UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
FORM
CURRENT REPORT
Pursuant to Section 13 or 15(d)
of the Securities Exchange Act of 1934
Date of Report (Date of Earliest Event Reported):
(Exact name of registrant as specified in its charter)
(State or other jurisdiction of incorporation) |
(Commission File Number) |
(IRS Employer Identification No.) |
(Address of principal executive offices) | (Zip Code) |
Registrant’s telephone number, including area code:
Not Applicable
(Former name or former address, if changed since last report)
Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:
Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425) |
Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12) |
Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b)) |
Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c)) |
Securities registered pursuant to Section 12(b) of the Act:
Title of each class |
Trading Symbol(s) |
Name of each exchange on which registered | ||
Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§ 230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§ 240.12b-2 of this chapter).
Emerging growth company
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐
Item 8.01 | Other Events |
On May 31, 2023, Progress Software Corporation (the “Vendor”), a vendor to a subsidiary of Paycom Software, Inc. (the “Company”), disclosed a previously unknown vulnerability in the Vendor’s MOVEit file transfer software (“MOVEit”) that could enable malicious actors to gain unauthorized access to sensitive files and information. MOVEit is used by thousands of organizations for secure data file transfers and is now the subject of a widely reported cybersecurity event impacting numerous organizations and governmental agencies around the world (the “Vendor Incident”). The Company used MOVEit for a limited set of secure file transfers supporting client services and with certain outside vendors supporting internal operations.
The Company promptly deployed cybersecurity defenses, including patching the software according to the Vendor’s published protocols and launching an internal investigation in partnership with outside independent cybersecurity forensic experts. Currently there is no indication that the Company’s HR and payroll software application was impacted. There has been no interruption to the Company’s systems, services or business operations.
As of the date of filing this Current Report on Form 8-K, the Company confirms that, as a result of the MOVEit vulnerability, an unauthorized third party downloaded copies of files from the MOVEit server, gaining access to data of certain Company clients and their employees, including personally identifiable information of less than 0.4% of all persons on behalf of whom the Company stored client data during the year ended December 31, 2022. Compromised data included personally identifiable information in employee records of approximately 127 former and current clients, or approximately 0.7% of the Company’s client base (based on parent company grouping) as of December 31, 2022. The unauthorized third party also gained access to a limited number of Company files stored on the MOVEit server, including certain employee records containing personally identifiable information. The Company has engaged a third-party computer forensics team to verify the scope of the Vendor Incident and is in the process of contacting affected clients directly.
The Company is continuing to evaluate the impact of the Vendor Incident, including certain remediation expenses and other potential liabilities. The Company does not currently believe the Vendor Incident will have a material adverse effect on its business, operations or financial results.
Forward-Looking Statements
Certain statements in this Current Report on Form 8-K are forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995. Forward-looking statements are any statements that refer to the Company’s estimated or anticipated results, other non-historical facts or future events and include, but are not limited to, statements regarding the actual or potential impact of the MOVEit vulnerability and the Vendor Incident on the Company’s business, operations or financial results. These forward-looking statements speak only as of the date hereof and are subject to business and economic risks. As such, our actual results could differ materially from those set forth in the forward-looking statements as a result of the factors discussed in our filings with the Securities and Exchange Commission, including but not limited to those discussed in our most recent Annual Report on Form 10-K and Quarterly Report on Form 10-Q. We do not undertake any obligation to update or revise the forward-looking statements to reflect events or circumstances that exist after the date on which such statements were made, except to the extent required by law.
SIGNATURES
Pursuant to the requirements of the Securities Exchange Act of 1934, as amended, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.
PAYCOM SOFTWARE, INC. | ||||||
Date: July 20, 2023 | By: | /s/ Craig E. Boelte | ||||
Name: | Craig E. Boelte | |||||
Title: | Chief Financial Officer |