THG 2018 Annual Report

We may experience difficulties with technology, data security and/or outsourcing relationships, which could have a negative impact on our ability to conduct our business. We use computer systems to store, retrieve, evaluate and utilize customer and company data and information. Our computer, information technology and telecommunications systems, in turn, interface with and rely upon third-party systems, including cloud-based data storage. Our business is highly dependent on our ability, and the ability of certain third parties, to access these systems to perform necessary business functions, including, without limitation, providing insurance quotes, processing premium payments, making changes to existing policies, filing and paying claims, providing customer support and managing investment portfolios. Systems attacks, failures or outages could compromise our ability to perform these functions in a timely manner, which could harm our ability to conduct business and hurt our relationships with our business partners and customers. In the event of a disaster such as a natural catastrophe, an industrial accident, a blackout, a computer virus, a cyber security attack, a terrorist attack or war, or interference from solar flares, our systems or the external systems that we rely on may be inaccessible to our employees, customers or business partners for an extended period of time. Even if our employees are able to report to work, they may be unable to perform their duties for an extended period of time if our data or the systems that we rely on are disabled or destroyed or if our disaster recovery plans are inadequate or suffer from unforeseen consequences. This could result in a materially adverse effect on our business results and liquidity. In addition, we outsource certain technology and business process functions and data storage to third parties and may do so increasingly in the future. If we do not effectively develop, implement and monitor our outsourcing strategies, third-party providers do not perform as anticipated or we experience technological or other problems with a transition, we may not realize productivity improvements or cost efficiencies and may experience operational difficulties, increased costs and a loss of business. Our outsourcing of certain technology, data storage and business process functions to third parties may expose us to enhanced risk related to data security, which could result in monetary and reputational damages. In addition, our ability to receive services from third-party providers outside of the United States might be impacted by cultural differences, political instability, regulatory requirements or policies inside or outside of the United States. As a result, our ability to conduct our business might be adversely affected. Data security incidents, including, but not limited to, those resulting from a malicious cyber security attack on us or our business partners and service providers, could disrupt or otherwise negatively impact our business. Our systems and the systems that we rely on, like others in the financial services industry, are vulnerable to cyber security risks, and we are subject to disruption and other adverse effects caused by such activities. Large corporations such as ours are subject to daily attacks on their systems and other vulnerabilities to data security incidents. These attacks and incidents have included, or may in the future include: unauthorized access, viruses, malware or other malicious code, ransomware, deceptive social engineering campaigns (also NQRZQ DV ³SKLVKLQJ´ RU ³VSRRILQJ´ ORVV RU WKHIW RI DVVHWV HPSOR\HH HUURUV RU PDOIHDVDQFH WKLUG -party errors or malfeasance, as well as system failures and other security events. Such attacks may have various goals, from seeking confidential information or the misdirection of payments, to causing operational disruption. Such activities could result in material disruptions to our operations, financial loss or material damage to our reputation. Like other companies, we have from time to time experienced, and are likely to continue to experience, security events, and while none of these events to date have had a material adverse effect on our business, no assurances can be made that such attacks or security events will not have a material adverse effect on our business in the future. As the breadth and complexity of cyber security attacks and other data security events become more prevalent and the methods used to perpetrate them evolve, we may be required to devote additional personnel, or financial or systems resources, to protecting our data security or investigating or remediating vulnerabilities as a result of data security incidents. Such resources could be costly in time and expenses, and could detract from resources spent on our core property and casualty insurance operations. In addition, we may not be able to detect an incident, assess its severity or impact, or appropriately respond in a timely manner, which could increase our exposure to an incident. The third parties with whom we work are also subject to these same risks, and we are vulnerable if a cyber security attack or other data security incident involves a third party vendor or service provider. Such an event could threaten to disrupt our business if the third SDUW\¶V RSHUDWLRQV DUH FRPSURPLVHG RU SURYLGH DWWDFNHUV DQ DYHQXH WR SLYRW DQG DWWDFN RXU V\VWHPV E\ H[SORLWLQJ WKH UHODWLRQ ships that we have with our trusted business partners. While we take measures to protect against such events (e.g., utilizing secure transmission capabilities with third- SDUW\ YHQGRUV DQG RWKHUV ZLWK ZKRP ZH GR EXVLQHVV ZKHQ SRVVLEOH UHYLHZ DQG DVVHVV RXU WKLUG SDUW\ SURYLGHUV¶ cybersecurity controls, as appropriate, and make changes to our business processes to manage these risks, we cannot assure that our efforts will always be successful. 25 2018 ANNUAL REPORT | THE HANOVER INSURANCE GROUP