CHFC 2018 Annual Report

Our controls and procedures may fail or be circumvented.

Management regularly reviews and updates our internal controls and corporate governance policies and procedures. Any system of controls, however well designed and operated, is based in part on certain assumptions and can provide only reasonable, not absolute, assurances that the objectives of the system are met. A significant failure or circumvention of our controls and procedures or failure to comply with regulations related to controls and procedures could have a material adverse effect on our business, results of operations and financial condition.

A failure in or breach of our operational or security systems or infrastructure, or those of our third party vendors and other service providers or other third parties, including as a result of cyberattacks, could disrupt our businesses, result in the disclosure or misuse of confidential or proprietary information, damage our reputation, increase our costs and cause losses.

Our operations rely on the secure processing, storage and transmission of confidential and other sensitive business and consumer information on our computer systems and networks and third party providers. Under various federal and state laws, we are responsible for safeguarding such information.
For example, our business is subject to the Gramm-Leach-Bliley Act which, among other things: (1) imposes certain limitations on our ability to share nonpublic personal information about our customers with nonaffiliated third parties; (2) requires that we provide certain disclosures to customers about our information collection, sharing and security practices and afford customers the right to "opt out" of any information sharing by us with nonaffiliated third parties (with certain exceptions); and (3) requires that we develop, implement and maintain a written comprehensive information security program containing appropriate safeguards based on our size and complexity, the nature and scope of our activities, and the sensitivity of customer information we process, as well as plans for responding to data security breaches. Ensuring that our collection, use, transfer and storage of personal information complies with all applicable laws and regulations can increase our costs. Although we take protective measures to maintain the confidentiality, integrity and availability of information across all geographic and product lines, and endeavor to modify these protective measures as circumstances warrant, the nature of the threats continues to evolve. As a result, our computer systems, software and networks may be vulnerable to unauthorized access, loss or destruction of data (including confidential client information), account takeovers, unavailability of service, computer viruses or other malicious code, cyber-attacks and other events that could have an adverse security impact. Despite the defensive measures we take to manage our internal technological and operational infrastructure, these threats may originate externally from third parties such as foreign governments, organized crime and other hackers, and outsource or infrastructure-support providers and application developers, or may originate internally from within our organization. 
Furthermore, we may not be able to ensure that all of our clients, suppliers, counterparties and other third parties have appropriate controls in place to protect the confidentiality of the information that they exchange with us, particularly where such information is transmitted by electronic means. Given the increasingly high volume of our transactions, certain errors may be repeated or compounded before they can be discovered and rectified. In addition, the increasing reliance on technology systems and networks and the occurrence and potential adverse impact of attacks on such systems and networks, both generally and in the financial services industry, have enhanced government and regulatory scrutiny of the measures taken by companies to protect against cyber-security threats. As these threats, and government and regulatory oversight of associated risks, continue to evolve, we may be required to expend additional resources to enhance or expand upon the security measures we currently maintain. In particular, information pertaining to us and our customers is maintained, and transactions are executed, on the networks and systems of us, our customers and certain of our third-party partners, such as our online banking or reporting systems. The secure maintenance and transmission of confidential information, as well as execution of transactions over these systems, are essential to protect us and our customers against fraud and security breaches and to maintain our clients’ confidence. While we have not experienced any material breaches of information security, such breaches may occur through intentional or unintentional acts by those having access or gaining access to our systems or our customers’ or counterparties’ confidential information, including employees.
In addition, increases in criminal activity levels and sophistication, advances in computer capabilities, new discoveries, vulnerabilities in third-party technologies (including browsers and operating systems) or other developments could result in a compromise or breach of the technology, processes and controls that we use to prevent fraudulent transactions and to protect data about us, our customers and underlying transactions, as well as the technology used by our customers to access our systems. We cannot be certain that the security measures or third party processors we have in place to protect this sensitive data will be successful or sufficient to protect against all current and emerging threats designed to breach our systems or those of processors. Although we have developed, and continue to invest in, systems and processes that are designed to detect and prevent security breaches and cyber-attacks and periodically test our security, a breach of our systems, or those of processors, could result in losses to us or our customers; loss of business and/or customers; damage to our reputation; the incurrence of additional expenses (including the cost of notification to consumers, credit monitoring and forensics, and fees and fines imposed by the card networks); disruption to our business; our inability to grow our online services or other businesses; additional regulatory scrutiny or penalties; or our exposure
