NYCB 2017 Annual Report

28 information provided by customers. Our systems and those of our third-party service providers and customers are under constant threat, and it is possible that we or they could experience a significant event in the future that could adversely affect our business or operations. In addition, breaches of security may occur through intentional or unintentional acts by those having authorized or unauthorized access to our confidential or other information, or that of our customers, clients, or counterparties. If one or more of such events were to occur, the confidential and other information processed and stored in, and transmitted through, our computer systems and networks could potentially be jeopardized, or could otherwise cause interruptions or malfunctions in our operations or the operations of our customers, clients, or counterparties. This could cause us significant reputational damage or result in our experiencing significant losses. While we diligently assess applicable regulatory and legislative developments affecting our business, laws and regulations relating to cybersecurity have been frequently changing, imposing new requirements on us, such as the recently adopted New York State Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies regulation. In light of these conditions, we face the potential for additional regulatory scrutiny that will lead to increasing compliance and technology expenses and, in some cases, possible limitations on the achievement of our plans for growth and other strategic objectives. Furthermore, we may be required to expend significant additional resources to modify our protective measures or investigate and remediate vulnerabilities or other exposures arising from operational and security risks. Additional expenditures may be required for third-party expert consultants or outside counsel. We also may be subject to litigation and financial losses that either are not insured against or not fully covered through any insurance we maintain. In addition, we routinely transmit and receive personal, confidential, and proprietary information by e-mail and other electronic means. We have discussed, and worked with our customers, clients, and counterparties to develop secure transmission capabilities, but we do not have, and may be unable to put in place, secure capabilities with all of these constituents, and we may not be able to ensure that these third parties have appropriate controls in place to protect the confidentiality of such information. We maintain disclosure controls and procedures to ensure we will timely and sufficiently notify our investors of material cybersecurity risks and incidents, including the associated financial, legal, or reputational consequence of such an event, as well as reviewing and updating any prior disclosures relating to the risk or event. While we have established information security policies and procedures, including an Incident Response Plan, to prevent or limit the impact of systems failures and interruptions, we may not be able to anticipate all possible security breaches that could affect our systems or information and there can be no assurance that such events will not occur or will be adequately prevented or mitigated if they do. We maintain policies and procedures to prevent directors, certain officers, and corporate insiders from trading stock after being made aware of a material cybersecurity incident and to control the distribution of information about cybersecurity events that could constitute material information to the Company; however, we cannot be certain that a corporate insider who becomes aware of a Company material cybersecurity incident does not undertake to buy or sell Company stock before information about the incident becomes publicly available. The Company and the Banks rely on third parties to perform certain key business functions, which may expose us to further operational risk. We outsource certain key aspects of our data processing to certain third-party providers. While we have selected these third-party providers carefully, we cannot control their actions. Our ability to deliver products and services to our customers, to adequately process and account for our customers’ transactions, or otherwise conduct our business could be adversely impacted by any disruption in the services provided by these third parties; their failure to handle current or higher volumes of usage; or any difficulties we may encounter in communicating with them. Replacing these third-party providers also could entail significant delay and expense. Our third-party providers may be vulnerable to unauthorized access, computer viruses, phishing schemes, and other security breaches. Threats to information security also exist in the processing of customer information through various other third-party providers and their personnel. We may be required to expend significant additional resources to protect against the threat of such security breaches and computer viruses, or to alleviate problems caused by such security breaches or viruses. To the extent that the activities of our third-party providers or the activities of our customers involve the storage and transmission of confidential information, security breaches and viruses could expose us to claims, regulatory scrutiny, litigation, and other possible liabilities.