Cyber criminals are becoming more sophisticated and effective every day, and they are increasingly targeting software companies, including companies like ours that handle sensitive customer and stakeholder data. All companies utilizing technology are subject to threats of breaches of their cybersecurity programs. To mitigate the threat to our business, we take a comprehensive approach to cybersecurity risk management and make securing the data that customers and other stakeholders entrust to us a top priority. Our Board and our management are actively involved in the oversight of our risk management program, of which cybersecurity represents an important component. As described in more detail below, we have established policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats. We have devoted financial and personnel resources to implement and maintain security measures to meet regulatory requirements and customer expectations, and we intend to continue to make significant investments to maintain the security of our data and cybersecurity infrastructure. While no cybersecurity program can eliminate all risk or guarantee complete effectiveness, our controls are designed in alignment with industry recognized frameworks such as the NIST Cybersecurity Framework and incorporate key principles of ISO 27001.

While our Risk Factors describe in greater detail the material cybersecurity risks we face, we believe that prior cybersecurity threats, including any previous cybersecurity incidents, have not materially impacted our business to date. However, we cannot guarantee that future incidents will not occur or that, if they do, they will not have a material adverse effect on our business, strategy, results of operations, or financial condition.

Risk Management and Strategy

We understand the critical importance of cybersecurity in protecting our operations, customer data, and the integrity of our services. Our commitment to cybersecurity is unwavering, and we adopt a serious, multi-layered approach to minimize the risks and potential impacts of cyber-attacks which has been integrated into our overall risk management process. Our cybersecurity controls are guided by a formal data classification policy and are supported by a maturing Zero Trust–inspired architecture, which includes least privilege access, continuous authentication and micro segmentation.

Our strategies are designed to ensure the resilience and security of our systems, safeguarding against both internal and external vulnerabilities. We employ state-of-the-art technologies and practices to secure our systems. This includes deploying advanced encryption, securing network infrastructure, and implementing robust access controls and authentication mechanisms. Our information technology infrastructure is designed with security at its core, incorporating full encryption of data in transit and at rest, endpoint detection and response, security information and event management correlation, continuous vulnerability scanning and commercial threat intelligence feeds monitored by our 24/7/365 Security Operations Center.

As part of our risk assessment framework, we have a Vendor Risk Management Program to monitor cybersecurity risks posed by third-party vendors and service providers. This program includes:

Partnerships and Collaboration

We believe in the strength of collaboration in combating cyber threats. We actively engage with cybersecurity communities, industry groups, and regulatory bodies to stay ahead of evolving cyber risks. We also participate in threat sharing programs and use horizon scanning activities to evaluate emerging risks that may impact fintech, payments infrastructure, and healthcare related data environments. By sharing knowledge and best practices, we enhance our defenses and contribute to the broader effort of securing the digital ecosystem. We maintain controls and procedures that are designed to ensure prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and the Board in a timely manner.

Risk Assessment

We continuously monitor our information technology environment to detect and respond to threats in real-time. Our dedicated cybersecurity team uses sophisticated tools to track anomalies, potential vulnerabilities, and ongoing attacks. In addition to annual penetration and segmentation testing, we conduct periodic threat hunting exercises to proactively identify malicious activity. Semi-annually, we leverage third-party independent consultants to perform penetration and segmentation testing of our internal and externally facing environments. Results from these assessments inform remediation roadmaps, prioritization of security investments, and updates to our enterprise risk register.

Technical Safeguards

Cybersecurity is an ever-evolving field, and we are committed to continuous improvement of our security practices. We regularly review and update our cybersecurity policies, procedures, and technologies to address new challenges and adapt to the changing threat landscape. Technical safeguards also include multi factor authentication (MFA) across all privileged and non-privileged accounts, automated provisioning and de provisioning, periodic access reviews, and comprehensive logging and monitoring to support audit and regulatory obligations.

Incident Response and Recovery Planning

Cybersecurity is a foundational element of our operations. Our multi-layered approach—encompassing system security, vigilant monitoring, comprehensive training, and collaborative engagement—demonstrates our dedication to protecting our company, our clients, and the financial ecosystem. Our incident response program includes ransomware specific playbooks, cross functional tabletop exercises involving senior leadership, and tight integration with our business continuity (BCP) and disaster recovery (DR) plans. We have established comprehensive incident response and recovery plans and continue to regularly test and evaluate the effectiveness of those plans.

Education and Awareness

Recognizing that human error can often be a weak link in cybersecurity defenses, we are committed to regular and comprehensive training for all employees and executives. We also conduct periodic phishing simulations, evaluate key performance indicators such as employee susceptibility rates, and track cybersecurity awareness metrics as part of our overall risk management dashboard.

Cybersecurity Threats

We are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition.