Citibank 2011 Annual Report Download - page 86

Download and view the complete annual report

Please find page 86 of the 2011 Citibank annual report below. You can navigate through the pages in the report by either clicking on the pages listed below, or by using the keyword search tool below to find specific information within the annual report.

Page out of 320

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161
  • 162
  • 163
  • 164
  • 165
  • 166
  • 167
  • 168
  • 169
  • 170
  • 171
  • 172
  • 173
  • 174
  • 175
  • 176
  • 177
  • 178
  • 179
  • 180
  • 181
  • 182
  • 183
  • 184
  • 185
  • 186
  • 187
  • 188
  • 189
  • 190
  • 191
  • 192
  • 193
  • 194
  • 195
  • 196
  • 197
  • 198
  • 199
  • 200
  • 201
  • 202
  • 203
  • 204
  • 205
  • 206
  • 207
  • 208
  • 209
  • 210
  • 211
  • 212
  • 213
  • 214
  • 215
  • 216
  • 217
  • 218
  • 219
  • 220
  • 221
  • 222
  • 223
  • 224
  • 225
  • 226
  • 227
  • 228
  • 229
  • 230
  • 231
  • 232
  • 233
  • 234
  • 235
  • 236
  • 237
  • 238
  • 239
  • 240
  • 241
  • 242
  • 243
  • 244
  • 245
  • 246
  • 247
  • 248
  • 249
  • 250
  • 251
  • 252
  • 253
  • 254
  • 255
  • 256
  • 257
  • 258
  • 259
  • 260
  • 261
  • 262
  • 263
  • 264
  • 265
  • 266
  • 267
  • 268
  • 269
  • 270
  • 271
  • 272
  • 273
  • 274
  • 275
  • 276
  • 277
  • 278
  • 279
  • 280
  • 281
  • 282
  • 283
  • 284
  • 285
  • 286
  • 287
  • 288
  • 289
  • 290
  • 291
  • 292
  • 293
  • 294
  • 295
  • 296
  • 297
  • 298
  • 299
  • 300
  • 301
  • 302
  • 303
  • 304
  • 305
  • 306
  • 307
  • 308
  • 309
  • 310
  • 311
  • 312
  • 313
  • 314
  • 315
  • 316
  • 317
  • 318
  • 319
  • 320

64
Citi’s operational systems and networks have been, and
will continue to be, vulnerable to an increasing risk of
continually evolving cybersecurity or other technological
risks which could result in the disclosure of confidential
client or customer information, damage to Citi’s
reputation, additional costs to Citi, regulatory penalties
and financial losses.
A significant portion of Citi’s operations relies heavily on the secure
processing, storage and transmission of confidential and other information
as well as the monitoring of a large number of complex transactions on a
minute-by-minute basis. For example, through its global consumer banking,
credit card and Transaction Services businesses, Citi obtains and stores an
extensive amount of personal and client-specific information for its retail,
corporate and governmental customers and clients and must accurately
record and reflect their extensive account transactions. These activities have
been, and will continue to be, subject to an increasing risk of cyber attacks,
the nature of which is continually evolving.
Citi’s computer systems, software and networks have been and will
continue to be vulnerable to unauthorized access, loss or destruction
of data (including confidential client information), account takeovers,
unavailability of service, computer viruses or other malicious code, cyber
attacks and other events. These threats may derive from human error, fraud
or malice on the part of employees or third parties, or may result from
accidental technological failure. If one or more of these events occurs, it
could result in the disclosure of confidential client information, damage to
Citi’s reputation with its clients and the market, additional costs to Citi (such
as repairing systems or adding new personnel or protection technologies),
regulatory penalties and financial losses, to both Citi and its clients and
customers. Such events could also cause interruptions or malfunctions
in the operations of Citi (such as the lack of availability of Citi’s online
banking system), as well as the operations of its clients, customers or other
third parties. Given the high volume of transactions at Citi, certain errors
or actions may be repeated or compounded before they are discovered and
rectified, which would further increase these costs and consequences.
Citi has recently been subject to intentional cyber incidents from external
sources, including (i) data breaches, which resulted in unauthorized
access to customer account data and interruptions of services to customers;
(ii) malicious software attacks on client systems, which in turn allowed
unauthorized entrance to Citi’s systems under the guise of a client and the
extraction of client data; and (iii) denial of service attacks, which attempted
to interrupt service to clients and customers. While Citi was able to detect
these prior incidents before they became significant, they still resulted in
losses as well as increases in expenditures to monitor against the threat
of similar future cyber incidents. There can be no assurance that such
incidents, or other cyber incidents, will not occur again, and they could occur
more frequently and on a more significant scale.
In addition, third parties with which Citi does business may also be
sources of cybersecurity or other technological risks. Citi outsources
certain functions, such as processing of customer credit card transactions,
which results in the storage and processing of customer information by
third parties. While Citi engages in certain actions to reduce the exposure
resulting from outsourcing, such as limiting third-party access to the least
privileged level necessary to perform job functions and restricting third-party
processing to systems stored within Citi’s data centers, unauthorized access,
loss or destruction of data or other cyber incidents could occur, resulting in
similar costs and consequences to Citi as those discussed above. Furthermore,
because financial institutions are becoming increasingly interconnected
with central agents, exchanges and clearing houses, including through the
derivatives provisions of the Dodd-Frank Act, Citi has increased exposure to
operational failure or cyber attacks through third parties.
While Citi maintains insurance coverage that may, subject to policy terms
and conditions including significant self-insured deductibles, cover certain
aspects of cyber risks, such insurance coverage may be insufficient to cover
all losses.
Citi’s financial statements are based in part on
assumptions and estimates, which, if wrong, could cause
unexpected losses in the future, sometimes significant.
Pursuant to U.S. GAAP, Citi is required to use certain assumptions and
estimates in preparing its financial statements, including in determining
credit loss reserves, reserves related to litigation and regulatory exposures,
mortgage representation and warranty claims and the fair value of certain
assets and liabilities, among other items. If the assumptions or estimates
underlying Citi’s financial statements are incorrect, Citi may experience
significant losses. For additional information on the key areas for which
assumptions and estimates are used in preparing Citi’s financial statements,
see “Significant Accounting Policies and Significant Estimates” below, and
for further information relating to litigation and regulatory exposures, see
Note 29 to the Consolidated Financial Statements.
Citi is subject to a significant number of legal and
regulatory proceedings that are often highly complex, slow
to develop and are thus difficult to predict or estimate.
At any given time, Citi is defending a significant number of legal and
regulatory proceedings. The volume of claims and the amount of damages
and penalties claimed in litigation, arbitration and regulatory proceedings
against financial institutions remain high, and could further increase
in the future. See, for example, “—Citi is subject to extensive litigation,
investigations and inquiries pertaining to a myriad of mortgage-related
activities that could take significant time to resolve and may subject Citi to
extensive liability, including in the form of penalties and other equitable
remedies, that could negatively impact Citi’s future results of operations.”
Proceedings brought against Citi may result in judgments, settlements,
fines, penalties, disgorgement, injunctions, business improvement orders or
other results adverse to it, which could materially and negatively affect Citi’s
businesses, financial condition or results of operations, require material