Cybersecurity risks could adversely affect our business and disrupt our operations.
We face various cybersecurity threats, including threats to our information technology infrastructure, denial-of-service attacks, zero day attacks, phishing and spoofing attempts, fraudulent requests for money transfers, attempts to compromise proprietary information, and ransomware attacks. In addition, we
face cybersecurity threats from entities that may seek to target us by exploiting our relationships with our members, vendors, subcontractors, employees, independent contractors, and other third parties with whom we do business. While the cyber
threat landscape is ever-changing, the current risks may be heightened by ongoing tensions with various nation state threat actors.
Threats to our
information technology assets, network, and data stored therein, are increasingly diverse and sophisticated. Despite our efforts and processes to prevent breaches, the commercial products we use, our servers, and other assets, along with those of
our third party service providers, are vulnerable to cybersecurity threats, including zero day attacks, malware, phishing and spoofing exploits, denial-of-service
attacks, compromise of physical assets, insider theft or misuse or mistake, and similar disruptions.
Despite our efforts to create security barriers to
such threats, we may not be able to successfully guard against every threat or mitigate the resulting risks. A successful cyber-attack could lead to interruptions, delays, loss of critical data, unauthorized access to member data, and require large
expenditure to investigate and remediate. This could, in turn, adversely affect consumer confidence, our business, our financial condition, and damage our reputation.
Our contracts may not contain limitations of liability, and even where they do, there can be no assurance that limitations of liability in our contracts are
sufficient to protect us from liabilities, damages, or claims related to our data privacy and security obligations. Also, we cannot be sure that our insurance coverage will be adequate or sufficient to protect us from or to mitigate liabilities
arising out of our privacy and security practices, that such coverage will continue to be available on commercially reasonable terms or at all, or that such coverage will pay future claims.
A breach of our information technology systems or physical security systems, or any actual or perceived violation of privacy or data protection laws,
could harm our reputation, business, financial condition, and results of operations.
We rely on our information technology systems to process,
transmit, and store electronic information (including sensitive data such as confidential business information, financial information, and personally identifiable information relating to employees, members, and other business partners), and to
manage or support a variety of critical business processes and activities, as well as physical security systems to protect our facilities and employees. We can provide no assurance that our current information technology or physical security
systems, or those of the third parties upon which we rely, are fully protected.
Although we have not experienced any known cyber or physical security
events which have materially impacted our business, financial condition, operations, liquidity, or reputation to date, it is possible that we (and/or our members, vendors, partners, or others) have faced a cyber or physical security compromise that
is not (yet) known. Further, future threats could, among other consequences: cause harm to our business and our reputation; disrupt our operations; cost significant resources to address; expose us to potential liability, regulatory actions, and the
loss of business; and impact our results of operations materially. Due to the evolving nature of these security threats, we cannot predict the potential impact of any future incident.
Applicable data privacy and security obligations may require us to notify relevant stakeholders of security incidents. Such disclosures are costly, and the
disclosures or the failure to comply with such requirements could lead to adverse consequences. If we (or a third party upon whom we rely) experience a security incident or are perceived to have experienced a security incident, we may experience
adverse consequences. These consequences may include: government enforcement actions (for example, investigations, fines, penalties, audits, and inspections); additional reporting requirements and/or oversight; restrictions on processing data
(including personal data); litigation (including class claims); indemnification obligations; negative publicity; reputational harm; monetary fund diversions; interruptions in our operations (including availability of data); financial loss; and other
similar harms. Security incidents and attendant consequences may negatively impact our ability to grow and operate our business.
While we take measures
to protect the security of, and prevent unauthorized access to, our systems, facilities, and personal and proprietary information, the security controls for our systems and facilities, as well as other security practices we follow, may not prevent
unauthorized access or damage to our systems and facilities, or prevent the disablement or encryption of, use or misuse of, disclosure of, modification of, destruction of or loss of our data or the data of others (including personally identifiable
information and proprietary information). Any actual or perceived security incident could harm our business and results of operations and could result in, among other things, unfavorable publicity, governmental inquiry, oversight, and sanction,
difficulty in marketing our services, allegations by our members or partners that we have not performed our contractual obligations, litigation by affected parties including our members and possible financial obligations for damages related to the
theft or misuse of such information or inventory, any of which could negatively impact our business, financial condition, and results of operations.
75