Table of Contents
Data Privacy and Cybersecurity Risks.
Cybersecurity incidents or vulnerabilities could disrupt the Company's internal operations or services provided to customers, which could adversely affect revenue, increase costs, and harm its
reputation, customer relationships, and stock price. To reduce these risks, the Company has programs and measures in place designed to detect and help safeguard against cybersecurity attacks.
Although we have implemented cybersecurity measures designed to detect and limit the risk of unauthorized access to our systems and acquisition of, loss, modification of, use, or disclosure of our
data, threat actors are using evolving, sophisticated, and ever-changing techniques to obtain unauthorized access to systems and data. The types and motivations of threat actors that may attempt to
access our systems also are evolving and expanding, and include sophisticated nation-state sponsored and organized cyber-criminals, who are targeting the financial services industry. As a result,
the risk of cyberattack is increasing. An attack, disruption, intrusion, denial of service, theft or other data or cybersecurity incident (such as phishing attack, virus, ransomware, or other malware
installation), or an inadvertent act by an employee or contractor, could result in unauthorized access to, acquisition of, loss, disclosure, or modification of, our systems, products, and data (or our third-
party service provider’s systems, products, and data), which may result in operational disruption, loss of business, claims (including by customers, financial institutions, cardholders, and consumers),
costs and reputational harm that could negatively affect our operating results. The Company could incur significant expenses in investigating and addressing cybersecurity incidents, including the
expenses of deploying additional personnel, enhancing or implementing new protection measures, training employees or hiring consultants, and such incidents could divert the attention of our
management and key personnel from our business operations. Further, remedial measures may later prove inadequate to prevent or reduce the impact of new or emerging threats. The Company
may face regulatory investigations or litigation relating to cybersecurity incidents, which may be costly to defend and which, if successful, may require the Company to pay damages and fines or
change its business practices. The Company also is subject to risks associated with cyberattacks involving our supply chain. We may also detect, or may receive notice from third parties (including
governmental agencies and those in our supply chain) regarding, potential vulnerabilities in our information technology systems, our products, or third-party products used in conjunction with our
products. Even if these potential vulnerabilities do not affect our products, services, data, or systems, their existence or claimed existence could adversely affect customer confidence and our
reputation in the marketplace, causing us to lose existing or potential customers. To the extent such vulnerabilities require remediation, such remedial measures could require significant resources,
may not be implemented before such vulnerabilities are exploited, and may not prevent or reduce the risk. As the cybersecurity landscape evolves, we may also find it necessary to make significant
further investments to protect data and infrastructure. We maintain cybersecurity insurance intended to cover some of these risks, but this insurance may not be sufficient to cover all of our losses
from future cybersecurity incidents the Company may experience.
We have experienced cybersecurity incidents in the past, but none of these incidents, individually or in the aggregate, has had a material adverse effect on our business, reputation, operations or
products. The Company has in place various information technology protections designed to detect and reduce cybersecurity incidents, although there can be no assurance that our protections will
be successful. The Company also regularly evaluates its protections against cybersecurity incidents, including through self-assessments and third-party assessments, and takes steps to enhance
those protections, in response to specific threats and as part of the Company’s information security program. There can be no assurance, however, that the Company will be able to prevent or
remediate all future cybersecurity incidents or that the cost associated with responding to any such incident or impact of such incident will not be significant or material.
Portions of the Company's IT infrastructure also may experience interruptions, delays or cessations of service or produce errors in connection with systems integration or migration work that takes
place from time to time. The Company may not be successful in implementing new systems, and transitioning data and other aspects of the process could be expensive, time consuming, disruptive
and resource-intensive. Such disruptions could adversely impact the ability to fulfill orders, service customers and interrupt other processes and, in addition, could adversely impact the Company’s
ability to maintain effective internal control over financial reporting. Delayed sales, lower margins, lost customers or diminished investor confidence resulting from these disruptions could adversely
affect the Company's financial results, stock price and reputation.
The Company’s actual or perceived failure to comply with increasing and increasingly stringent laws, regulations and contractual obligations relating to privacy, data protection and information
security could harm its reputation, subject the Company to significant fines and liability or loss of business, and decrease demand for the Company’s services. The Company and its customers are
subject to privacy, data protection, and information security laws and regulations (“Data Protection Laws”) in the United States and in jurisdictions around the globe that restrict the collection, use,
disclosure, transfer and processing of personal data, including financial data. For example, the Company and its customers are subject to the European Union General Data Protection Regulation
(“GDPR”), the U.K. General Data Protection Regulation, the California Consumer Privacy Act (“CCPA”), and the Brazilian Lei Geral de Proteção de Dados. Costs to comply with these Data Protection
Laws are significant. Failure to comply with these laws could result in material legal exposure and business impact, including the loss of customers and decreased demand for our products and
services. The GDPR, for example, imposes onerous accountability obligations on companies, with penalties for non-compliance of up to the greater of €20 and four percent of annual global revenue.
The GDPR, and other Data Protection Laws, also grant corrective powers to supervisory authorities, including the ability to impose a limit on processing personal data or ability to order companies to
cease operations.
10