Cybersecurity Risk Management, Strategy, and Governance Disclosure | 12 Months Ended May 31, 2025 |
---|---|
Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] |
Item 1C. Cybersecurity
Risk Management and Strategy
We are committed to protecting the confidentiality, integrity, and availability of our systems and information. Our security program is intended to assess, identify, and manage risks from cybersecurity threats, and is aligned with the National Institute of Standards and Technology Version 2.0 Cybersecurity Framework (“NIST CSF”). The NIST CSF provides a flexible model for identifying and managing cybersecurity risks. Our security infrastructure uses a layered controls approach, incorporating various capabilities guided by the NIST CSF and other industry standards and best practices. We routinely invest in our security processes and capabilities, including those related to our risk management and assessment programs, vulnerability and intrusion detection, incident response plans, and other advanced detection, prevention, and protection capabilities.
We conduct regular assessments of cybersecurity risks to identify threats to us and potential vulnerabilities that could negatively affect our business operations if exploited. We track cybersecurity risks within our enterprise risk management system, with cybersecurity threats considered to be among the top-priority risks to us. In addition, our Enterprise Security Organization (the “ESO”) conducts technical risk assessments, and, in some instances, we engage third-party experts to assist with or perform technical risk assessments. The results of these risk assessments are reported to management. Our processes require escalation of significant cybersecurity risks to management and to the Audit Committee of Paychex’s Board of Directors (the “Board”).
The ESO is led by our Chief Information Security Officer (“CISO”) and seeks to maintain a consistent, resilient, and secure infrastructure by partnering with resources across the Company. The ESO implements numerous cybersecurity processes and capabilities, which include but are not limited to: assessing risk associated with significant infrastructure or operational changes and the introduction of new technologies; administering our third-party service provider risk management program; managing secure software development and change management; managing access management and logical access controls; identifying security vulnerabilities through automated scanning technologies; performing penetration testing and due diligence assessments; and protecting the confidentiality, integrity, and availability of the Company’s data in transit. The ESO includes the activities of the Paychex Cyber Fusion Center, which provides 24x7x365 cybersecurity monitoring and incident response. We maintain incident response plans that outline the escalation, investigation, reporting, and overall response procedures depending on the type and severity of incidents.
As part of our security program, we require all employees to take information security awareness training upon hire and annually thereafter. We provide additional ongoing training to our employees about security best practices and awareness, including internal phishing simulations.
We maintain a program designed to assess and manage the cybersecurity-related risk associated with third-party service providers that we rely on as part of providing solutions to our clients. This program incorporates a risk-based approach based on service criticality and type of information. Vendor risk assessments are performed and documented within our vendor management system. As part of the vendor risk assessment, we conduct an information security program evaluation of critical third-party providers before engagement and, based on our assessment of the vendor’s risk, contractually require certain third parties we engage to implement security programs commensurate with their risk profile.
As of May 31, 2025, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, and financial condition. We continue to invest in cyber-resilience and cyber-threat response preparedness as we anticipate ongoing risks from cybersecurity threats. Refer to the “Risk Factors” section contained in Item 1A of this Form 10-K for more information on our cybersecurity-related risks.
Governance
Cybersecurity risks are overseen by the Audit Committee of our Board. Annually, the Audit Committee reviews an assessment of our risk management processes with the Board. The Audit Committee is responsible for reviewing significant cybersecurity risk exposures and the steps management has taken to monitor, control, and report such exposures. The Audit Committee receives quarterly updates from our CISO regarding our cybersecurity risk management program. These updates include a status of current capabilities, ongoing initiatives, and the evolving cybersecurity threat landscape.
Our management is responsible for implementing our security program, which is overseen by our Security Governance Council (the “SGC”) that regularly reports to our Chief Executive Officer and Audit Committee. The SGC is chaired by our CISO and is comprised of senior leaders and key personnel throughout the Company to support cross-functional representation. The members of the SGC are comprised of our executives and managers who understand our business operations, including but not limited to individuals from the following departments: Operations, Information Technology, Finance, Internal Audit, Legal, Human Resources and Organizational Development, and Risk Management. The SGC meets on a quarterly basis with the mission to develop, coordinate, and sustain the organization’s enterprise security program; coordinate and respond to security risks and incidents; and develop, implement, and maintain the organization’s enterprise security strategy in alignment with, or in support of, business goals and objectives. The recommendations of the SGC are considered when updating the information security policies, procedures, and standards at Paychex.
Our CISO has over two decades of experience in various roles involving information security: developing and implementing cybersecurity programs to protect the confidentiality, integrity, and availability of information systems and data. Our CISO has earned relevant degrees and holds several information security certifications, including the Certified Chief Information Security Officer certification. Prior to joining Paychex in September 2019, he served as VP and CISO at a publicly traded company in the HCM industry. Before that, he held security leadership positions at several banks, insurance companies, and professional services firms.
Our CISO reports to our Vice President of Platform and Technology Services, who has over two decades of technology leadership experience and has earned a relevant degree. Our VP of Platform and Technology Services leads the teams responsible for the Company’s core technology platforms. Prior to joining Paychex in October 2012, he held senior technology leadership positions at two telecommunications companies. |
Cybersecurity Risk Management Processes Integrated [Flag] | true |
Cybersecurity Risk Management Processes Integrated [Text Block] | We conduct regular assessments of cybersecurity risks to identify threats to us and potential vulnerabilities that could negatively affect our business operations if exploited. We track cybersecurity risks within our enterprise risk management system with cybersecurity threats considered to be among the top-priority risks to us. |
Cybersecurity Risk Management Third Party Engaged [Flag] | true |
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
Cybersecurity Risk Board of Directors Oversight [Text Block] |
Cybersecurity risks are overseen by the Audit Committee of our Board. Annually, the Audit Committee reviews an assessment of our risk management processes with the Board. The Audit Committee is responsible for reviewing significant cybersecurity risk exposures and the steps management has taken to monitor, control, and report such exposures. The Audit Committee receives quarterly updates from our CISO regarding our cybersecurity risk management program. These updates include a status of current capabilities, ongoing initiatives, and the evolving cybersecurity threat landscape. |
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | The Audit Committee is responsible for reviewing significant cybersecurity risk exposures and the steps management has taken to monitor, control, and report such exposures. |
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | The Audit Committee receives quarterly updates from our CISO regarding our cybersecurity risk management program. |
Cybersecurity Risk Role of Management [Text Block] |
Our management is responsible for implementing our security program, which is overseen by our Security Governance Council (the “SGC”) that regularly reports to our Chief Executive Officer and Audit Committee. The SGC is chaired by our CISO and is comprised of senior leaders and key personnel throughout the Company to support cross-functional representation. The members of the SGC are comprised of our executives and managers who understand our business operations, including but not limited to individuals from the following departments: Operations, Information Technology, Finance, Internal Audit, Legal, Human Resources and Organizational Development, and Risk Management. The SGC meets on a quarterly basis with the mission to develop, coordinate, and sustain the organization’s enterprise security program; coordinate and respond to security risks and incidents; and develop, implement, and maintain the organization’s enterprise security strategy in alignment with, or in support of, business goals and objectives. The recommendations of the SGC are considered when updating the information security policies, procedures, and standards at Paychex. |
Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | Our management is responsible for implementing our security program, which is overseen by our Security Governance Council (the “SGC”) that regularly reports to our Chief Executive Officer and Audit Committee. |
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] |
Our CISO has over two decades of experience in various roles involving information security: developing and implementing cybersecurity programs to protect the confidentiality, integrity, and availability of information systems and data. Our CISO has earned relevant degrees and holds several information security certifications, including the Certified Chief Information Security Officer certification. Prior to joining Paychex in September 2019, he served as VP and CISO at a publicly traded company in the HCM industry. Before that, he held security leadership positions at several banks, insurance companies, and professional services firms. |
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | The SGC meets on a quarterly basis with the mission to develop, coordinate, and sustain the organization’s enterprise security program; coordinate and respond to security risks and incidents; and develop, implement, and maintain the organization’s enterprise security strategy in alignment with, or in support of, business goals and objectives. The recommendations of the SGC are considered when updating the information security policies, procedures, and standards at Paychex. |
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |