrators and HR consultants, which represent a significant source of referrals of potential clients for our products and implementation services. Failure to effectively manage our growth could adversely impact our business and results of operations. We could also suffer operational mistakes, a loss of business opportunities and employee losses. If our management is unable to effectively 15Table of Contentsmanage our growth, our expenses might increase more than expected, our revenue could decline or might grow more slowly than expected, and we might be unable to implement our business strategy. If our management is unable to effectively manage our growth, our expenses might increase more than expected, our revenue could decline or might grow more slowly than expected, and we might be unable to implement our business strategy. The markets in which we participate are highly competitive, and if we do not compete effectively, our operating results could be adversely affected.The market for HCM and payroll solutions is fragmented, highly competitive and rapidly changing. Our competitors vary for each of our solutions and primarily include payroll and HR service and software providers, such as Automatic Data Processing, Inc., Dayforce, Inc., Paycor, Inc. , Paychex, Inc., Paycom Software, Inc., Paycor, Inc., Ultimate Kronos Group and other local and regional providers.Several of our competitors are larger and have greater name recognition, longer operating histories and significantly greater resources than we do. Many of these competitors are able to devote greater resources to the development, promotion and sale of their products and services. Furthermore, our current or potential competitors may be acquired by third parties with greater available resources and the ability to initiate or withstand substantial price competition, which may include price concessions, delayed payment terms, or other terms and conditions that are more enticing to potential clients. As a result, our competitors may be able to develop products and services better received by our markets or may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies such as AI or machine learning, regulations, or client requirements. As a result, our competitors may be able to develop products and services better received by our markets or may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, regulations, or client requirements. In addition, current and potential competitors have established, and might in the future establish, partner or form other cooperative relationships with vendors of complementary products, technologies or services to enable them to offer new products and services, to compete more effectively or to increase the availability of their products in the marketplace. New competitors or relationships might emerge that have greater market share, a larger client base, more widely adopted proprietary technologies, greater marketing expertise, greater financial resources, and larger sales forces than we have, which could put us at a competitive disadvantage. In light of these factors, current or potential clients might accept competitive offerings in lieu of purchasing our offerings. We expect competition to continue for these reasons, and such competition could negatively impact our sales, profitability or market share.If we fail to manage our technical operations infrastructure, including operation of our data centers, our existing clients may experience service outages and our new clients may experience delays in the deployment of our modules.We have experienced significant growth in the number of users, transactions and data that our operations infrastructure supports. We seek to maintain sufficient excess capacity in our data centers and other operations infrastructure to meet the needs of our clients. We also seek to maintain excess capacity to support new client deployments and the expansion of existing client deployments. In addition, we need to properly manage our technological operations infrastructure in order to support version control, changes in hardware and software parameters and the evolution of our modules. We have in the past and may in the future experience website disruptions, outages and other performance problems. These problems may be caused by a variety of factors, including infrastructure changes, human or software errors, viruses, security attacks, fraud, spikes in client usage and denial of service issues. In some instances, we may not be able to identify the cause or causes of these performance problems within an acceptable period of time. In some instances, we may not be 15Table of Contentsable to identify the cause or causes of these performance problems within an acceptable period of time. If we do not accurately predict our infrastructure requirements, our existing clients may experience service outages that may subject us to financial penalties, financial liabilities and client losses and adversely affect our reputation.In addition, our ability to deliver our cloud-based modules depends on the development and maintenance of Internet infrastructure by third parties. This includes maintenance of a reliable network backbone with the necessary speed, data capacity, bandwidth capacity, and security. We may experience future interruptions and delays in services and availability from time to time. Any interruption may affect the availability, accuracy, or timeliness in our services and could damage our reputation, cause our clients to terminate their use of our software, require us to indemnify our clients against certain losses due to our own errors and prevent us from gaining additional business from current or future clients. In the event of a catastrophic event with respect to one or more of our systems, we may experience an extended period of system unavailability, which could negatively impact our relationship with clients. To operate without interruption, both we and our clients must guard against:•Damage from fire, power loss, natural disasters, pandemics and other force majeure events outside our control;16Table of Contents•Communications failures;•Software and hardware errors, failures and crashes;•Security breaches, computer viruses, hacking, worms, malware, ransomware, denial-of-service attacks and similar disruptive problems; and•Other potential interruptions. To operate without interruption, both we and our clients must guard against:•Damage from fire, power loss, natural disasters, pandemics and other force majeure events outside our control;•Communications failures;•Software and hardware errors, failures and crashes;•Security breaches, computer viruses, hacking, worms, malware, ransomware, denial-of-service attacks and similar disruptive problems; and•Other potential interruptions. We use multiple cloud hosting and third-party data center providers to host our solutions, including data centers in Franklin Park, Illinois and Kenosha, Wisconsin (for backup and disaster recovery). We also may decide to employ additional offsite data centers in the future to accommodate growth. Problems faced by our data center locations (such as a hardware or other supply chain disruption), with the telecommunications network providers with whom we or they contract, or with the systems by which our telecommunications providers allocate capacity among their clients, including us, could adversely affect the availability and processing of our solutions and related services and the experience of our clients. In addition, our data center providers may be unable to keep up with our growing needs for capacity, may implement changes in service levels, may not renew these agreements on commercially reasonable terms, or may be acquired. We may be required to transfer our servers and other infrastructure to new data center facilities, and we may incur costs and experience service interruption in doing so. Interruptions in our services might reduce our revenues, subject us to potential liability or other expenses and adversely affect our reputation.We typically pay client employees and may pay taxing authorities amounts due for a payroll period before a client’s electronic funds transfers are finally settled to our account. If client payments are rejected by banking institutions or otherwise fail to clear into our accounts, we may require additional sources of short-term liquidity and our operating results could be adversely affected.Our payroll processing business involves the movement of significant funds from the account of a client to its employees and to relevant taxing authorities.Our payroll processing business involves the movement of significant funds from the account of a client to employees and relevant taxing authorities. Though we debit a client’s account prior to any disbursement on its behalf, due to Automated Clearing House, or ACH, banking regulations, funds previously credited could be reversed under certain circumstances and timeframes after our payment of amounts due to employees and taxing and other regulatory authorities. There is therefore a risk that the client’s funds will be insufficient to cover the amounts we have already paid on its behalf. There is therefore a risk that the employer’s funds will be insufficient to cover the amounts we have already paid on its behalf. While such shortage and accompanying financial exposure has only occurred in very limited instances in the past, should clients default on their payment obligations in the future, we might be required to advance funds to cover such obligations. Depending on the magnitude of such an event, we may be required to seek additional sources of short-term liquidity, which may not be available on reasonable terms, if at all, and our operating results and our liquidity could be adversely affected and our banking relationships could be harmed. Our business could be negatively impacted by disruptions in the operations of third-party service providers. 16Table of ContentsOur business could be negatively impacted by disruptions in the operations of third-party service providers. We depend on relationships with certain third-party service providers to operate our business. We rely on third-party couriers such as the United Parcel Service, or UPS, to ship printed checks to our clients, and any disruptions in their operations that impact their ability to successfully perform their tasks may negatively impact our business. We also engage international business partners to perform certain services in countries in which we currently do not have operations and as a result may subject us to regulatory, economic and political risks that are different from those in the United States. We also engage international business partners to perform certain services in countries where we currently do not have operations in and as a result may subjects us to regulatory, economic and political risks that are different from those in the United States. We currently have agreements with various major U.S. banks to execute ACH and wire transfers to support our client payroll, benefit and tax services. If one or more of the banks fails to process ACH transfers on a timely basis, or at all, then our relationship with our clients could be harmed and we could be subject to claims by a client with respect to the failed transfers. In addition, these banks have no obligation to renew their agreements with us on commercially reasonable terms, if at all. If a material number of these banks terminate their relationships with us or restrict the dollar amounts of funds that they will process on behalf of our clients, their doing so may impede our ability to process funds and could have an adverse impact on our business. We have contingency plans in place in case of any failures of banks to process transfers that may impact our operations. However, a failure of one of our banking partners or a systemic shutdown of the banking industry could result in the loss of client funds or prevent us from accessing and processing funds on our clients’ behalf, which could have an adverse impact on our business and liquidity. 17Table of ContentsIn addition, we utilize certain third-party software in some of our products. Although we believe that there are alternatives for the functionality provided by the third-party software, any significant interruption in the availability of such third-party software, or defects and errors in the third-party software, could have an adverse impact on our business unless and until we can replace the functionality provided by these products at a similar cost. Although we believe that there are alternatives for the functionality provided by the third party software, any significant interruption in the availability of such third-party software, or defects and errors in the third-party software, could have an adverse impact on our business unless and until we can replace the functionality provided by these products at a similar cost. We depend on our senior management team and other key employees, and the loss of these persons or an inability to attract and retain highly skilled employees, including product development, sales, implementation, client service and other technical persons, could adversely affect our business.Our success depends largely upon the continued services of our key executive officers. We also rely on our leadership team in the areas of product development, sales, implementation, client service, and general and administrative functions. From time to time, there may be changes in our executive management team resulting from the hiring or departure of executives, which could disrupt our business. While we have employment agreements with our executive officers, these employment agreements do not require them to continue to work for us for any specified period and, therefore, they could terminate their employment with us at any time. The loss of one or more of our executive officers or key employees could have an adverse effect on our business.We believe that to grow our business and be successful, we must continue to develop products that are technologically advanced, are highly integrable with third-party services, provide significant mobility capabilities and have pleasing and intuitive user experiences. To do so, we must attract and retain highly qualified personnel, particularly employees with high levels of experience in designing and developing software. We must also identify, recruit and train qualified sales, client service and implementation personnel in the use of our software. The amount of time it takes for our sales representatives, client service and implementation personnel to be fully trained and to become productive varies widely. Hiring for skilled employees across the United States and globally is highly competitive. If we fail to attract new personnel or fail to retain and motivate our current personnel, our business and future growth prospects could be severely harmed. We follow a practice of hiring the best available candidates wherever located, but as we grow our business, the productivity of our product development and direct sales force may be adversely affected. In addition, if we hire employees from competitors or other companies, their former employers may attempt to assert that these employees have breached their legal obligations, resulting in a diversion of our time and resources.Our software might not operate properly, which could damage our reputation, give rise to claims against us, or divert application of our resources from other purposes, any of which could harm our business and operating results.Our HCM and payroll software is complex and may contain or develop undetected defects or errors, particularly when first introduced or as new versions are released. Despite extensive testing, from time to time, we have discovered defects or errors in our products. In addition, because changes in employer and legal requirements and practices relating to benefits, filing of tax returns and other regulatory reports are frequent, we may discover defects and errors in our software and service processes in the normal course of business compared against these requirements and practices. Defects and errors could also cause the information that we collect to be incomplete or contain inaccuracies that our clients, their employees and taxing and other regulatory authorities regard as significant. Defects and 17Table of Contentserrors could also cause the information that we collect to be incomplete or contain inaccuracies that our clients, their employees and taxing and other regulatory authorities regard as significant. Defects and errors and any failure by us to identify and address them could result in delays in product introductions and updates, loss of revenue or market share, liability to clients or others, failure to achieve market acceptance or expansion, diversion of development and other resources, injury to our reputation, and increased service and maintenance costs. The costs incurred in correcting any defects or errors or in responding to resulting claims or liability might be substantial and could adversely affect our operating results. Our clients might assert claims against us in the future alleging that they suffered damages due to a defect, error, or other failure of our product or service processes. Any product liability claim or errors or omissions claim could subject us to significant legal defense costs and adverse publicity regardless of the merits or eventual outcome of such a claim. A product liability claim and errors or omissions claim could subject us to significant legal defense costs and adverse publicity regardless of the merits or eventual outcome of such a claim. Our agreements with our clients typically contain provisions intended to limit our exposure to such claims, but such provisions may not be effective in limiting our exposure. Contractual limitations we use may not be enforceable and may not provide us with adequate protection against product liability claims in certain jurisdictions. A successful claim for product or service liability brought against us could result in substantial cost to us and divert management’s attention from our operations. We also maintain insurance, but our insurance may be inadequate or may not be available in the future on acceptable terms, or at all. In addition, our policy may not cover all claims made against us and defending a suit, regardless of its merit, could be costly and divert management’s attention.18Table of ContentsWe may acquire other companies or technologies, which could divert our management’s attention, result in dilution to our stockholders, disrupt our operations and adversely affect our operating results.We may acquire other companies or technologies, which could divert our management’s attention, result in additional dilution to our stockholders and otherwise disrupt our operations and adversely affect our operating results. We have acquired and may in the future seek to acquire or invest in other businesses or technologies. The pursuit of potential acquisitions or investments may divert the attention of management and cause us to incur various expenses in identifying, investigating and pursuing suitable acquisitions, whether or not they are consummated.We may not be able to integrate the acquired personnel, operations and technologies successfully, or effectively manage the combined business following the acquisition. Factors that may negatively impact our operating results, business and financial position, without limitation include the following:•Inability to integrate or benefit from acquired technologies, operations, or services in a profitable manner;•Unanticipated costs or liabilities associated with the acquisition;•Difficulty converting the clients of the acquired business onto our modules and contract terms, including disparities in the revenues, licensing, support or professional services model of the acquired company;•Diversion of management’s attention from other business concerns;•Adverse effects to our existing business relationships with business partners and clients as a result of the acquisition;•The potential loss of key employees;•Use of resources that are needed in other parts of our business;•Use of substantial portions of our available cash to consummate the acquisition; and•Dilutive issuances of equity securities or the incurrence of debt.In addition, a significant portion of the purchase price of companies we acquire may be allocated to acquired goodwill and other intangible assets, which must be assessed for impairment at least annually. In the future, if our acquisitions do not yield expected returns, we may be required to take charges to our operating results based on this impairment assessment process, which could adversely affect our results of operations.Risks Related to Cybersecurity and Intellectual Property RightsIf our security measures are unable to prevent a breach or unauthorized access to our information systems, our proprietary and other information, our client data or funds, we may be subject to numerous adverse financial and other consequences, including that our solutions may be perceived as not being secure, clients may reduce the use of or stop using our solutions, and that we may incur significant liabilities to our clients and others.The solutions that we provide to clients involve the processing, storage and transmission of our clients’ proprietary and confidential information regarding their employees, consultants, independent contractors, other service providers and other groups or individuals. This information includes, among other things, bank account numbers, tax return information, social security numbers, benefit information, retirement account information, payroll information, system passwords, and in the case of our benefit administration solution, BeneFLEX, health information protected by the Health Insurance Portability and Accountability Act of 1996, as amended, or the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). This information includes bank account numbers, tax return information, social security numbers, benefit information, retirement account information, payroll information, system passwords, and in the case of our benefit administration solution, BeneFLEX, health information protected by the Health Insurance Portability and Accountability Act of 1996, as amended, or the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). In addition, we collect and maintain similar information regarding our own employees, consultants, independent contractors, other service providers and other groups or individuals. Our business also involves the storage and transmission of funds from the accounts of our clients to other persons, including taxing and regulatory authorities and others. Finally, our business involves the storage and transmission of funds from the accounts of our clients to their employees, taxing and regulatory authorities and others. We also rely on the security and availability of our information systems and solutions and those of third parties in the operation of our business. This includes, among other things, human capital solutions, financial solutions, customer relationship management solutions, software development solutions and tools, cybersecurity solutions and tools, and data center processing. 19Table of ContentsWe have experienced cybersecurity attacks and incidents in the past though we do not believe that any of them have been material to our business. Although we maintain security measures and controls that we continually monitor and invest in, there can be no assurance that our measures or controls will be effective in all instances or that we will not experience cybersecurity attacks or incidents in the future. Our systems and solutions and the third-party systems on which we rely are susceptible to such attacks and incidents as unauthorized access, supply-chain attacks, exfiltration or destruction of data, disruptions of service, phishing attempts and other forms of social engineering, malware, ransomware and other forms of cyber extortion, computer viruses or other malicious code and similar events. These threats may come from cybercriminals, cyberterrorists and hacktivists, nation-state and nation-state-supported actors (including advanced persistent threat intrusions) and computer hackers. They also may result from the malicious or accidental acts of insiders. Any unauthorized access to, or security breaches of, our systems or solutions or those of our clients or third-party partners and suppliers could result in numerous adverse consequences, including the unauthorized disclosure of proprietary and confidential information we or they obtain in the ordinary course of business, identity theft and financial theft. Any interruption may affect the availability, accuracy, or timeliness in our services and could damage our reputation, cause our clients to terminate their use of our software, require us to indemnify our clients against certain losses due to our own errors and prevent us from gaining additional business from current or future clients. We also could be subjected to periods in which our systems and solutions or the third-party systems on which we rely are negatively impacted, degraded or unavailable, potentially for extended periods of time. If any of these events were to occur, we could be subject to client loss, reputational harm, litigation, government enforcement actions, indemnity obligations and other liabilities, and our business, revenues, profitability and financial condition could be negatively impacted.Because the tactics and techniques used by threat actors to obtain unauthorized access or sabotage systems change frequently and, in some cases, are not recognized until they are launched or even later, we may be unable to anticipate these techniques or to implement adequate preventative measures in advance, and security breaches may remain undetected for an extended period of time. We also have incorporated and will continue to incorporate AI and machine learning features into our solutions and various processes across our business, which may increase vulnerability to cybersecurity risks. Additionally, AI and machine learning may be used for certain cybersecurity attacks, improving or expanding the existing capabilities of threat actors in manners we cannot predict at this time, resulting in greater risks of security incidents and breaches. Cybersecurity attacks and incidents could have a material adverse effect on our business, operations or financial condition, so as cyber threats continue to evolve, we are focused on ensuring that our operating environments safeguard and protect personal and business information, which requires us to devote significant resources to prevent and mitigate cybersecurity incidents and protect our systems, solutions and data. To add to the complexity of the existing privacy landscape, many areas of existing privacy laws are subject to interpretation, which imposes an added risk that adverse interpretations of these laws by advocacy groups and governments in countries where our clients operate could impose significant obligations on our business or prevent us from offering certain services in jurisdictions where we currently operate. Additionally, while we monitor and reassess our third-party relationships over time, we have no control over those third parties’ cybersecurity programs and controls, infrastructure, physical facilities or personnel. If our security measures, or the security measures of our third-party partners and suppliers, are breached, or if our third-party partners and suppliers experience supply-chain attacks, system errors or outages, our business could be substantially harmed, and we could incur significant liabilities. The costs of investigating, mitigating, and reporting such an incident to affected individuals (if required) can be substantial. The costs of investigating, mitigating, and reporting such a breach to affected individuals (if required) can be substantial. In addition, if a security breach occurs with respect to an industry peer, our clients and potential clients may lose trust in the security of HCM and payroll modules. In addition, if a high-profile security breach occurs with respect to an industry peer, our clients and potential clients may generally lose trust in the security of HCM and payroll modules. Any breach or unauthorized access could negatively affect our ability to attract new clients, cause existing clients to terminate their agreements with us, result in reputational damage and subject us to lawsuits, regulatory fines or other actions or liabilities which could materially and adversely affect our business and operating results. Any such breach or unauthorized access could negatively affect our ability to attract new clients, cause existing clients to terminate their agreements with us, result in reputational damage and subject us to lawsuits, regulatory fines or other actions or liabilities which could materially and adversely affect our business and operating results. Furthermore, the continuing and evolving threat of cyberattacks has resulted in increased regulatory focus and we may be required to invest significant additional resources to comply with evolving cybersecurity regulations. If client payments are rejected by banking institutions or otherwise fail to clear into our accounts, we may require additional sources of short-term liquidity and our operating results could be adversely affected. There can be no assurance that the limitations of liability in our contracts would be enforceable or adequate or would otherwise protect us from liabilities or damages with respect to any particular claim related to a breach or unauthorized access.There can be no assurance that the limitations of liability in our contracts would be enforceable or adequate or would otherwise protect us from any such liabilities or damages with respect to any particular claim related to a breach or unauthorized access. We also cannot be sure that our existing general liability insurance coverage and coverage for errors or omissions will continue to be available on acceptable terms or will be available in sufficient amounts to cover one or more large claims, or that the insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material adverse effect on our business, financial condition and results of operations.Any failure to protect our intellectual property rights could impair our ability to protect our proprietary technology and our brand.Our success is dependent, in part, upon protecting our proprietary technology. Our proprietary technologies are not covered by any patent or patent application. Instead, we rely on a combination of copyrights, trademarks, service marks, trade secret laws, and contractual restrictions to establish and protect our proprietary rights in our products and services. However, the steps we take to protect our intellectual property may be inadequate. We will not be able to protect 20Table of Contentsour intellectual property if we are unable to enforce our rights or if we do not detect unauthorized use of our intellectual property. We will not be able to protect our intellectual property if we are unable to enforce our rights or if we do not detect unauthorized use of our intellectual property. Despite our precautions, it may be possible for unauthorized third parties to copy our products and use information that we regard as proprietary to create products and services that compete with ours. Some license provisions protecting against unauthorized use, copying, transfer and disclosure of our products may be unenforceable under the laws of certain jurisdictions and foreign countries.We enter into confidentiality and invention assignment agreements with our employees and consultants and enter into confidentiality agreements with the parties with whom we have strategic relationships and business alliances. No assurance can be given that these agreements will be effective in controlling access to and distribution of our products and proprietary information. The confidentiality agreements on which we rely to protect certain technologies may be breached and may not be adequate to protect our proprietary technologies. Further, these agreements do not prevent our competitors from independently developing technologies that are substantially equivalent or superior to our solutions. Our intellectual property could be wrongfully acquired as a result of a cyberattack or other wrongful conduct by employees or third parties. In order to protect our intellectual property rights, we may be required to spend significant resources, including cybersecurity resources, to monitor and protect these rights. 19Table of ContentsIn order to protect our intellectual property rights, we may be required to spend significant resources, including cybersecurity resources, to monitor and protect these rights. Litigation may be necessary in the future to enforce our intellectual property rights and to protect our trade secrets. Litigation brought to protect and enforce our intellectual property rights could be costly, time consuming, and distracting to management and could result in the impairment or loss of portions of our intellectual property. Furthermore, our efforts to enforce our intellectual property rights may be met with defenses, counterclaims, and countersuits attacking the validity and enforceability of our intellectual property rights. Our inability to protect our proprietary technology against unauthorized copying or use, as well as any costly litigation or diversion of our management’s attention and resources, could delay further sales or the implementation of our solutions, impair the functionality of our solutions, delay introductions of new solutions, result in our substituting inferior or more costly technologies into our solutions, or damage our reputation. In addition, we may be required to license additional technology from third parties to develop and market new solutions, and we cannot assure you that we could license that technology on commercially reasonable terms, or at all. Although we do not expect that our inability to license this technology in the future would have a material adverse effect on our business or operating results, our inability to license this technology could adversely affect our ability to compete.We may be sued by third parties for alleged infringement of their proprietary rights.There is considerable patent and other intellectual property development activity in our industry. Our success depends, in part, upon our not infringing upon the intellectual property rights of others. Our competitors, as well as a number of other entities and individuals, may own or claim to own intellectual property relating to our industry. From time to time, third parties may claim that we are infringing upon their intellectual property rights, and we may be found to be infringing upon such rights. However, we may be unaware of the intellectual property rights that others may claim cover some or all of our technology or services. Any claims or litigation could cause us to incur significant expenses and, if successfully asserted against us, could require that we pay substantial damages or ongoing royalty payments, prevent us from offering our services, or require that we comply with other unfavorable terms. In connection with any such claim or litigation, we may also be obligated to indemnify our clients or business partners or pay substantial settlement costs, including royalty payments, and to obtain licenses, modify applications, or refund fees, which could be costly. Even if we were to prevail in such a dispute, any litigation regarding our intellectual property could be costly and time-consuming and divert the attention of our management and key personnel from our business operations.The use of open source software in our products and solutions may expose us to additional risks and harm our intellectual property rights.Some of our products and solutions use or incorporate software that is subject to one or more open source licenses. Open source software is typically freely accessible, usable and modifiable. Certain open source software licenses require a user who intends to distribute the open source software as a component of the user’s software to disclose publicly part or all of the source code to the user’s software. In addition, certain open source software licenses require the user of such software to make any derivative works of the open source code available to others on potentially unfavorable terms or at no cost.The terms of many open source licenses to which we are subject have not been interpreted by U.S. or foreign courts. Accordingly, there is a risk that those licenses could be construed in a manner that imposes unanticipated conditions or restrictions on our ability to commercialize our solutions. In that event, we could be required to re-develop our products or solutions, to discontinue sales of our products or solutions, or to release our proprietary software code under the terms of 21Table of Contentsan open source license, any of which could harm our business. In that event, we could be required to seek licenses from third parties in order to continue offering our products or solutions, to re-develop our products or solutions, to discontinue sales of our products or solutions, or to release our proprietary software code under the terms of an open source license, any of which could harm our business. Further, given the nature of open source software, it may be more likely that third parties might assert copyright and other intellectual property infringement claims against us based on our use of these open source software programs.While we monitor the use of all open source software in our products, solutions, processes and technology and try to ensure that no open source software is used in such a way as to require us to disclose the source code to the related product or solution when we do not wish to do so, it is possible that such use may have inadvertently occurred in deploying our proprietary solutions. In addition, if a third-party software provider has incorporated certain types of open source software into software we license from such third party for our products and solutions without our knowledge, we could, under certain circumstances, be required to disclose the source code to our products and solutions. This could harm our intellectual property position and our business, results of operations and financial condition.Risks Related to Legal and Regulatory MattersChanges in regulatory laws or requirements applicable to our software and services could impose increased costs on us, delay or prevent our introduction of new products and services and impair the function or value of our existing products and services.20Table of ContentsRisks Related to Legal and Regulatory MattersChanges in regulatory laws or requirements applicable to our software and services could impose increased costs on us, delay or prevent our introduction of new products and services and impair the function or value of our existing products and services. Our products and services may become subject to increasing and/or changing regulatory requirements, including changes in tax, benefit, wage and hour, employment laws and other international and domestic laws, and as these requirements proliferate, we may be required to change or adapt our products and services to comply. Changing regulatory requirements might reduce or eliminate the need for some of our products and services, block us from developing new products and services or have an adverse effect on the functionality and acceptance of our solution. This might in turn impose additional costs upon us to comply, modify or further develop our products and services. It might also make introduction of new products and services more costly or more time-consuming than we currently anticipate or prevent introduction of such new products and services. For example, the adoption of new money transmitter or money services business statutes in jurisdictions or changes in regulators’ interpretation of existing state and federal money transmitter or money services business statutes or regulations, could subject us to registration or licensing or limit business activities until we are appropriately licensed. These occurrences could also impact how we conduct some aspects of our business or invest client funds, which could adversely impact interest income from investing client funds. Should any state or federal regulators determine that we have operated as an unlicensed money services business or money transmitter, we could be subject to civil and criminal fines, penalties, costs, legal fees, reputational damage or other negative consequences. Any of these regulatory implementations or changes could have an adverse effect on our business, operating results or financial condition.Some of our products incorporate new technologies such as AI and machine learning.Some of our products incorporate new technologies such as artificial intelligence and machine learning. The ability to provide products powered by new and evolving technologies must be approached in a principled manner to navigate the complexities associated with the current or future regulatory requirements as well as social and ethical considerations. Additionally, failure by others in our industry, or actions taken by our clients, employees, or other end users (including misuse of these technologies) could negatively affect the adoption of our solutions and restrict our ability to continue to leverage novel technologies in innovative ways and subject us to reputational harm, regulatory action, or legal liability, which may harm our financial condition and operating results. As we continue to pursue such new technologies, our failure to adequately address legal risks relating to the use of AI and machine learning in our applications could result in litigation regarding, among other things, intellectual property, privacy, employment, civil rights and other claims that could result in liability. The use of AI and machine learning may also result in new or increased governmental or regulatory scrutiny as regulatory and legislative authorities in the United States, the European Union and other jurisdictions have enacted or proposed legislation that imposes or would impose restrictions on the development of generative AI and machine learning. Any actual or alleged noncompliance with applicable laws and regulations, or failure to meet client expectations with respect to the use of AI and machine learning, could result in negative publicity or harm to our reputation and subject us to investigations, claims or other remedies, and expose us to significant fines, penalties and other damages.Failure to comply with data privacy laws and regulations may have a material adverse effect on reputation, financial condition, and/or operations. Failure to comply with privacy laws and regulations may have a material adverse effect on reputation, financial condition, and/or operations. Our processing of personal information for our employees and on behalf of our clients is subject to federal, state and international data privacy laws. These laws, which are not uniform, generally regulate the collection, storage, transfer, 22Table of Contentsand other processing of personal information; require notice to individuals of privacy practices before or at the point of collection; give individuals certain rights with respect to their personal information, including access, deletion and correction; regulate the use or disclosure of personal information for secondary purposes such as marketing; and in some cases, require notification to affected individuals, clients, and/or regulators in the event of a data breach. These laws, which are not uniform, generally regulate the collection, storage, transfer, and other processing of personal information; require notice to individuals of privacy practices before or at the point of collection; give individuals certain rights with respect to their personal information, including access, deletion and correction; regulate the use or disclosure of personal information for secondary purposes such as marketing; and require notification to affected individuals, clients, and/or regulators in the event of a data breach. HIPAA, which applies to our benefit administration solution, BeneFLEX and our self-insured group health plan, the European Union’s General Data Protection Regulation ("GDPR"), and U.S. state privacy laws like the California Consumer Privacy Act (“CCPA”), are among the most comprehensive data privacy laws and apply to multiple areas of our business. Other countries and U.S. states are increasingly adopting similarly comprehensive laws that impose new data privacy and protection requirements and restrictions on covered organizations. states are increasingly adopting similarly comprehensive laws that impose new data privacy protection requirements and restrictions on covered organizations. Notably, these laws can impose significant penalties and fines on organizations for non-compliance, such as up to 4% of worldwide revenue for the preceding year under the GDPR. Notably, these laws can impose significant penalties and fines on organizations for non-compliance, such as 4% of worldwide revenue for the preceding year under the GDPR. The worldwide regulatory focus on data privacy has intensified during the past several years, in part triggered by the GDPR, and has led to the rapid evolution of legal requirements related to the processing of personal information in ways that require our business to adapt, including to support our clients’ compliance. The worldwide regulatory focus on privacy has intensified during the past several years, in part triggered by the GDPR, and has led to the rapid evolution of legal requirements related to the handling of personal information in ways that require our business to adapt to support our clients’ compliance. As this focus continues, the potential risks related to the processing of personal information by our business will only increase. As this focus continues, the potential risks related to handling personal information by our business will only increase. Adding to the complexity of the existing data privacy landscape, many areas of existing data privacy laws are subject to interpretation, which imposes an added risk that adverse interpretations of these laws by advocacy groups and governments in countries where we or our clients operate could impose significant obligations on our business or prevent us from offering certain services in jurisdictions where we currently operate. To add to the complexity of the existing privacy landscape, many areas of existing privacy laws are subject to interpretation, which imposes an added risk that adverse interpretations of these laws by advocacy groups and governments in countries where our clients operate could impose significant obligations on our business or prevent us from offering certain services in jurisdictions where we currently operate. Enforcement actions and investigations by regulatory authorities related to security incidents and data privacy violations continue to increase. 21Table of ContentsEnforcement actions and investigations by regulatory authorities related to security incidents and privacy violations continue to increase. Future enforcement actions or investigations could impact us through increased costs or restrictions on our businesses. A finding of noncompliance could result in significant regulatory penalties, legal liability and burdensome governmental oversight. Additionally, security incidents and concerns about data privacy abuses by other companies are changing consumer and market expectations for enhanced data privacy. Additionally, security events and concerns about privacy abuses by other companies are changing consumer and social expectations for enhanced privacy. As a result, a perception of noncompliance could damage our reputation with our current and potential clients, employees and stockholders.Adverse tax laws or regulations could be enacted, or existing laws could be applied to us or our clients, which could increase the costs of our services and adversely impact our business.The application of federal, state, and local tax laws to services provided electronically often involve complex issues and significant judgment. New or changes to existing income, sales, use or other tax laws, statutes, rules, regulations or ordinances could be enacted at any time, possibly with retroactive effect, and could be applied solely or disproportionately to services provided over the Internet. These enactments could adversely affect our business, results of operations and financial condition due to the inherent cost increase.Moreover, each state has different rules and regulations governing sales and use taxes, and these rules and regulations are subject to varying interpretations that change over time. We review these rules and regulations periodically and, when we believe we are subject to sales and use taxes in a particular state, we may voluntarily engage state tax authorities to determine how to comply with that state’s rules and regulations. We cannot, however, assure you that we will not be subject to sales and use taxes or related penalties for past sales in states where we currently believe no such taxes are required. If one or more taxing authorities determines that taxes should have, but have not, been paid with respect to our services, we might be liable for past taxes and the associated interest and penalty charges, in addition to taxes going forward, which will adversely affect our business, sales activity, results of operations and financial condition. Any future litigation against us could be costly and time-consuming to defend.We have in the past, and may in the future, become subject to legal proceedings and claims that arise in the ordinary course of business. Such claims may be brought by our clients in connection with commercial disputes, employment claims made by our current or former employees, or lawsuits related to breaches of personal information. Litigation might result in substantial costs and may divert management’s attention and resources, which could seriously harm our business, overall financial condition, and operating results. Litigation might result in substantial costs and may divert management’s attention and resources, which might seriously harm our business, overall financial condition, and operating results. Insurance might not cover such claims, might not provide sufficient payments to cover all the costs to resolve one or more such claims and might not continue to be available on terms acceptable to us. A claim brought against us that is uninsured or underinsured could result in unanticipated costs, thereby harming our operating results and leading analysts or potential investors to lower their expectations of our performance, which could reduce the trading price of our stock.23Table of ContentsRisks Related to Financial MattersOur revolving credit agreement contains covenants that may constrain the operation of our business, and our failure to comply with these covenants could have a material adverse effect on our financial condition.Risks Related to Financial MattersCertain of our debt agreements contain covenants that may constrain the operation of our business, and our failure to comply with these covenants could have a material adverse effect on our financial condition. Our revolving credit agreement contains restrictive covenants including restrictions regarding the incurrence of liens and indebtedness, substantial changes in the general nature of our business and our subsidiaries (taken as a whole), certain merger transactions, certain sales of assets and other matters, all subject to certain exceptions. The revolving credit agreement that we amended in August 2022 contains restrictive covenants including restrictions regarding the incurrence of liens and indebtedness, substantial changes in the general nature of our business and our subsidiaries (taken as a whole), certain merger transactions, certain sales of assets and other matters, all subject to certain exceptions. Failure to comply with these covenants could have a negative impact on our business and financial condition.Corporate investments and client funds that we hold are subject to market, interest rate, credit and liquidity risks. The loss of these funds could have an adverse impact on our business.We invest portions of excess cash and cash equivalents and funds held for our clients in liquid, investment-grade marketable securities such as corporate bonds, commercial paper, asset-backed securities, U.S. treasury securities, money market securities, and other cash equivalents. We follow an established investment policy and set of guidelines to monitor and help mitigate our exposure to liquidity and credit risks. Nevertheless, our corporate investments and client fund assets are subject to general market, interest rate, credit, and liquidity risks. These risks may be exacerbated, individually or in unison, during periods of unusual financial market volatility. Any loss of or inability to access our corporate investments or client funds could have adverse impacts on our business, results of operations, financial condition and liquidity.In addition, funds held for clients are deposited in consolidated accounts on behalf of our clients, and as a result, the aggregate amounts in the accounts exceed the applicable federal deposit insurance limits.22Table of ContentsIn addition, funds held for clients are deposited in consolidated accounts on behalf of our clients, and as a result, the aggregate amounts in the accounts exceed the applicable federal deposit insurance limits. We believe that since such funds are deposited in trust on behalf of our clients, the Federal Deposit Insurance Corporation, or the FDIC, would treat those funds as if they had been deposited by each of the clients themselves and insure each client’s funds up to the applicable deposit insurance limits. If the FDIC were to take the position that it is not obligated to provide deposit insurance for our clients’ funds or if the reimbursement of these funds were delayed, our business and our clients could be materially harmed.Our reported financial results may be adversely affected by changes in accounting principles generally accepted in the United States.Generally accepted accounting principles in the United States are subject to interpretation by the Financial Accounting Standards Board, or FASB, the Securities and Exchange Commission, or SEC, and various bodies formed to promulgate and interpret appropriate accounting principles. A change in these principles or interpretations could have a significant effect on our reported financial results, including increased volatility, and could affect the reporting of transactions completed before the announcement of a change. Risks Related to Ownership of Our Common StockInsiders have substantial control over us, which may limit our stockholders’ ability to influence corporate matters and delay or prevent a third party from acquiring control over us.As of July 26, 2024, our directors and executive officers, together with their respective affiliates, beneficially owned, in the aggregate, approximately 21.As of July 28, 2023, our directors, executive officers and holders of more than 5% of our common stock, together with their respective affiliates, beneficially owned, in the aggregate, approximately 22. 8% of our outstanding common stock. These stockholders will be able to exercise influence over all matters requiring stockholder approval, including the election of directors and approval of corporate transactions, such as a merger or other sale of our company or its assets. In addition, these stockholders will be able to exercise influence over all matters requiring stockholder approval, including the election of directors and approval of corporate transactions, such as a merger or other sale of our company or its assets. This concentration of ownership could limit the ability of our other stockholders to influence corporate matters and may have the effect of delaying or preventing a change in control, including a merger, consolidation, or other business combination involving us, or discouraging a potential acquirer from making a tender offer or otherwise attempting to obtain control, even if that change in control would benefit our other stockholders.24Table of ContentsOur stock price may be subject to wide fluctuations.The market price of our common stock has experienced, and may continue to experience, wide fluctuations and increased volatility.

Factors that may impact our performance and market price include those discussed elsewhere in this “Risk Factors” section of this Annual Report on Form 10-K and others such as:•Our operating performance and the operating performance of similar companies;•Announcements by us or our competitors of acquisitions, business plans or commercial relationships;•Any major change in our board of directors or senior management;•Publication of research reports or news stories about us, our competitors, or our industry, or positive or negative recommendations or withdrawal of research coverage by securities analysts;•The public’s reaction to our press releases, our other public announcements and our filings with the SEC;•Repurchases of our common stock under our share repurchase program or the decision to terminate or suspend any repurchases;•Sales of our common stock by our directors, executive officers and affiliates;•Adverse market reaction to any indebtedness we may incur or securities we may issue in the future;•Short sales, hedging and other derivative transactions in our common stock;•Threatened or actual litigation;•Public health issues; and•Other events or factors, including changes in general conditions in the United States and global economies or financial markets (including acts of God, war, incidents of terrorism, inflationary pressures or other destabilizing events and the resulting responses to them). Factors that may impact our performance and market price include those discussed elsewhere in this “Risk Factors” section of this Annual Report on Form 10-K and others such as:•Our operating performance and the operating performance of similar companies;•Announcements by us or our competitors of acquisitions, business plans or commercial relationships;•Any major change in our board of directors or senior management;•Publication of research reports or news stories about us, our competitors, or our industry, or positive or negative recommendations or withdrawal of research coverage by securities analysts;•The public’s reaction to our press releases, our other public announcements and our filings with the SEC;•Sales of our common stock by our directors, executive officers and affiliates;•Adverse market reaction to any indebtedness we may incur or securities we may issue in the future;•Short sales, hedging and other derivative transactions in our common stock;•Threatened or actual litigation;23Table of Contents•Public health issues such as the COVID-19 pandemic; and•Other events or factors, including changes in general conditions in the United States and global economies or financial markets (including acts of God, war, incidents of terrorism, inflationary pressures or other destabilizing events and the resulting responses to them). In addition, the stock market in general and the market for software or technology-related companies in particular, have experienced extreme price and volume fluctuations that have often been unrelated or disproportionate to the operating performance of those companies. Securities class action litigation has often been instituted against companies following periods of volatility in the overall market and in the market price of a company’s securities. This litigation, if instituted against us, could result in substantial costs, divert our management’s attention and resources, and harm our business, operating results, and financial condition. Our share repurchase program may increase the volatility of the market price of our stock and adversely affect our liquidity. Further, we may not realize the anticipated long-term stockholder value of our share repurchase program.In May 2024, we announced that our Board of Directors approved a share repurchase program, authorizing the purchase of up to $500 million of our issued and outstanding common stock. The authorization does not obligate us to repurchase any specific dollar amount or number of shares, there is no expiration date for the authorization, and the repurchase program may be modified, suspended or terminated at any time and for any reason. Any future announcement of a termination or suspension of the program, or our decision not to utilize the full authorized repurchase amount under the program, may reduce investor confidence and/or result in a decrease in the market price of our shares.The existence of the repurchase program could cause our stock price to trade higher than it otherwise would and could potentially reduce the market liquidity for our stock. The repurchase program may not enhance long-term stockholder value because the market price of our common stock may decline below the levels at which we repurchased shares. Additionally, short-term stock price fluctuations could reduce the number or amount of shares we may ultimately repurchase pursuant to the program.25Table of ContentsRepurchasing our common stock will reduce the amount of cash we have available to fund working capital, repayment of debt, capital expenditures, strategic acquisitions or business opportunities, and other general corporate purposes. The actual timing, number and value of shares repurchased will depend on various factors, including the market price of our common stock, trading volume, general market conditions and other corporate and economic considerations. We do not currently intend to pay dividends on our common stock and, consequently, your ability to achieve a return on your investment will depend on appreciation in the price of our common stock.We do not currently intend to pay dividends on our common stock and, consequently, your ability to achieve a return on your investment will depend on appreciation in the price of our common stock. We have not declared or paid dividends on our common stock in the past three fiscal years and do not currently intend to do so for the foreseeable future. We currently intend to invest our future earnings to fund our growth and other corporate initiatives. Therefore, you are not likely to receive any dividends on your common stock for the foreseeable future, and the success of an investment in shares of our common stock will depend upon future appreciation in its value, if any. There is no guarantee that shares of our common stock will appreciate in value or even maintain the price at which our stockholders purchased their shares.Future issuances of shares of our common stock would dilute the ownership of our existing stockholders and could depress the market price of our common stock.Future issuances of shares of our common stock could depress the market price of our common stock. Our third amended and restated certificate of incorporation authorizes the issuance of up to 155,000,000 shares of common stock and 5,000,000 shares of preferred stock with such rights, preferences, privileges and restrictions as determined by the board of directors.Our second amended and restated certificate of incorporation authorizes the issuance of up to 155,000,000 shares of common stock and 5,000,000 shares of preferred stock with such rights, preferences, privileges and restrictions as determined by the board of directors. We may issue all or any portion of the capital stock which has been authorized but not issued subject to applicable rules and regulations, which may not require any action or approval by our stockholders. Also, in the future, we may issue additional securities in connection with investments and acquisitions. The amount of our common stock issued in connection with an investment or acquisition could constitute a material portion of our then outstanding stock. Due to these factors, issuances of a substantial number of shares of our common stock into the public market could occur at any time, which would dilute the ownership proportion of current stockholders and could cause the price of our common stock to decline. Due to these factors, issuances of a substantial number of shares of our common stock into the public market could occur at any time which could dilute the ownership proportion of current stockholders. Anti-takeover provisions in our charter documents and Delaware law could discourage, delay, or prevent a change in control of our company and may affect the trading price of our common stock.We are a Delaware corporation and the anti-takeover provisions of the Delaware General Corporation Law, which apply to us, may discourage, delay or prevent a change in control by prohibiting us from engaging in a business combination with an interested stockholder for a period of three years after the stockholder becomes an interested stockholder, even if a change in control would be beneficial to our existing stockholders. In addition, our third amended and restated certificate of incorporation and third amended and restated bylaws may discourage, delay or prevent a change in our management or control over us that stockholders may consider favorable. In addition, our second amended and restated certificate of incorporation and second amended and restated bylaws may discourage, delay or prevent a change in our management or control over us that stockholders may consider favorable. Our third amended and restated certificate of incorporation and bylaws:•Authorize the issuance of “blank check” convertible preferred stock that could be issued by our board of directors to thwart a takeover attempt;•Provide that vacancies on the board of directors, including newly created directorships, may be filled only by a majority vote of directors then in office rather than by stockholders;•Prevent stockholders from calling special meetings; and•Prohibit stockholder action by written consent, requiring all actions to be taken at a meeting of the stockholders. Our amended and restated certificate of incorporation and bylaws:•Authorize the issuance of “blank check” convertible preferred stock that could be issued by our board of directors to thwart a takeover attempt;•Provide that vacancies on the board of directors, including newly-created directorships, may be filled only by a majority vote of directors then in office rather than by stockholders;•Prevent stockholders from calling special meetings; and•Prohibit stockholder action by written consent, requiring all actions to be taken at a meeting of the stockholders. Our bylaws provide that the state and federal courts located within the state of Delaware are the sole and exclusive forums for certain legal actions involving the company or our directors, officers and employees.24Table of ContentsOur bylaws provide that the state and federal courts located within the state of Delaware are the sole and exclusive forums for certain legal actions involving the company or our directors, officers and employees. Our third amended and restated bylaws designate the state and federal courts located within the state of Delaware as the sole and exclusive forums for claims arising derivatively, pursuant to the Delaware General Corporation Law or governed by the internal affairs doctrine.Our second amended and restated bylaws designate the state and federal courts located within the state of Delaware as the sole and exclusive forums for claims arising derivatively, pursuant to the Delaware General Corporation Law or governed by the internal affairs doctrine. The choice of forum provision is expressly authorized by the Delaware General Corporation Law, which was amended so that companies would not have to litigate internal claims in more than one jurisdiction. If a court were to find the exclusive forum provision contained in our bylaws to be inapplicable or 26Table of Contentsunenforceable, we may incur additional costs associated with resolving such extra-forum claims, which could adversely affect our business and financial condition. If a court were to find the exclusive forum provision contained in our bylaws to be inapplicable or unenforceable, we may incur additional costs associated with resolving such extra-forum claims, which could adversely affect our business and financial condition. This bylaws provision, therefore, may dissuade or discourage claimants from initiating lawsuits or claims against us or our directors and officers in forums other than Delaware.General Risk FactorsAdverse economic and market conditions could affect our business, results of operations and financial condition.Our business depends on the overall demand for HCM and payroll software and services, and on the economic health of our current and prospective clients. As a result, we are subject to risks arising from adverse changes in economic and market conditions such as lower employment levels, increasing interest rates, inflation, volatility in capital markets, and instability of the banking environment, among other factors. During an economic slowdown or downturn, clients may reduce their number of employees and delay or reduce their spending on payroll and other HCM solutions or renegotiate their contracts with us. During a slowdown in the economy, clients may reduce their number of employees and delay or reduce their spending on payroll and other HCM solutions or renegotiate their contracts with us. This could result in reductions in our revenues and sales of our products, longer sales cycles, increased price competition and clients’ purchasing fewer solutions than they have in the past. Any of these events would likely harm our business, results of operations, financial condition and cash flows from operations.If we are unable to maintain effective internal controls over financial reporting, investors may lose confidence in the accuracy and completeness of our financial reports and the market price of our common stock may be negatively affected.As a public company, we are required to maintain internal controls over financial reporting and to report any material weaknesses in such internal controls. Section 404 of the Sarbanes-Oxley Act of 2002, or the Sarbanes-Oxley Act, requires that we evaluate and determine the effectiveness of our internal controls over financial reporting and provide a management report on the internal controls over financial reporting. In addition, the Sarbanes-Oxley Act requires that our management report on the internal controls over financial reporting be attested to by our independent registered public accounting firm. If we have a material weakness in our internal controls over financial reporting, we may not detect errors on a timely basis and our financial statements may be materially misstated. Compliance with these public company requirements has made some activities more time-consuming, costly and complicated. If we identify material weaknesses in our internal controls over financial reporting, if we are unable to assert that our internal controls over financial reporting are effective, or if our independent registered public accounting firm is unable to express an opinion as to the effectiveness of our internal controls over financial reporting, investors may lose confidence in the accuracy and completeness of our financial reports and the market price of our common stock could be negatively affected, and we could become subject to investigations by the stock exchange on which our securities are listed, the SEC or other regulatory authorities, which could require additional financial and management resources.Item 1B. Unresolved Staff Comments.None.Item 1C.Item 1A. Cybersecurity.Risk Management and StrategyOur cybersecurity risk management program, which is part of our overall risk management function, comprises processes for assessing, identifying and managing material risks from cybersecurity threats, including the following:Information Security Policies We maintain information security policies that are formally reviewed and approved by senior management and are periodically updated for new developments. These policies map to standard industry frameworks such as the National Institute of Standards and Technology (NIST), Committee of Sponsoring Organizations (COSO), and International Organization for Standardization (ISO) 27001 to establish structured governance, policies, standards, and controls. Information Security Certifications and Audits We maintain certification for compliance with ISO 27001:2022 as assessed by an independent third-party auditor. We also engage an independent accounting firm to perform assessments of our procedures and controls as part of our annual Systems and Organization Controls (SOC) 1 and SOC 2 audits. 27Table of ContentsSecurity Awareness and Training Through our onboarding process, each new employee is required to complete security training upon employment. Our employees also are required to complete annual security and privacy training to maintain our focus on protecting our information and that of our clients and their employees. This mandatory training educates our employees on safe handling of sensitive information, appropriate responses to a suspected data security breach, and awareness of security responsibilities. We strive to promote a healthy security awareness culture throughout the organization through supplemental education, training courses, videos, internal and external publications, and supporting activities. We also invest in our Information Security professionals with continued information security training and certifications.Data and Web Security Safeguards We have implemented the following information security solutions and practices:•deployment of intrusion prevention systems designed to detect and block malicious traffic,•web application firewalls designed to protect our application from attacks,•network firewalls,•security information and event management, •user and entity behavior analytics, •endpoint detection and response designed to protect our workstation and server population, •data loss prevention software at multiple layers of our IT environment, •regular penetration testing conducted by both our internal teams and external providers, and •a multi-layered vulnerability management program designed to identify technical bugs within our product and infrastructure. We encrypt sensitive client information both during transmission and at rest using industry standard protocols. We also have a mature application security program that promotes security champions within the developer community to instill strong, secure coding practices for reducing vulnerabilities and delivering a secure web application. Incident Response Plan We maintain an incident response plan designed to provide a high-level framework that can be implemented in any cyber incident. The plan addresses identification of the incident, notifications to appropriate individuals, organization of response activities by role, and escalation procedures based on the severity of the incident. We also have action plans to support business remediation and recovery efforts in the event of an incident. Business Resilience We apply controls from best practices such as, but not limited to, The Business Continuity Institute (BCI), Disaster Recovery Institute International (DRII), and International Organization for Standardization (ISO) 22301 for developing and maintaining threat-agnostic plans with strategies to continue client services and critical business operations in the event of a disruption to critical dependencies. The business resilience planning process includes business impact analyses, risk assessments, and continuity strategies. Our business resilience team conducts regular exercises to validate and continuously improve the plans and strategies, including conducting tabletop exercises with teams from across the organization. Third-Party Risk Management We monitor and reassess our third-party relationships on an ongoing basis depending on risk level or in the event of a change of products and services provided to us. We also require third-party vendors, suppliers and service providers to undergo a cybersecurity risk assessment prior to entering into a contract with us. The third-party risk assessments, conducted by our information security and enterprise risk management teams with input from key business stakeholders, involve understanding the products and services we obtain from the third party, what sensitive company and client data it will be able to access and an evaluation of the vendor’s security program and documentation. We also require that certain information security-related contract terms be incorporated into agreements with third parties that will have access to sensitive information before entering into such agreements. Although we have experienced cybersecurity incidents in the past, none of these incidents to date have materially affected our business strategy, results of operations or financial condition. Despite our efforts, there can be no assurance that our risk management program will be effective in preventing cybersecurity incidents that could adversely affect our business strategy, results of operations or financial condition. For more information regarding risks from cybersecurity threats, please refer to the Risk Factors entitled “If our security measures are breached or unauthorized access to client data or funds is otherwise obtained, our solutions may be perceived as not being secure, clients may reduce the use of or stop 28Table of Contentsusing our solutions and we may incur significant liabilities.” and “Any failure to protect our intellectual property rights could impair our ability to protect our proprietary technology and our brand.Any failure to protect our intellectual property rights could impair our ability to protect our proprietary technology and our brand. ” in Part I, Item 1A, Risk Factors.GovernanceOur board of directors has delegated oversight of risk assessment and risk management activities, including oversight over cybersecurity risks, to the audit committee. The audit committee meets at least quarterly with our Vice President and Chief Information Security Officer (“CISO”), who oversees our overall information security risk management program. The CISO’s updates to the audit committee include recent developments related to the threat landscape, security controls, results of vulnerability assessments, third-party reviews, technological trends and information security considerations arising with respect to peers and third parties. Our CISO reports to our Chief Financial Officer and leads our cybersecurity risk management efforts and our dedicated information security team. Our CISO has 20 years of information security experience, including over four years as a director in the information security management practice of a big four accounting firm. He holds multiple information security certifications and has a B.S. in Network Security. Our CISO leads our Information Security Steering Committee (“ISSC”), comprised of key executives and operating personnel from across the company, that oversees ongoing day-to-day management of our risks to information systems. The ISSC tracks risks and security initiatives, reviews the results of annual cybersecurity risk assessments, reviews the results of internal and third-party information security audits and assessments, identifies significant risks that threaten the achievement of security commitments and identifies controls to mitigate such risks. The CISO, along with other members of the ISSC and information security teams, remains apprised of developing cybersecurity trends through communications with the intelligence and law enforcement communities, vendors and industry engagement so that our cybersecurity risk management and governance controls and processes address new and evolving cybersecurity threats. .
Recently Filed
Click on a ticker to see risk factors
<
Ticker * File Date
EVI 17 hours ago
FARM 17 hours ago
RLGT 18 hours ago
IBEX 18 hours ago
EGAN 18 hours ago
ZS 18 hours ago
AIAD 1 day, 2 hours ago
EPM 1 day, 18 hours ago
LSAK 1 day, 18 hours ago
LYTS 1 day, 18 hours ago
IROQ 1 day, 20 hours ago
INNV 2 days, 17 hours ago
GROW 2 days, 17 hours ago
CTLP 2 days, 18 hours ago
MTRX 2 days, 18 hours ago
DREM 2 days, 19 hours ago
TMGI 2 days, 22 hours ago
BFYW 3 days, 4 hours ago