Our computer systems are subject to cyber-attacks, viruses, malware, hackers and other external hazards, as well as inadvertent errors, equipment and system failures and to unauthorized or illegitimate actions by employees, consultants, agents and other persons with legitimate access to our systems. In addition, over time, the sophistication of these threats continues to increase. Our administrative and technical controls as well as other preventative actions used to reduce the risk of cyber incidents and protect our information may be insufficient to detect or prevent future unauthorized access, other physical and electronic break-ins, cyber-attacks or other security breaches to our computer systems or those of third parties with whom we transact business.
We have increasingly outsourced certain technology and business process functions to third parties and may continue to do so in the future. Outsourcing of certain technology and business process functions to third parties may expose us to increased risk related to data security or service disruptions. If we do not effectively develop, implement and monitor these relationships, third-party providers do not perform as anticipated, technological or other problems are incurred with a transition, or outsourcing relationships relevant to our business process functions are terminated, we may not realize expected productivity improvements or cost efficiencies and may experience operational difficulties, increased costs and a loss of business.
The increased risks identified above could expose us to data loss, disruption of service, monetary and reputational damages, competitive disadvantage and significant increases in compliance costs, and costs to improve the security and resiliency of our computer systems. The compromise of personal, confidential or proprietary information could also subject us to legal liability or regulatory action under evolving cyber-security, data protection and privacy laws and regulations enacted by the U.S. federal and state governments, or by various regulatory organizations. As a result, our ability to conduct business and our results of operations might be materially and adversely affected.
Any failure to protect the confidentiality of customer information could have a material adverse effect on our business and financial condition.
We are subject to privacy regulations and confidentiality obligations, including the Gramm-Leach-Bliley Act and state privacy laws and regulations, that restrict the use and dissemination of, and access to, the information we produce, store or maintain in the course of our business. We also have contractual obligations to protect certain confidential information received through various business relationships. The obligations generally include protecting such information in the same manner and to the same extent as we protect our own confidential information, and, in some instances, may impose indemnity obligations on us relating to unlawful or unauthorized disclosure of any such information.
If we do not properly comply with privacy regulations or fail to protect confidential information, we could experience adverse consequences, including reputational damage, possible litigation, and regulatory sanctions, such as penalties, fines and loss of license. This could have adverse impact on our image or customer relationships and, consequently, result in loss of business partners, lower sales, lapses of existing business or increased expenses. While we may maintain insurance to mitigate or offset these risks, we cannot be certain that any such insurance coverage would be sufficient in amount or scope to fully address any resulting losses or liability.
Failure to maintain effective and efficient information systems could adversely affect our business.
Our various lines of business depend greatly on the use of effective information systems. Maintaining and updating current information systems and the development of new systems to match emerging technology, regulatory standards and customer expectations requires a substantial commitment of resources. We must maintain adequate information systems in order to perform necessary business functions, including processing premium and purchase payments, administering our products, providing customer support and paying claims. We also use systems for investment management, financial reporting and data analysis to support our reserves and other actuarial estimates. Any interruptions may reduce our revenues or increase our expenses, and may adversely impact our reputation, business partnerships and customer relationships. In addition, system interruptions may impair our ability to timely and accurately complete our financial reporting and other regulatory obligations, and may impact the effectiveness of our internal controls over financial reporting.
The occurrence of catastrophic events, pandemics, terrorism or military actions could adversely affect our business operations.
The occurrence of natural or man-made disasters and catastrophes, including pandemics such as the recent outbreak of the coronavirus commonly referred to as “COVID-19”, acts of terrorism, floods, earthquakes, industrial accident, blackout, cyber-attack, malicious software, insider threat, insurrections and military actions, unanticipated problems with our business continuity plans and disaster recovery systems, or a support failure from a third party vendor, could adversely affect our business operations and business results. In addition to impacting our normal business operations, such disasters and catastrophes may impact us indirectly by changing the condition and behavior of our customers, business counterparties and regulators, as well as by causing declines or volatility in the economic and financial markets. We maintain business continuity plans for our operations, but we cannot predict with certainty when normal operations would resume if such an event occurred.
87
