We offer a range of services and products to our clients, including tax return preparation solutions, financial services and products, and small business solutions through our company-owned or franchise offices and online. Due to the nature of these services and products, we use multiple digital technologies to collect, transmit, and store high volumes of client personal information. We also collect, use, and retain other sensitive, nonpublic information, such as employee social security numbers, healthcare information, and payroll information, as well as confidential, nonpublic business information. Certain third parties and vendors have access to personal information to help deliver client benefits, services, and products, or may host certain of our and our clients' sensitive and personal information and data. Information security risks continue to increase due in part to the increased adoption of and reliance upon digital technologies by companies and consumers. Our risk and exposure to these matters remain heightened due to a variety of factors including, among other things, (1) the evolving nature of these threats and related regulation, (2) the increased activity and sophistication of hostile foreign governments, organized crime, cyber criminals, and hackers that may initiate cyberattacks against us or third-party systems on which we rely using technology and other strategies that continue to evolve, including artificial intelligence and social engineering, (3) the prominence of our brand, (4) our and our franchisees' extensive office footprint, (5) our plans to continue to implement strategies for our online and mobile applications and our desktop software, (6) our use of third-party vendors, (7) our use of certain new technologies, such as artificial intelligence and machine learning, and (8) the usage of remote working arrangements by our associates, franchisees, and third-party vendors, which has significantly expanded in recent years.
Cybersecurity risks may result from fraud or malice from external or internal actors (a cyberattack), human error, or accidental technological failure. Cyberattacks are designed to electronically circumvent network security for malicious purposes such as unlawfully obtaining personal information, disrupting our ability to offer services, damaging our brand and reputation, stealing our intellectual property, or advancing social or political agendas. We face a variety of cyberattack threats including computer viruses, malicious codes, worms, phishing attacks, social engineering, denial of service attacks, ransomware, and other sophisticated attacks.
Although we use security and business controls to limit access to and use of personal information and expend significant resources to maintain multiple levels of protection to address or otherwise mitigate the risk of a security breach, such measures cannot provide absolute security. We regularly test our systems to discover and address potential vulnerabilities, and we rely on training and testing of our employees regarding heightened phishing and social engineering threats. We also conduct certain background checks on our employees, as allowed by law. Due to the structure of our business model, we also rely on our franchisees, vendors, and other private and governmental third parties to maintain secure systems and respond to cybersecurity risks. Where appropriate, we impose certain requirements and controls on these third parties, but it is possible that they may not appropriately employ these controls or that such controls (or their own separate requirements and controls) may be insufficient to protect personal information.
Cybersecurity and the continued development and enhancement of our controls, processes, and practices designed to protect our systems, computers, software, data, and networks from attack, damage, or unauthorized access remain a top priority for us. As risks and regulations continue to evolve, we may be required to expend significant additional resources to continue to modify or enhance our protective measures or to investigate and remediate information security vulnerabilities. Notwithstanding these efforts, there can be no assurance that a security breach, intrusion, or loss or theft of personal information will not occur. In addition, the techniques used to obtain unauthorized access change frequently, become more sophisticated, and are often difficult to detect until after a successful attack, causing us to be unable to anticipate these techniques or implement adequate preventive measures in all cases.
Unauthorized access to personal information as a result of a security breach could cause us to determine that it is required or advisable for us to notify affected individuals, regulators, or others under applicable privacy laws and regulations or otherwise. Security breach remediation could also require us to expend significant resources to assist impacted individuals, repair damaged systems, implement modified information security measures, and maintain client and business relationships. Other consequences could include reduced client demand for our services and products, loss of valuable intellectual property, reduced growth and profitability and negative impacts to future financial results, loss of our ability to deliver one or more services or products (e.g., inability to provide financial services and products or to accept and process client credit card transactions or tax returns), modifying or stopping existing business practices, legal actions, harm to our reputation and brands, fines, penalties, and other damages, and further regulation and oversight by U.S. federal, state, or foreign governmental authorities.
A security breach or other unauthorized access to our systems, or third-party systems on which we rely, could have a material adverse effect on our business and our consolidated financial position, results of operations, and cash flows.