Our business relies on IT Systems and involves the generation, collection, storage, processing, and transmission of Confidential Information, including personal information and proprietary business information, by us and by third-party providers we rely on. We own and manage IT Systems but also rely on third-party managed IT Systems and a broad array of third-party products and services to support our business operations. An increasing number of organizations, including large merchants, businesses, technology companies, and financial institutions, as well as government institutions, have disclosed security incidents, disruptions to, and breaches of their or third-party providers' IT Systems, some of which have involved sophisticated and highly targeted attacks, including on websites, mobile applications, and infrastructure, following a trend of cyberattacks increasing in frequency and magnitude on a global basis.
Our IT Systems, or those of third parties on which we rely, may be disrupted or damaged and our Confidential Information may be compromised, corrupted, lost, or stolen. The tools and techniques (including AI) used to obtain unauthorized, improper, or illegal access to a target's systems, data, or customers' data, disable or degrade services, or sabotage systems are constantly evolving and have become increasingly complex and sophisticated. It is difficult to detect, investigate, and remediate cyber-attacks quickly and attacks often are not recognized or detected until after they have been launched against a target. We expect that unauthorized parties will continue to attempt to gain access to or disrupt our IT systems or facilities through various means, including hacking into IT Systems or facilities or those of our customers or vendors, installing malware (including ransomware) or attempting to fraudulently induce (for example, through spear phishing attacks or social engineering) our employees, customers, vendors, or other users of IT Systems into disclosing access credentials or other sensitive information to access our IT Systems.
Numerous and evolving cybersecurity risks, including from diverse threat actors, such as state-sponsored organizations, opportunistic hackers and hacktivists, as well as through diverse attack vectors, such as advanced cyberattacks, phishing, social engineering schemes, malware (including ransomware), malfeasance by insiders, human or technological error, and as a result of bugs, misconfigurations, or exploited vulnerabilities in software or hardware, could threaten the confidentiality, availability, and integrity of Confidential Information and our IT systems. Efforts by us, our customers, our vendors and other users of our IT Systems to prevent, detect, and respond to data security incidents cannot guarantee protection due to attackers increasingly using tools and techniques that are designed to circumvent controls, to avoid detection, and to remove or obfuscate forensic evidence. There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls, or procedures, will be fully implemented, complied with or effective in protecting our IT Systems and Confidential Information.
Our IT Systems are vulnerable to cyberattacks and security breaches involving our customers' or our employees' Confidential Information, including personal or proprietary information, that is stored on or accessible through those systems. We have experienced, and expect to continue to experience in the future, cyberattacks as well as breaches of our security measures due to human error, malfeasance, system errors or vulnerabilities, or other irregularities. In the past, for example, one of our vendors providing IT infrastructure management software was compromised by cyberattacks. We are also regularly exposed to vulnerabilities in widely deployed third-party software that we use in the ordinary course of business, such as the Log4j vulnerability. Moreover, given the nature of complex software and services like ours, and the scanning tools that we deploy across our networks, infrastructure, and products, we regularly identify and track security vulnerabilities. We are unable to comprehensively apply patches or confirm that measures are in place to mitigate all such vulnerabilities, or that patches will be applied before vulnerabilities are exploited by a threat actor. While these cyberattacks and vulnerabilities have not had a material adverse effect on our operations, they and similar incidents require us to devote time and resources to monitoring and remediation on a regular basis, and there can be no guarantee that future attacks or incidents will not be material.
In the past three years, we have not experienced a material cybersecurity incident, but any actual or perceived cybersecurity incidents or breaches of our security could result in any or all of the following, among other things, any of which could adversely affect our business and results of operations:
- Interruption of our operations;
- Unavailability of our systems or services;
- Improper disclosures of data;
- Improper payments;
- Harm to our reputation and brands;
- Regulatory scrutiny, enforcement actions, legal proceedings and claims (including class action lawsuits), and other legal and financial exposure;
- Remediation, system restoration, incident response, and compliance costs;
- Loss of customer confidence in, or decreased use of, our products and services;
- Diversion of the attention of management from the operation of our business; and
- Contractual penalties or other payments as a result of third-party losses or claims.
In addition, any cyberattacks or data security breaches affecting companies that we acquire and/or that provide us services (including data center and cloud computing providers) could materially impact our business. Further, we may not be able to recover any or all damages suffered as a result of security breaches or other security incidents from such third-party providers.
The coverage under our insurance policies for cybersecurity and related issues may not be adequate to reimburse us for losses caused by cyberattacks or other security incidents or be available on economically reasonable terms or at all.