Protecting Our Data, Buildings, and Employees

Through the Paychex Information Protection Program, we apply best practices in information security, proven technology, and effective policies and procedures, and maintain a comprehensive program to monitor and safeguard information from unauthorized access or destruction. The Paychex Enterprise Security Program is aligned with the National Institute of Standards and Technology (NIST) Version 1.1 Cybersecurity Framework. The NIST Cybersecurity Framework leverages NIST 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.

Our security policy and standards, which have been ratified and enforced by executive management, are built upon the five NIST Framework Functions.

Click here to review our Paychex Security Whitepaper.

In addition to annual security awareness training provided across the enterprise via our Right Way Training, our employees participate in routine phishing simulations designed to test and educate our employees on how to recognize and report phishing emails. In addition we provide ongoing training to our Software Development teams where they are instructed in secure code development and provided up to date intelligence on different attack techniques. Last but not least, we provide security alerts and education to our employees through our internal employee communication networks to keep them up to date on the best security hygiene practices and advisories that may impact them. This includes weekly communications during October as we leverage National Cyber Security Awareness Month to reinforce security concepts and practices.

The Paychex Records Management Program (RMP) provides effective management of the company’s business records. The RMP provides effective life-cycle management of all Paychex records from their generation or receipt to their final disposition. Adherence to the RMP ensures that Paychex:

• Complies with government regulations and legal requirements by using multifactor authentication options for select client-facing services.
• Protects records necessary to Paychex operations.
• Reduces the cost of maintaining and storing records.
• Supports good business practices.

Paychex has adopted a business continuity strategy designed to help ensure the continuation of business-critical functions in the event of a significant business disruption at any of our branches or corporate offices, including technical failures affecting our applications, data centers, networks, and the buildings we occupy. Paychex’ business continuity plan also includes measures designed to deal with severe weather, localized and regional disasters, and workforce-impacting events such as pandemics. The documented and tested recovery strategies are designed to mitigate the impact to our clients from any business disruption.

Sustained events associated with climate change could cause long-term outages leading to financial impact to clients, Paychex revenue, and overall brand reputation as some of our data centers and service locations may be susceptible to increased energy consumption, accessibility to staff, and critical suppliers for our fulfillment centers. Redundant locations that protect against individual events (acute) may also be impacted equally by sustained events and require alternate solutions. Examples include, but are not limited to, rising temperatures, electrical blackouts, and rising sea levels.

In 2019, Paychex launched Active Threat Preparedness Training to help our employees understand what they can do to prepare for and – if necessary – minimize the impact should the unthinkable happen.

We partnered with the Monroe County Sheriff’s Office in Rochester, New York to underwrite a comprehensive training video that includes information, statistics, and a re-enactment of an active shooter situation. It was filmed at Paychex locations in Rochester and features our own employees and local law enforcement, who volunteered to be actors and extras in the powerful re-enactment.

All new employees take this important training, and we deliver it to existing employees with updated collateral materials every two years, with a shorter refresher in the alternate years. The training is also available on the Monroe County Sheriff’s Office website free of charge to other businesses and individuals to help as many people as possible be prepared to take appropriate action to minimize loss of life.

The annual training on Security and Internal Controls is a scenario-based eLearning that puts the learner in the driver’s seat to identify and troubleshoot realistic scenarios that are customized based on sales or non-sales, and manager or individual contributor job roles. The training is completed by all employees including full-time, part-time and contract employees. Throughout the training program, the learner is provided with information on company policies: both within the training content itself, as well as in a downloadable PDF, with links to the site where all policies are located. The learner is recommended to reference the links to obtain the most current policy information. The training also calls out the relevant Paychex values.