Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Risk Management and Strategy

We have implemented a comprehensive cyber risk management program that adheres to industry standards, specifically the National Institute of Standards and Technology’s cybersecurity framework and risk management standards. This program is maintained by a dedicated security operations team at the Company (the “Security Operations Team”). This process includes annually assessing and categorizing existing and emerging threats to Asure’s business operations and its information systems. Identified risks are assessed for severity and probability of impact and then risk treatments are identified and implemented. Additionally, Asure has implemented a vendor risk management program to continually assess and monitor risks posed by vendors and partners of the Company.

We maintain a comprehensive listing of controls that includes those risk treatments which are continuously monitored and assessed by the Security Operations team. These controls are derived from the risk assessment process and include physical, logical and environmental security, vulnerability management, secure development and change management, fraud detection, and privacy. We also maintain a security awareness program (the “Security Awareness Program”), which is designed, implemented and maintained by our VP of Information Security. Our Security Awareness Program includes training that reinforces our information technology risk and security management policies, standards and practices, as well as the expectation that employees comply with these policies. The Security Awareness Program engages personnel through training on how to identify potential cybersecurity risks and protect our resources and information, as well as how to respond to unauthorized access to or use of Company information. The Security Awareness Program training is mandatory for all employees at least annually, and it is supplemented by Company-wide assessment initiatives, including periodic testing. Additionally, we provide specialized security training for certain employee roles, such as application developers.

We conduct periodic tests to assess our processes and procedures and the threat landscape, which are designed with the goal of implementing and maintaining a robust cybersecurity program. Where appropriate, we take additional and ongoing steps intended to strengthen our cybersecurity capabilities and mitigate the risk of a breach or incident. Our security program and IT-related controls are regularly examined by internal auditors, external auditors and various regulators who regularly assess the design and effectiveness of our control framework. As part of those assessments, Asure maintains both SOC1 Type 2 and SOC2 Type 2 certifications specifically evaluating the security, confidentiality, and availability of its systems and information. Additionally, state examiners audit our IT-related controls as part of our Money Transmitter Licensing requirements.

Although we have designed our cybersecurity program and governance procedures noted above to mitigate cybersecurity risks, we continue to face unknown cybersecurity risks, threats and attacks. We have had no material cybersecurity incidents, and these risks, threats and attacks have not had a material impact on our operations, business strategy or financial results; however, they may have a material impact in the future.

Please refer to the “Risk Factors” in Part I, Item 1A of this Form 10-K for more information on risks posed by cybersecurity threats to the Company.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
We have implemented a comprehensive cyber risk management program that adheres to industry standards, specifically the National Institute of Standards and Technology’s cybersecurity framework and risk management standards. This program is maintained by a dedicated security operations team at the Company (the “Security Operations Team”). This process includes annually assessing and categorizing existing and emerging threats to Asure’s business operations and its information systems. Identified risks are assessed for severity and probability of impact and then risk treatments are identified and implemented. Additionally, Asure has implemented a vendor risk management program to continually assess and monitor risks posed by vendors and partners of the Company.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] In addition, cybersecurity risks, emerging and existing threats and Asure’s current security posture are presented to the board of directors quarterly, as the board of directors is generally responsible for our risk management.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Security Operations team, led by the VP of Information Security, is responsible for identifying, assessing, mitigating, and reporting on material cybersecurity risks to the executive management team.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] In addition, cybersecurity risks, emerging and existing threats and Asure’s current security posture are presented to the board of directors quarterly, as the board of directors is generally responsible for our risk management.
Cybersecurity Risk Role of Management [Text Block] Our Executive Management receives regular monthly reports from the VP of Information Security.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our Security Operations team, led by the VP of Information Security, is responsible for identifying, assessing, mitigating, and reporting on material cybersecurity risks to the executive management team.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our VP of Information Security holds a high-level certification relating to information security, Certified Information Systems Security Professional (CISSP) from the International Information Security System Security Certification Consortium, and has 18 years of information security, risk management, application security, security operations, and incident management experience.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Our Security Operations team, led by the VP of Information Security, is responsible for identifying, assessing, mitigating, and reporting on material cybersecurity risks to the executive management team.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true