STI 2018 Annual Report
Our operational or communications systems or infrastructure may fail or may be the subject of a breach or cyber-attack that, if successful, could adversely affect our business or disrupt business continuity. We depend on our ability to process, record, and monitor a large number of client transactions and to communicate with clients and other institutions on a continuous basis. As client, industry, public, and regulatory expectations regarding operational and information security have increased, our operational systems and infrastructure continue to be safeguarded and monitored for potential failures, disruptions, and breakdowns, whether as a result of events beyond our control or otherwise. Our business, financial, accounting, data processing, or other operating systems and facilities may stop operating properly or become disabled or damaged as a result of a number of factors, including events that are wholly or partially beyond our control. For example, there could be sudden increases in client transaction volume; electrical or telecommunications outages; natural disasters such as earthquakes, tornadoes, floods, and hurricanes; disease pandemics; events arising from local or larger scale political or social matters, including terrorist acts; occurrences of employee error, fraud, theft, or malfeasance; disruptions caused by technology implementation, including hardware deployment and software updates; and, as described below, cyber-attacks. Although we have business continuity plans and other safeguards in place, our operations and communications may be adversely affected by significant and widespread disruption to our systems and infrastructure that support our businesses, clients, and teammates. While we continue to evolve and modify our business continuity plans, there can be no assurance in an escalating threat environment that they will be effective in avoiding disruption and business impacts.
Our insurance may not be adequate to compensate us for all resulting losses, and the cost to obtain adequate coverage may increase for us or the industry. Security risks for financial institutions such as ours have dramatically increased in recent years in part because of the proliferation of new technologies, the use of the internet and telecommunications technologies to conduct financial transactions, and the increased sophistication, resources, and activities of hackers, terrorists, activists, industrial spies, insider bad actors, organized crime, and other external parties, including nation state actors. In addition, to access our products and services, clients may use devices and/or software that are beyond our control environment, which may provide additional avenues for attackers to gain access to confidential information. Although we have information security procedures and controls in place, our technologies, systems, networks, and clients' devices and software may become the target of cyber-attacks, information security breaches, business email compromise, or information theft that could result in the unauthorized release, gathering, monitoring, misuse, loss, change, or destruction of our or our clients' or teammates' confidential, proprietary, or other information (including personal identifying information of individuals), or otherwise disrupt our or our clients' or our third parties' business operations. U.S. financial institutions and financial service companies have reported breaches in the security of their websites or other systems, including attempts to shut down access to their networks and/or systems in an attempt to extract compensation from them to regain control. Financial institutions, including SunTrust, have experienced distributed denial-of-service attacks, a sophisticated and targeted attack intended to disable or degrade internet service or to sabotage systems.
We and others in our industry are regularly the subject of attempts by attackers to gain unauthorized access to our networks, systems, and data, or to obtain, change, or destroy confidential data (including personal identifying information of individuals) through a variety of means, including computer viruses, malware, business email compromise, and phishing. These attacks may result in unauthorized individuals obtaining access to our confidential information or that of our clients or teammates, or otherwise accessing, compromising, damaging, or disrupting our systems or infrastructure. We are continuously developing and enhancing our controls, processes, and practices designed to protect our systems, computers, software, data, and networks from attack, damage, or unauthorized access. This continued development and enhancement will require us to expend additional resources, including resources to investigate and remediate any information security vulnerabilities that may be detected. Despite our ongoing investments in security resources, talent, and business practices, we are unable to assure that any security measures will be effective. If our systems and infrastructure were to be breached, compromised, damaged, or disrupted, or if we were to experience a loss of our confidential information or that of our clients or teammates, we could be subject to serious negative consequences, including disruption of our operations, damage to our reputation, a loss of trust in us on the part of our clients, vendors or other counterparties, client or teammate attrition, reimbursement or other costs, increased compliance costs, significant litigation exposure and legal liability, or regulatory fines, penalties or intervention. Any of these could materially and adversely affect our results of operations, our financial condition, and/or our share price. 
A disruption, breach, or failure in the operational systems or infrastructure of our third party vendors or other service providers, including as a result of cyber-attacks, could adversely affect our business. Third parties perform significant operational services on our behalf. These third parties with whom we do business or that facilitate our business activities, including exchanges, clearing houses, central clearing counterparties, financial intermediaries, or vendors that provide services or security solutions for our operations, could also be sources of operational and information security risk to us, including from breakdowns or failures of their own systems or capacity constraints. In particular, operating our business requires us to provide access to client, teammate, and other sensitive Company information to our contractors, consultants, and other third parties and authorized entities. Controls and oversight mechanisms are in place that are designed to limit access to this information and protect it from unauthorized disclosure, theft, and disruption. However, control systems and policies pertaining to system