Risks Related to Cybersecurity and Data Privacy
Cybersecurity and Privacy Considerations Could Impact the Company’s Business: There are numerous and evolving risks to cybersecurity and privacy, including risks originating from intentional acts of criminal hackers, hacktivists, nation states and competitors; from intentional and unintentional acts of customers, contractors, business partners, vendors, employees and other third parties; and from errors in processes or technologies, as well as the risks associated with an increase in the number of customers, contractors, business partners, vendors, employees and other third parties working remotely. Computer hackers and others routinely attack the security of technology products, services, systems and networks using a wide variety of methods, including ransomware or other malicious software and attempts to exploit vulnerabilities in hardware, software, and infrastructure. Attacks also include social engineering and cyber extortion to induce customers, contractors, business partners, vendors, employees and other third parties to disclose information, transfer funds, or unwittingly provide access to systems or data. The company is at risk of security breaches not only of our own products, services, systems and networks, but also those of customers, contractors, business partners, vendors, employees and other third parties, particularly as all parties increasingly digitize their operations. Cyber threats are continually evolving, making it difficult to defend against such threats and vulnerabilities that can persist undetected over extended periods of time. 
The company’s products, services, systems and networks, including cloud-based systems and systems and technologies that the company maintains on behalf of its customers, are used in critical company, customer or third-party operations, and involve the storage, processing and transmission of sensitive data, including valuable intellectual property, other proprietary or confidential data, regulated data, and personal information of employees, customers and others. These products, services, systems and networks are also used by customers in heavily regulated industries, including those in the financial services, healthcare, critical infrastructure and government sectors. Successful cybersecurity attacks or other security incidents could result in, for example, one or more of the following: unauthorized access to, disclosure, modification, misuse, loss, or destruction of company, customer, or other third party data or systems; theft or import or export of sensitive, regulated, or confidential data including personal information and intellectual property, including key innovations in artificial intelligence, quantum, or other disruptive technologies; the loss of access to critical data or systems through ransomware, crypto mining, destructive attacks or other means; and business delays, service or system disruptions or denials of service. In the event of such actions, the company, its customers and other third parties could be exposed to liability, litigation, and regulatory or other government action, including debarment, as well as the loss of existing or potential customers, damage to brand and reputation, damage to our competitive position, and other financial loss. In addition, the cost and operational consequences of responding to cybersecurity incidents and implementing remediation measures could be significant. 
In the company’s industry, security vulnerabilities are increasingly discovered, publicized and exploited across a broad range of hardware, software or other infrastructure, elevating the risk of attacks and the potential cost of response and remediation for the company and its customers. In addition, the fast-paced, evolving, pervasive, and sophisticated nature of certain cyber threats and vulnerabilities, as well as the scale and complexity of the business and infrastructure, make it possible that certain threats or vulnerabilities will be undetected or unmitigated in time to prevent or minimize the impact of an attack on the company or its customers. Cybersecurity risk to the company and its customers also depends on factors such as the actions, practices and investments of customers, contractors, business partners, vendors, the open source community and other third parties, including, for example, providing and implementing patches to address vulnerabilities. Cybersecurity attacks or other catastrophic events resulting in disruptions to or failures in power, information technology, communication systems or other critical infrastructure could result in interruptions or delays to company, customer, or other third party operations or services, financial loss, injury or death to persons or property, potential liability, and damage to brand and reputation. Although the company continuously takes significant steps to mitigate cybersecurity risk across a range of functions, such measures can never eliminate the risk entirely or provide absolute security. 
The company regularly addresses cybersecurity attacks and vulnerabilities with the potential for exploitation, and while the company continues to monitor for, identify, investigate, respond to and remediate such events, there have not been cybersecurity incidents or vulnerabilities that have had a material adverse effect on the company, though there is no assurance that there will not be cybersecurity incidents or vulnerabilities that will have a material adverse effect in the future.
For a global enterprise such as the company, the regulatory environment with regard to cybersecurity, privacy and data protection issues is increasingly complex and will continue to impact the company’s business, including through increased risk, increased costs, and expanded or otherwise altered compliance obligations, including with respect to the increased regulatory activity around the security of critical infrastructure, IoT devices, customer industries (e.g., financial services) and