CASH 2018 Annual Report

63 The student loan portfolio purchases present risks to the Bank. The Bank purchased two separate student loan portfolios; the first in fiscal year 2017 and the second at the beginning of fiscal year 2018. The first portfolio included seasoned loans that were taken by medical school students who enrolled in non-U.S. medical schools and the second included more traditional loans made to higher education students. The servicing of these loans is done through a third-party. When the portfolios were purchased, they were insured by ReliaMax Surety Company ("RSC"); however, the South Dakota Division of Insurance placed RSC into liquidation in June 2018. As a result of the liquidation proceedings, the Bank's purchased student loan portfolios are no longer insured. Due to the cancellation of the insurance coverage with respect to the purchased student loan portfolios, we adjusted the allowance for loan and lease losses attributable to the purchased student loan portfolios to $2.8 million at September 30, 2018, and we expect to recognize additional ongoing provision expense on the purchased student loan portfolios until recovery of unearned premiums is collected. We cannot provide any assurances as to whether or to what extent we will be able to recover all or any portion of unearned premiums relating to the Bank's purchased student loan portfolios, whether as a result of the RSC liquidation plan, the New York Property/Casualty Insurance Security Fund, or otherwise. If our recovery of unearned premiums is less than expected (including if we do not recover any such amounts at all), we may recognize loan losses in the future in excess of our estimates, which may adversely affect our realized pre-tax yields on the Bank's purchased student loan portfolios and may otherwise have a material adverse impact on our financial condition and results of operations. A data security breach involving us, the Bank or any of our business vendors, marketers, or partners could expose us to liability and protracted and costly litigation, and could adversely affect our reputation and operating revenues. In connection with our businesses, we collect and retain significant volumes of personally identifiable information, including social security numbers of our customers and other personally identifiable information of our customers and employees. Our vendors, marketers, or partners may experience security breaches involving the receipt, transmission, and storage of confidential customer and other personally identifiable information; alternatively, we may directly experience such a security breach. Such security breaches could include account takeovers, unavailability of service, computer viruses, or other malicious code, cyberattacks, or other events. These threats may arise from human error, fraud or malice on the part of employees or third parties or from accidental technological failure. If one or more of these events occurs, it could result in the disclosure of confidential customer information, damage to our reputation with our customers and the market, additional costs (such as costs for repairing systems or adding new personnel or protection technologies), regulatory penalties, and financial losses for both us and our clients and customers. Such events could also cause interruptions or malfunctions in our operations, as well as the operations of our clients, customers, or other third parties with which we engage in business. Risks and exposures related to cybersecurity attacks are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats and also due to the expanding use of technology-based products and services by us and our customers. There can be no assurance that we will not suffer losses related to a security breach in the future, and any such losses may be material. The continued occurrence of high-profile data breaches provides evidence of the serious threats faced by financial institutions globally with respect to information security. Our customers and employees, and those of our tax preparation and loan marketing partners, expect that we and our partners will adequately protect their personal information, and the regulatory environment surrounding information security and privacy is increasingly demanding. Improper access to or use of our or the tax preparation partners' or loan marketing partners' systems or databases could result in the theft, publication, deletion or modification of confidential customer and other information, any of which could have a material adverse effect on us and our operations. In addition, a data security breach at the tax preparation or loan marketing partners could result in significant reputational harm to us and cause the use and acceptance of our tax- related products and loan marketing-related products and services to decline, either of which could have an adverse impact on our operating revenues and future growth prospects. In March 2015, federal regulators issued two related statements regarding cybersecurity. One statement indicates that financial institutions should design multiple layers of security controls to establish lines of defense and to ensure that their risk management processes also address the risk posed by compromised customer credentials, including security measures to reliably authenticate customers accessing internet-based services of the financial institution. The other statement indicates that a financial institution’s management is expected to maintain sufficient business continuity planning processes to ensure the rapid recovery, resumption, and maintenance of the institution’s operations after a cyber-attack involving destructive malware. A financial institution is also expected to develop appropriate processes to enable recovery of data and business operations and address rebuilding network capabilities and restoring data if the institution or its critical service providers fall victim to this type of cyber-attack. If the Bank or its divisions fail to observe this regulatory guidance, the Bank could be subject to various regulatory sanctions, including financial penalties.