Tiptree Financial (TIPT) Risk Factors

The success of our businesses depend on their ability to attract and retain experienced personnel and seasoned key executives who are knowledgeable about their industry and business. The pool of talent from which they actively recruit is limited and may fluctuate based on market dynamics specific to their industry and independent of overall economic conditions. As such, higher demand for employees having the desired skills and expertise could lead to increased compensation expectations for existing and prospective personnel, making it difficult for them to retain and recruit key personnel and maintain labor costs at desired levels. Should any of their key executives cease to be employed by them, or if they are unable to retain and attract talented personnel, they may be unable to maintain their current competitive position in the specialized markets in which they operate, which could have a material adverse effect on their results of operations.

Most states require insurance companies licensed to do business in their state to participate in guaranty funds, which require the insurance companies to bear a portion of the unfunded obligations of impaired, insolvent or failed insurance companies. These obligations are funded by assessments, which are expected to continue in the future. State guaranty associations levy assessments, up to prescribed limits, on all member insurance companies in the state based on their proportionate share of premiums written in the lines of business in which the impaired, insolvent or failed insurance companies are engaged. Accordingly, the assessments levied on our insurance subsidiaries may increase as they increase their written premiums. These funds are supported by either assessments or premium surcharges based on incurred losses. In addition, as a condition to conducting business in some states, insurance companies are required to participate in residual market programs to provide insurance to those who cannot procure coverage from an insurance carrier on a negotiated basis. Insurance companies generally can fulfill their residual market obligations by, among other things, participating in a reinsurance pool where the results of all policies provided through the pool are shared by the participating insurance companies. Although our insurance subsidiaries price their insurance to account for their potential obligations under these pooling arrangements, they may not be able to accurately estimate their liability for these obligations. Accordingly, mandatory pooling arrangements may cause a decrease in their profits. Further, the impairment, insolvency or failure of other insurance companies in these pooling arrangements would likely increase the liability for other members in the pool. The effect of assessments and premium surcharges or increases in such assessments or surcharges could reduce our insurance subsidiaries' profitability in any given period or limit the ability to grow their business.

Some of our subsidiaries collect, use, store, transmit, retrieve, retain and otherwise process confidential and personally identifiable information in their information systems in and across multiple jurisdictions, and they are subject to a variety of confidentiality obligations and privacy, data protection and information security laws, regulations, orders and industry standards in the jurisdictions in which they do business. The regulatory environment surrounding information security, data privacy and cybersecurity is evolving and increasingly demanding and there has been an increasing focus on privacy and data protection issues with the potential to affect our businesses. A number of our subsidiaries are subject to numerous U.S. federal and state laws and non-U.S. regulations governing the collection, transmission, storage, use and protection of personally identifiable and confidential information of their customers and employees. Failure to comply with any of these laws and regulations could result in enforcement action against us, including fines, imprisonment of company officials and public censure, claims for damages by affected individuals, damage to our reputation and loss of goodwill, any of which could have a material adverse effect on our business, results of operations, financial condition and cash flows. On October 24, 2017, the NAIC adopted an Insurance Data Security Model Law, which requires licensed insurance entities to comply with detailed information security requirements. The NAIC model law has been adopted by certain states and is under consideration by others. It is not yet known whether or not, and to what extent, states legislatures or insurance regulators where our insurance subsidiaries operate will enact the Insurance Data Security Model Law in whole or in part, or in a modified form. Such enactments, especially if inconsistent between states or with existing laws and regulations, could raise compliance costs or increase the risk of noncompliance, and noncompliance could subject our insurance subsidiaries to regulatory enforcement actions and penalties, as well as reputational harm. Any such events could potentially have an adverse impact on our insurance subsidiaries' business, results of operations, financial condition and cash flows. Our insurance and mortgage subsidiaries are subject to the privacy regulations of the Gramm-Leach-Bliley Act of 1999 (the "Gramm-Leach-Bliley Act"), along with its implementing regulations, which restricts certain collection, processing, storage, use and disclosure of personal information, requires notice to individuals of privacy practices, provides individuals with certain rights to prevent the use and disclosure of certain nonpublic or otherwise legally protected information and imposes requirements for the safeguarding and proper destruction of personal information through the issuance of data security standards or guidelines. In addition, on March 1, 2017, new cybersecurity rules took effect for financial institutions, insurers and certain other companies, like our insurance and mortgage subsidiaries, supervised by the NY Department of Financial Services (the "NY DFS Cybersecurity Regulation"). The NY DFS Cybersecurity Regulation imposes significant regulatory burdens intended to protect the confidentiality, integrity and availability of information systems. Our insurance and mortgage subsidiaries also have contractual obligations to protect confidential and personally identifiable information we obtain from third parties. These obligations generally require them, in accordance with applicable laws, to protect such information to the same extent that they protect their own such information. Many states in which our insurance and mortgage subsidiaries operate have laws that protect the privacy and security of sensitive and personal information. Certain current or proposed state laws may be more stringent or broader in scope, or offer greater individual rights, with respect to sensitive and personal information than federal, international or other state laws, and such laws may differ from each other, which may complicate compliance efforts. For example, certain of our insurance and mortgage businesses are subject to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA"), which among other things, requires companies covered by the legislation to provide disclosures to California consumers and affords such consumers rights of access and deletion of personal information. Internationally, many jurisdictions have established their own data security and privacy legal framework with which our insurance subsidiaries operating in such jurisdictions, or their customers, may need to comply, including, but not limited to, the EU. The EU has adopted the General Data Protection Regulation, or the GDPR, which contains numerous requirements, robust obligations on data processors and heavier documentation requirements for data protection compliance programs by companies. The GDPR imposes significant penalties for non-compliance with fines of up to 4% of total annual worldwide turnover or €20 million (whichever is higher), depending on the type and severity of the violation. In addition, following Brexit, the U.K. General Data Protection Regulation (i.e., a version of the GDPR as implemented into U.K. law) went into effect, which may expose us to burdens and risks comparable to those of the GDPR. Because the interpretation and application of many privacy and data protection laws along with contractually imposed industry standards are uncertain, it is possible that these laws may be interpreted and applied in a manner that is inconsistent with our insurance subsidiaries' existing data management practices or the features of their services and platform capabilities. Any failure or perceived failure by our insurance subsidiaries, or any third parties with which they do business, to comply with their posted privacy policies, changing consumer expectations, evolving laws, rules and regulations, industry standards, or contractual obligations to which they or such third parties are or may become subject, may result in actions or other claims against our insurance subsidiaries by governmental entities or private actors, the expenditure of substantial costs, time and other resources or the incurrence of significant fines, penalties or other liabilities. In addition, any such action, particularly to the extent our insurance subsidiaries were found to be guilty of violations or otherwise liable for damages, would damage their reputation and adversely affect their business, financial condition and results of operations. Even if our businesses are not determined to have violated these laws, government investigations into these issues typically require the expenditure of significant resources and generate negative publicity, which could harm our businesses, financial condition, and results of operations.

We operate in highly competitive markets for business opportunities in each of our areas of focus. Many of our competitors have financial, personnel and other resource advantages relative to us and may be better able to react to market conditions. These factors may place us at a competitive disadvantage in successfully competing for future business opportunities and personnel, which could impede our growth and negatively impact our business, financial condition and results of operations. Our insurance subsidiaries face competition from other specialty insurance companies, standard insurance companies and underwriting agencies, as well as from diversified financial services companies that are larger than we are and that have greater financial, marketing, personnel and other resources than we do. Many of these competitors have more experience and market recognition than our insurance subsidiaries. In addition, it may be difficult or prohibitively expensive for our insurance subsidiaries to implement technology systems and processes that are competitive with the systems and processes of these larger companies. In particular, competition in the insurance industry is based on many factors, including price of coverage, general reputation and perceived financial strength, relationships with brokers, terms and conditions of products offered, ratings assigned by independent rating agencies, speed of claims payment and reputation, and the experience and reputation of the members of an underwriting team in the particular lines of insurance they seek to underwrite. In recent years, the insurance industry has undergone increasing consolidation, which may further increase competition. A number of new, proposed or potential industry or legislative developments could further increase competition in the insurance industry. These developments include: - an increase in capital raising by companies in the industry, which could result in new entrants to the insurance markets and an excess of capital in the industry; and - the deregulation of commercial insurance lines in certain states and the possibility of federal regulatory reform of the insurance industry, which could increase competition from standard carriers. Our insurance subsidiaries may not be able to continue to compete successfully in one or more insurance markets. Increased competition in these markets could result in a change in the supply and demand for insurance, affect our insurance subsidiaries' ability to price their products at risk-adequate rates and retain existing business, or underwrite new business on favorable terms. If this increased competition limits our insurance subsidiaries' ability to transact business, their results of operations would be adversely affected. Additionally, our E&S insurance operations cover risks that are typically more complex and unusual than standard risks and require a high degree of specialized underwriting. As a result, E&S risks do not often fit the underwriting criteria of standard insurance carriers, and are generally considered higher risk than those covered in the standard market. If our underwriting staff inadequately judges and prices the risks associated with the business underwritten in the E&S market, our financial results could be adversely impacted.

The financial performance of the insurance industry has historically fluctuated with periods of lower premium rates and excess underwriting capacity resulting from increased competition (a "soft market") followed by periods of higher premium rates and reduced underwriting capacity resulting from decreased competition (a "hard market"). Soft markets occur when the supply of insurance capital in a given market or territory is greater than the amount of insurance coverage demanded by all potential insureds in that market. When this occurs, insurance prices tend to decline and policy terms and conditions become more favorable to insureds. Conversely, hard markets occur when there is not enough insurance capital capacity in the market to meet the needs of potential insureds, causing insurance prices to generally rise and policy terms and conditions to become more favorable to insurers. Although an individual insurance company's financial performance depends on its own specific business characteristics, the profitability of most P&C insurance companies tends to follow this cyclical market pattern. Further, this cyclical market pattern can be more pronounced in the E&S market than in the standard insurance market. When the standard insurance market hardens, the E&S market typically hardens, and growth in the E&S market can be significantly more rapid than growth in the standard insurance market. Similarly, when conditions begin to soften, many customers that were previously driven into the E&S market may return to the admitted carrier market, exacerbating the effects of rate decreases. Some of our insurance subsidiaries' specialty programs are exposed to these hard and soft market cycles. Our insurance subsidiaries' business generally impacted by P&C commercial market cycles is primarily reported in their property and short-tail, general liability and professional liability lines. Across these lines, they manage various multiline and monoline programs that are impacted in different ways by market cycles. Currently, our insurance subsidiaries believe the following specialty programs and lines of business are in, to varying degrees, a hard market: programs in the property and short-tail lines; within general liability line of business, contractors, excess liability and manufactured home parks programs; and programs in the professional liability line of business. Our insurance subsidiaries seek to limit the potential impact of these trends through their underwriting process that includes, but is not limited to, maintaining a diverse book of business with exposures to various lines, and products, limiting their risk exposures through reinsurance, carefully crafting their underwriting guidelines and monitoring how their distribution partners adhere to those guidelines. Additionally, our insurance subsidiaries believe that other insurance lines, specifically personal lines and alternative risks, are not influenced by the hard and soft market cycles to the same degree as P&C commercial lines. Furthermore, adverse economic factors, including recession, inflation, periods of high unemployment or lower economic activity, could result in the sale of fewer policies than expected or an increase in the frequency of claims and premium defaults, and even the falsification of claims, or a combination of these effects, which, in turn, could affect our insurance subsidiaries' growth and profitability. In an economic downturn that is characterized by higher unemployment, declining spending and reduced corporate revenue, the demand for insurance products is generally adversely affected, which directly affects their premium levels and profitability. Negative economic factors may also affect their ability to receive the appropriate rate for the risk they insure with their policyholders and may adversely affect the number of policies they can write, and their opportunities to underwrite profitable business. In an economic downturn, our insurance subsidiaries' customers may have less need for insurance coverage, cancel existing insurance policies, modify their coverage or not renew their policies. Existing policyholders may exaggerate or even falsify claims to obtain higher claims payments. Some of our insurance subsidiaries' lines of business that provide reconstruction, replacement or repair benefits may be negatively affected by higher rates for labor or the cost of replacement parts, and they have also experienced temporarily higher claims severities, in particular for their service contracts lines of business. In addition, high inflation may impact the creditworthiness of reinsurers and counterparties that our insurance subsidiaries contract with, which may negatively impact the ability of such parties to make timely payments pursuant to our insurance subsidiaries' contracts with them. These outcomes would reduce their underwriting profit to the extent these factors are not reflected in the rates they charge, including to the extent their distribution partners are unable or unwilling to effectively implement pricing or coverage to mitigate these impacts. The financial performance of the mortgage segment largely depends on the health of the U.S. residential real estate industry, which is seasonal, cyclical, and affected by changes in general economic conditions beyond our control. Economic factors such as increased interest rates, slow economic growth or recessionary conditions, the pace of home price appreciation or the lack of it, changes in household debt levels, and increased unemployment or stagnant or declining wages affect our clients' income and thus their ability and willingness to make loan payments. National or global events affect all such macroeconomic conditions. Weak or a significant deterioration in economic conditions reduce the amount of disposable income consumers have, which in turn reduces consumer spending and the willingness of qualified potential clients to take out loans. As a result, such economic factors affect loan origination volume.

We believe that maintaining and enhancing our insurance subsidiaries' brand identity is critical to their relationships with their existing customers and partners and to their ability to attract new customers and partners. They also intend to grow their brand awareness among consumers and potential program partners in order to further expand their reach and attract new customers and program partners. The promotion of their brand in these and other ways may require them to make substantial investments and it is anticipated that, as their market becomes increasingly competitive, these branding initiatives may become increasingly difficult and expensive. Our insurance subsidiaries' brand promotion activities may not be successful or yield increased revenue, and to the extent that these activities yield increased revenue, the increased revenue may not offset the expenses they incur and their results of operations could be harmed. If they do not successfully maintain and enhance their brand, their business may not grow and they could lose their relationships with customers or partners, which would harm their business, results of operations, financial condition and cash flows. Our insurance subsidiaries may be adversely affected by negative publicity relating to brand and activities. For instance, if their brand receives negative publicity, the number of customers visiting their platforms could decrease, and their cost of acquiring customers could increase as a result of a reduction in the number of consumers coming from their direct customer acquisition channel.

Unforeseen or catastrophic events, such as severe weather, natural disasters, pandemics (e.g. the COVID 19 pandemic) cybersecurity attacks, acts of war or terrorism and other adverse external events could have a significant impact on the Company's ability to conduct business. Although the Company and its subsidiaries have established disaster recovery plans, there is no guarantee that such plans will allow the Company and its subsidiaries to operate without disruption if such an event was to occur and the occurrence of any such event could have a material adverse effect on the Company's business, which, in turn, could have a material adverse effect on the Company's financial condition and results of operations. Acts of war may disrupt international trade, create market volatility in debt, equity and commodities markets and result in import bans, export control regulations, increased costs, and sanctions by governmental authorities. These effects, individually or in the aggregate, could materially adversely impact our businesses, operations, financial condition, operating results, liquidity and cash flows and such adverse impacts may be material to our results of operations and liquidity position. Whether or to what extent damage that may be caused by natural events, such as wildfires, severe tropical storms and hurricanes, will affect our insurance subsidiaries' ability to write new insurance policies and reinsurance contracts is unknown, but,to the extent our insurance subsidiaries' policies are concentrated in the specific geographic areas in which these events occur, any increase in frequency and severity of such events and the total amount of our loss exposure in the impacted areas of such events may adversely affect their business, financial condition and results of operations. In addition, although our insurance subsidiaries have historically had limited exposure to catastrophic risk, claims from catastrophe events could reduce their earnings and cause substantial volatility in their business, financial condition and results of operations for any period. Assessing the risk of loss and damage associated with natural and catastrophic events remains a challenge and might adversely affect their business, results of operations, financial condition and cash flows. Our business, particularly our insurance subsidiaries' business, is exposed to risks associated with severe weather conditions and other catastrophes. Catastrophes can be caused by various events, including natural events such as severe winter weather, tornadoes, windstorms, earthquakes, hailstorms, severe thunderstorms and fires, and other events such as explosions, war, terrorist attacks and riots. The incidence and severity of catastrophes and severe weather conditions are inherently unpredictable. For example, our insurance subsidiary underwrites property risks in geographies that are subject to earthquakes, such as California, in geographies that are subject to wildfires, such as the southwestern United States, and in geographies that are subject to windstorms, such as the southeastern United States. The extent of losses from catastrophes is a function of the total amount of insured value, the number of insureds affected, the frequency and severity of the events, the effectiveness of our catastrophe risk management program and the adequacy of our reinsurance coverage. Insurance companies are not permitted to reserve for a catastrophe until it has occurred. Severe weather conditions and catastrophes can cause losses in our property lines and generally result in both an increase in the number of claims incurred and an increase in the dollar amount of each claim asserted, which may require us to increase our reserves, causing our liquidity and financial condition to deteriorate. In addition, our inability to obtain reinsurance coverage at reasonable rates, and in amounts adequate to mitigate the risks associated with severe weather conditions and other catastrophes, could have a material adverse effect on our business and results of operations. Further toward mitigating these risks, we underwrite a diversified mix of programs that span across multiple lines of business, industries, geographies and distribution channels. In addition, while policy terms and conditions for our insurance subsidiaries' lines of business preclude coverage for virus-related claims, court decisions and governmental actions may challenge the validity of any exclusions or our interpretation of how such terms and conditions operate. If pandemics, disease outbreaks and other events occur or re-occur and measures that are put into place by various governmental authorities to stabilize the economy are not effective, our business, financial condition, results of operations and cash flows may be materially adversely affected. U.S. insurers are required by state and federal law to offer coverage for acts of terrorism in certain commercial lines. The Terrorism Risk Insurance Act, as extended by the Terrorism Risk Insurance Program Reauthorization Act of 2015 ("TRIPRA") requires commercial property and casualty ("P&C") insurance companies to offer coverage for acts of terrorism, whether foreign or domestic, and established a federal assistance program through the end of 2020 to help cover claims related to future terrorism-related losses. The likelihood and impact of any terrorist act is unpredictable, and the ultimate impact on our insurance subsidiaries would depend upon the nature, extent, location and timing of such an act. Although our insurance subsidiaries reinsure a portion of the terrorism risk they retain under TRIPRA, such terrorism reinsurance does not provide full coverage for an act stemming from nuclear, biological or chemical terrorism. To the extent an act of terrorism, whether a domestic or foreign act, is certified by the Secretary of Treasury, our insurance subsidiaries may be covered under TRIPRA for their losses for certain P&C lines of insurance. However, any such coverage would be subject to a mandatory deductible based on 20% of earned premium for the prior year for the covered commercial P&C insurance.

Our insurance subsidiaries' success and ability to compete depend in part on their ability to establish, maintain, protect and enforce their intellectual property and proprietary rights, which includes their rights in their technology platform and their brand. Our insurance subsidiaries primarily rely on a combination of intellectual property rights, such as copyrights, trade secrets and trademarks, in addition to confidentiality agreements, procedures and contractual provisions with their employees, clients, service providers, partners and other third parties to establish, maintain, protect and enforce their proprietary or confidential information and intellectual property rights. Our insurance subsidiaries also rely on agreements under which they contract to own, or license rights to use, intellectual property developed by employees, contractors and other third parties. In addition, while they generally enter into confidentiality agreements with employees and third parties to protect their trade secrets, know-how, business strategy and other proprietary information, such confidentiality agreements could be breached or otherwise may not provide meaningful protection for their trade secrets and know-how. Similarly, while they seek to enter into agreements with all of their employees who develop intellectual property during their employment to assign the rights in such intellectual property to our insurance subsidiaries, they may fail to enter into such agreements with all relevant employees, such agreements may be breached or may not be self-executing, and they may be subject to claims that such employees misappropriated relevant rights from their previous employers. The steps our insurance subsidiaries take to protect their intellectual property may be inadequate and despite their efforts to protect their proprietary rights and intellectual property, unauthorized parties may attempt to copy aspects of their solutions or to obtain and use information that they regard as proprietary, and third parties may attempt to independently develop similar technology. Policing unauthorized use of their technology and intellectual property rights may be difficult and may not be effective. Litigation brought to protect and enforce their intellectual property rights could be costly, time-consuming and distracting to management and could result in the impairment or loss of portions of their intellectual property. The litigation process is subject to inherent uncertainties, and they may not prevail in litigation matters regardless of the merits of their position. Further, adequate remedies may not be available in the event of an unauthorized use or disclosure of their trade secrets. Additionally, their efforts to enforce their intellectual property rights may be met with defenses, counterclaims and countersuits attacking the validity and enforceability and scope of their intellectual property rights. Our insurance subsidiaries' failure to secure, protect, defend and enforce their intellectual property rights could adversely affect their brand and adversely affect their business. Our insurance subsidiaries' success also depends in part on them not infringing, misappropriating or otherwise violating the intellectual property rights of others. Their competitors and other third parties may own or claim to own intellectual property relating to our insurance subsidiaries' industry and, in the future, may claim that our insurance subsidiaries are infringing, misappropriating or otherwise violating their intellectual property rights, and our insurance subsidiaries may be found to be infringing on such rights. The outcome of any claims or litigation, regardless of the merits, is inherently uncertain. The disposition of any such claims, whether through settlement or licensing discussions or litigation, could cause our insurance subsidiaries to incur significant expenses and, if successfully asserted against them, could require that they pay substantial damages or ongoing royalty payments, prevent them from offering certain of their products and services, require them to change their technology or business practices or require that they comply with other unfavorable terms. Even if our insurance subsidiaries were to prevail in such a dispute, any litigation could be costly and time-consuming, divert the attention of their management and key personnel from their business operations and materially adversely affect their business, financial condition and results of operations.

Tiptree's businesses are highly dependent upon the effective operation of their information systems and those of their third-party service providers and their ability to collect, use, store, transmit, retrieve and otherwise process personally identifiable information and other data, manage significant databases and expand and upgrade their information systems. Our businesses rely on these systems for a variety of functions, including marketing and selling their products and services, performing their services, managing their operations, processing claims and applications, providing information to customers, performing actuarial analyses and maintaining financial records. Some of these systems may include or rely on third-party systems not located on their premises or under their control. The interruption or loss of their information processing capabilities, or those of their third-party service providers, through cybersecurity attacks, computer hacks, theft, malicious software, phishing, employee error, ransomware, malware, denial-of-service attacks, social engineering, viruses, worms, other malicious software programs, the loss of stored data, programming errors, the breakdown or malfunctioning of computer equipment or software systems, telecommunications and electrical failure or damage caused by weather or natural disasters, war, catastrophes, terrorist attacks, industrial accidents or any other significant disruptions or security breaches could harm our businesses by hampering their ability to generate revenues and could negatively affect their partner relationships, competitive position and reputation. In addition, our business's information systems may be vulnerable to physical or electronic intrusions, computer viruses or other attacks which could disable their information systems and their security measures may not prevent such attacks. Such information systems are additionally vulnerable to security incidents from inadvertent or intentional actions by our employees, third-party vendors, contractors, consultants, business partners, or other third parties, or from cyberattacks by malicious third parties. There are numerous and evolving risks to cybersecurity and privacy from cyber threat actors, including criminal hackers, state-sponsored intrusions, industrial espionage and employee malfeasance. There is also a potential heightened risk of cybersecurity incidents as a result of geopolitical events outside of our control, such as the ongoing Russia-Ukraine conflict, as well as other geographical conflicts. Global cybersecurity threats can range from uncoordinated individual attempts to gain unauthorized access to our IT systems and those of our business partners or third-party service providers to sophisticated and targeted measures known as advanced persistent threats. These cyber threat actors are becoming more sophisticated and coordinated in their attempts to access IT systems and data, including the IT systems of cloud providers and third parties with whom our businesses conduct or may conduct business. Although our businesses devote significant resources to prevent, detect, address and mitigate unwanted intrusions and other threats and protect their systems and data, whether such data is housed internally or by external third parties, such internal controls may not be adequate or successful in protecting against all security breaches and cybersecurity attacks, social-engineering attacks, computer break-ins, theft and other improper activity. Our businesses have experienced immaterial cybersecurity incidents and they and their third-party service providers will likely continue to experience cybersecurity incidents of varying degrees. Because the techniques used to obtain unauthorized access or to sabotage systems change frequently, generally are not recognized until launched against a target and can originate from a wide variety of sources, our businesses and the third parties with whom they do business may be unable to anticipate these techniques or to implement adequate preventative measures effective against all such security threats. With the increasing frequency of cyber-related fraud to obtain inappropriate payments and other threats related to cybersecurity attacks, our businesses may find it necessary to expend resources to remediate cyber-related incidents or to enhance and strengthen their cybersecurity. Such remediation efforts may not be successful and could result in interruptions, delays or cessation of service. Our businesses have also implemented physical, administrative and logical security systems with the intent of maintaining the physical security of their facilities and systems and protecting their and their customers' confidential and personally identifiable information against unauthorized access through their information systems or by other electronic transmission or through misdirection, theft or loss of data. Despite such efforts, they have in the past, and may in the future, be subject to a breach of their security systems that results in unauthorized access to their facilities or the information they are trying to protect. Anyone who is able to circumvent their security measures or those of their third-party service providers and penetrate their information systems could access, view, misappropriate, alter, destroy, misuse or delete any information in such systems, including personally identifiable information and proprietary business information (their own or that of third parties) or compromise of their control networks or other critical systems and infrastructure, resulting in disruptions to their business operations or access to their financial reporting systems. While our businesses have implemented business contingency plans and other reasonable plans to protect their systems, sustained or repeated system failures or service denials could severely limit their ability to write and process new and renewal business, provide customer service or otherwise operate in the ordinary course of business. In addition, most states require that customers be notified if a security breach results in the disclosure of personally identifiable customer information and the trend toward general public notification of such incidents could exacerbate the harm to our companies' business, financial condition and results of operations. Any failure, interruption or compromise of the security of our business's information systems or those of their third-party service providers that result in inappropriate disclosure of such information could result in, among other things, significant financial losses, unfavorable publicity and damage to their reputation, governmental inquiry and oversight, difficulty in marketing their services, loss of customers, significant civil and criminal liability related to legal or regulatory violations, litigation and the incurrence of significant technical, legal and other expenses, any of which may have a material adverse effect on their business, results of operations, financial condition and cash flows. Additionally, the costs related to significant security breaches or disruptions could be material and cause our businesses to incur significant expenses, and any cybersecurity insurance that our businesses may have in place may not cover such expenses. In some cases, our businesses rely on the safeguards put in place by third parties to protect against security threats. These third parties, including vendors that provide products and services for their operations, could also be a source of security risk to them in the event of a failure or a security incident affecting such third parties' own security systems and infrastructure. If the information technology systems of our business's third-party service providers become subject to disruptions or security breaches, our businesses may have insufficient recourse against such third parties and our businesses may have to expend significant resources to mitigate the impact of such an event and to develop and implement protections to prevent future events of this nature from occurring. Our business's network of ecosystem partners could also be a source of vulnerability to the extent their applications interface with our businesses, whether unintentionally or through a malicious backdoor. Our businesses do not review the software code included in third-party integrations in all instances.