NLY 2023 Annual Report

we face the risk of being accused of “greenwashing” to the extent our practices and policies do not match such claims. In addition, the SEC has established a climate and ESG task force to develop initiatives to identify ESG-related misconduct consistent with increased investor reliance on climate and ESG-related disclosure and investment. As a result, the SEC has started to bring enforcement actions based on ESG disclosures not matching actual investment processes. In addition, the SEC is working on proposals for mandatory disclosure of certain ESG-related matters, including with respect to greenhouse gas emissions and climate change-related risks, and similar laws and regulations related to the disclosure and/or diligence of ESG and climate change-related risks have been enacted or proposed in U.S. states such as California, as well as the European Union and other jurisdictions. Compliance with any such new laws or regulations increases our regulatory burden and could make compliance more difficult and expensive, affect the manner in which we conduct our business and adversely affect our profitability and returns to our investors.

We are subject to complex and evolving laws, regulations, rules, standards and contractual obligations regarding data privacy and security, which could increase the cost of doing business, compliance risks and potential liability.

We are subject to complex and evolving laws, regulations, rules, standards and contractual obligations relating to data privacy and the security of personal information, and any failure to comply with these laws, regulations, rules, standards and contractual obligations could expose us to liability and/or reputational damage. The legal and regulatory environment surrounding data privacy and security in the U.S. and international jurisdictions is constantly evolving. New business initiatives have increased, and may continue to increase, the extent to which we are subject to such U.S. and international data privacy and security regulations. As new data privacy and security-related laws, regulations, rules and standards are implemented, the time and resources needed for us to comply with such laws, regulations, rules and standards, as well as our potential liability for noncompliance and reporting obligations in the case of cyberattacks, information security breaches or other similar incidents, may significantly increase. Compliance with these laws, regulations, rules and standards may require us to change our policies, procedures and technology for information security, which could, among other things, make us more vulnerable to operational failures and to monetary penalties for breach of such laws, regulations, rules and standards.

In the U.S., there are numerous federal, state and local data privacy and security laws and regulations governing the collection, sharing, use, retention, disclosure, security, storage, transfer and other processing of personal information. At the federal level, we are subject to, among other laws and regulations, the Gramm-Leach-Bliley Act (which regulates the confidentiality and security of customer information obtained by financial institutions and certain other types of financial services businesses) and regulations under it. Additionally, numerous states have enacted, or are in the process of enacting or considering, comprehensive state-level data privacy and security laws and regulations. Moreover, laws in all 50 U.S. states require businesses to provide notice under certain circumstances to consumers whose personal information has been disclosed as a result of a data breach. Further, when required by applicable laws, regulations, rules and industry standards, we strive to provide or cause our service providers to provide privacy policies which are accurate and comprehensive. We cannot, however, ensure that the disclosure of these privacy policies and other statements regarding our practices will be sufficient to protect us from claims, proceedings, liability or adverse publicity relating to data privacy and security or with respect to the legally permissible sharing of data. Although we endeavor to comply with our privacy policies and to ensure our service providers do the same, occurrences of noncompliance or allegations of noncompliance are possible and could subject us to potential government or legal action, including action based on the argument that the publication of these policies was deceptive, unfair, or misrepresentative of our actual practices. Any concerns about our data privacy and security practices, even if unfounded, could damage our reputation and adversely affect our business.

Any failure or perceived failure by us to comply with our privacy policies, or applicable data privacy and security laws, regulations, rules, standards or contractual obligations, or any compromise of security that results in unauthorized access to, or unauthorized loss, destruction, use, modification, acquisition, disclosure, release or transfer of personal information, may result in requirements to modify or cease certain operations or practices, the expenditure of substantial costs, time and other resources, proceedings or actions against us, legal liability, governmental investigations, enforcement actions, claims, fines, judgments, awards, penalties, sanctions and costly litigation (including class actions). Any of the foregoing could harm our reputation, distract our management and technical personnel, increase our costs of doing business, adversely affect the demand for our products and services, and ultimately result in the imposition of liability, any of which could have a material adverse effect on our business, financial condition and results of operations.

ANNALY CAPITAL MANAGEMENT, INC. AND SUBSIDIARIES Item 1A. Risk Factors 24
