predictive models may be substantially higher or lower for certain assets than actual market prices. Furthermore, since predictive models are usually constructed based on historical data supplied by third parties, the success of relying on such models may depend heavily on the accuracy and reliability of the supplied historical data and the ability of these historical models to accurately reflect future periods. All valuation models rely on correct market data inputs. If incorrect market data is entered into even a well-founded valuation model, the resulting valuations will be incorrect. However, even if market data is inputted correctly, “model prices” will often differ substantially from market prices, especially for securities with complex characteristics, such as derivative instruments or structured notes. We are highly dependent on information systems and networks, many of which are operated by third parties, and any failure of these systems or networks could materially and adversely affect our business. Our business is highly dependent on communications and information systems and networks. Any failure or interruption of our systems or networks or cyberattacks or other information security breaches of our networks or systems could cause delays or other problems in our securities trading activities, including mortgage-backed securities trading activities. In addition, we also face the risk of operational failure, termination or capacity constraints of any of the third parties with which we do business or that facilitate our business activities, including clearing agents or other financial intermediaries we use to facilitate our securities transactions, if their respective systems experience failure, interruption, cyberattacks, or other information security breaches. Certain third parties provide information needed for our financial statements that we cannot obtain or verify from other sources. If one of those third parties experiences a system or network failure or cybersecurity incident, we may not have access to that information or may not have confidence in its accuracy. Any failure to maintain performance, reliability and security of our technical infrastructure, systems or networks, or any such failure by third parties upon whom we rely, could materially and adversely affect our business. Cyberattacks or other information security breaches could adversely affect our business, reputation and financial condition. Cybersecurity risks for financial services businesses have significantly increased in recent years in part because of the proliferation of new technologies, including generative artificial intelligence, and the increased sophistication and activities of organized crime, hackers, terrorists, nation-states, state-sponsored actors and other external parties. Computer malware, ransomware, viruses, computer hacking, denial-of-service attacks, and social engineering attacks (including phishing attacks) have become more prevalent in our industry and we are subject to such attempted attacks. Cybersecurity risks also may derive from fraud or malice on the part of our employees or third parties, or may result from human error, software bugs, server malfunctions, software or hardware failure or other technological failure. Such threats may be difficult to detect for long periods of time and also may be further enhanced in frequency or effectiveness through threat actors’ use of artificial intelligence. We rely heavily on our financial, accounting and other data processing systems. A cyberattack or other information security breach of such systems could lead to unauthorized access to and release, misuse, loss or destruction of our confidential information or personal or confidential information of our clients, employees or third parties, which could lead to regulatory fines, costs of remediating the breach, reputational harm, financial losses, litigation and increased difficulty doing business with third parties that rely on us to meet their own data protection requirements. While we generally perform cybersecurity diligence on our key service providers, we do not control our service providers and our ability to monitor their cybersecurity is limited. Some of our service providers may store or have access to our data and may not have effective controls, processes, or practices to protect our information from loss, unauthorized disclosure, unauthorized use or misappropriation, cyberattacks or other information security breach. A vulnerability in our service providers’ software or systems, a failure of our service providers’ safeguards, policies or procedures, or a cyberattack or other information security breach affecting any of these third parties could harm our business. Although we have not detected a material cybersecurity breach to date, other financial institutions have reported material breaches of their systems, some of which have been significant. Even with all reasonable security efforts, not every breach can be prevented or even detected. It is possible that we have experienced an undetected breach. There is no assurance that we, or the third parties that facilitate our business activities, have not or will not experience a breach. We may be held responsible if certain third parties that facilitate our business activities experience a breach. Additionally, we cannot be certain that our insurance coverage will be adequate for cybersecurity liabilities actually incurred, that insurance will continue to be available to us on economically reasonable terms, or at all, or that our insurer will not deny coverage as to any future claim. We may face increased costs as we continue to evolve our cyber defenses in order to contend with changing risks, and possible increased costs of complying with cybersecurity laws and regulations. These costs and losses associated with these risks are difficult to predict and quantify, but could have a significant adverse effect on our operating results. ANNALY CAPITAL MANAGEMENT, INC. AND SUBSIDIARIES Item 1A. Risk Factors 37
RkJQdWJsaXNoZXIy NDQ4NTc1