Sierra Bancorp Annual Report and 10-K 2014 - page 32

Information security risks for financial institutions have increased recently in part because of new technologies, the
use of the Internet and telecommunications technologies (including mobile devices) to conduct financial and other
business transactions, and the increased sophistication and activities of organized crime, perpetrators of fraud,
hackers, terrorists and others. In addition to cyber-attacks or other security breaches involving the theft of sensitive
and confidential information, hackers recently have also engaged in denial of service attacks, designed to disrupt key
business services such as customer-facing web sites. While to date such attacks have primarily involved very large
financial institutions, insurance companies and other huge corporations, it is impossible to predict whether smaller
institutions such as our bank could become a target. Although we employ detection and response mechanisms
designed to identify, contain and mitigate security incidents, early detection may be thwarted by sophisticated attacks
and malware designed to avoid detection.
We also face risks related to cyber-attacks and other security breaches in connection with debit card transactions that
typically involve the transmission of sensitive information regarding our customers through various third parties.
Some of these parties have in the past been the target of security breaches and cyber-attacks, and because the
transactions involve third parties and environments that we do not control or secure, future security breaches or
cyber-attacks affecting any of these third parties could impact us through no fault of our own, and in some cases we
may have exposure and suffer losses for breaches or attacks relating to them. We also rely on third party service
providers to conduct certain other aspects of our business operations, and face similar risks relating to them. While
we regularly conduct security assessments on these third parties, we cannot be sure that their information security
protocols are sufficient to withstand a cyber-attack or security breach.
Any cyber-attack or other security breach involving the misappropriation, loss or other unauthorized disclosure of
confidential customer information could severely damage our reputation, erode confidence in the security of our
systems, products and services, expose us to the risk of litigation and liability, disrupt our operations, and have a
material adverse effect on our business.
If our information systems were to experience a system failure, our business and reputation could suffer.
We rely heavily on communications and information systems to conduct our business. The computer systems and
network infrastructure we use could be vulnerable to unforeseen problems. Our operations are dependent upon our
ability to minimize service disruptions by protecting our computer equipment, systems, and network infrastructure
from physical damage due to fire, power loss, telecommunications failure or a similar catastrophic event. We have
protective measures in place to prevent or limit the effect of the failure or interruption of our information systems,
and will continue to upgrade our security technology and update procedures to help prevent such events. However, if
such failures or interruptions were to occur, they could result in damage to our reputation, a loss of customers,
increased regulatory scrutiny, or possible exposure to financial liability, any of which could have a material adverse
effect on our financial condition and results of operations.
We are subject to a variety of operational risks, including reputational risk, legal risk, compliance risk, the
risk of fraud or theft by employees or outsiders, and the risk of clerical or record-keeping errors, which may
adversely affect our business and results of operations.
If personal, non-public, confidential or proprietary
customer information in our possession were to be mishandled or misused, we could suffer significant regulatory
consequences, reputational damage and financial loss. This could occur, for example, if information was erroneously
provided to parties who are not permitted to have the information, either by fault of our systems, employees, or
counterparties, or where such information is intercepted or otherwise inappropriately taken by third parties.
Because the nature of the financial services business involves a high volume of transactions, certain errors may be
repeated or compounded before they are discovered and successfully remediated. Our necessary dependence upon
automated systems to record and process transactions and our large transaction volume may further increase the risk
that technical flaws or employee tampering or manipulation of those systems could result in losses that are difficult to
detect. We also may be subject to disruptions of our operating systems arising from events that are wholly or
partially beyond our control (for example, computer viruses or electrical or telecommunications outages, or natural
disasters, disease pandemics or other damage to property or physical assets) which may give rise to disruption of
service to customers and to financial loss or liability. We are further exposed to the risk that our external vendors
may be unable to fulfill their contractual obligations (or will be subject to the same risk of fraud or operational errors
by their employees) and to the risk that our (or our vendors’) business continuity and data security systems prove to