Citibank 2014 Annual Report Download - page 81

Download and view the complete annual report

Please find page 81 of the 2014 Citibank annual report below. You can navigate through the pages in the report by either clicking on the pages listed below, or by using the keyword search tool below to find specific information within the annual report.

Page out of 327

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161
  • 162
  • 163
  • 164
  • 165
  • 166
  • 167
  • 168
  • 169
  • 170
  • 171
  • 172
  • 173
  • 174
  • 175
  • 176
  • 177
  • 178
  • 179
  • 180
  • 181
  • 182
  • 183
  • 184
  • 185
  • 186
  • 187
  • 188
  • 189
  • 190
  • 191
  • 192
  • 193
  • 194
  • 195
  • 196
  • 197
  • 198
  • 199
  • 200
  • 201
  • 202
  • 203
  • 204
  • 205
  • 206
  • 207
  • 208
  • 209
  • 210
  • 211
  • 212
  • 213
  • 214
  • 215
  • 216
  • 217
  • 218
  • 219
  • 220
  • 221
  • 222
  • 223
  • 224
  • 225
  • 226
  • 227
  • 228
  • 229
  • 230
  • 231
  • 232
  • 233
  • 234
  • 235
  • 236
  • 237
  • 238
  • 239
  • 240
  • 241
  • 242
  • 243
  • 244
  • 245
  • 246
  • 247
  • 248
  • 249
  • 250
  • 251
  • 252
  • 253
  • 254
  • 255
  • 256
  • 257
  • 258
  • 259
  • 260
  • 261
  • 262
  • 263
  • 264
  • 265
  • 266
  • 267
  • 268
  • 269
  • 270
  • 271
  • 272
  • 273
  • 274
  • 275
  • 276
  • 277
  • 278
  • 279
  • 280
  • 281
  • 282
  • 283
  • 284
  • 285
  • 286
  • 287
  • 288
  • 289
  • 290
  • 291
  • 292
  • 293
  • 294
  • 295
  • 296
  • 297
  • 298
  • 299
  • 300
  • 301
  • 302
  • 303
  • 304
  • 305
  • 306
  • 307
  • 308
  • 309
  • 310
  • 311
  • 312
  • 313
  • 314
  • 315
  • 316
  • 317
  • 318
  • 319
  • 320
  • 321
  • 322
  • 323
  • 324
  • 325
  • 326
  • 327

64
Citi’s computer systems, software and networks are subject to ongoing
cyber incidents such as unauthorized access; loss or destruction of
data (including confidential client information); account takeovers;
unavailability of service; computer viruses or other malicious code; cyber
attacks; and other events. These threats may arise from human error,
fraud or malice on the part of employees or third parties, or may result
from accidental technological failure. Additional challenges are posed
by external parties, including extremist parties and certain foreign state
actors that engage in cyber activities as a means to promote political ends.
As further evidence of the increasing and potentially significant impact of
cyber incidents, during 2014, certain U.S. financial institutions reported
cyber incidents affecting their computer systems that resulted in the data
of millions of customers being compromised. In addition, several U.S.
retailers and other multinational companies reported cyber incidents that
compromised customer data.
While these incidents did not impact, or did not have a material impact,
on Citi, Citi has been subject to other intentional cyber incidents from
external sources over the last several years, including (i) denial of service
attacks, which attempted to interrupt service to clients and customers;
(ii) data breaches, which aimed to obtain unauthorized access to customer
account data; and (iii) malicious software attacks on client systems, which
attempted to allow unauthorized entrance to Citi’s systems under the guise
of a client and the extraction of client data. While Citi’s monitoring and
protection services were able to detect and respond to the incidents targeting
its systems before they became significant, they still resulted in limited losses
in some instances as well as increases in expenditures to monitor against the
threat of similar future cyber incidents. There can be no assurance that such
cyber incidents will not occur again, and they could occur more frequently
and on a more significant scale.
Although Citi devotes significant resources to implement, maintain,
monitor and regularly upgrade its systems and networks with measures
such as intrusion detection and prevention and firewalls to safeguard
critical business applications, there is no guarantee that these measures or
any other measures can provide absolute security. In addition, because the
methods used to cause cyber attacks change frequently or, in some cases, are
not recognized until launched, Citi may be unable to implement effective
preventive measures or proactively address these methods.
If Citi were to be subject to a cyber incident, it could result in the
disclosure of confidential client information, damage to Citi’s reputation
with its clients and the market, customer dissatisfaction, additional costs to
Citi (such as repairing systems, replacing customer payment cards or adding
new personnel or protection technologies), regulatory penalties, exposure to
litigation and other financial losses to both Citi and its clients and customers.
Such events could also cause interruptions or malfunctions in the operations
of Citi (such as the lack of availability of Citi’s online banking system or
mobile banking platform), as well as the operations of its clients, customers
or other third parties. Given Citi’s global footprint and the high volume of
transactions processed by Citi, certain errors or actions may be repeated or
compounded before they are discovered and rectified, which would further
increase these costs and consequences.
Third parties with which Citi does business may also be sources of
cybersecurity or other technological risks. Citi outsources certain functions,
such as processing customer credit card transactions, uploading content
on customer-facing websites, and developing software for new products and
services. These relationships allow for the storage and processing of customer
information by third-party hosting of or access to Citi websites, which could
result in service disruptions or website defacements, and the potential to
introduce vulnerable code, resulting in security breaches impacting Citi
customers. While Citi engages in certain actions to reduce the exposure
resulting from outsourcing, such as performing onsite security control
assessments, limiting third-party access to the least privileged level necessary
to perform job functions and restricting third-party processing to systems
stored within Citi’s data centers, ongoing threats may result in unauthorized
access, loss or destruction of data or other cyber incidents with increased
costs and consequences to Citi such as those discussed above. Furthermore,
because financial institutions are becoming increasingly interconnected
with central agents, exchanges and clearing houses, including as a result of
the derivatives reforms over the last few years, Citi has increased exposure to
operational failure or cyber attacks through third parties.
While Citi maintains insurance coverage that may, subject to policy terms
and conditions including significant self-insured deductibles, cover certain
aspects of cyber risks, such insurance coverage may be insufficient to cover
all losses.
Citi Maintains Co-Branding and Private Label
Relationships with Various Retailers and Merchants
Within Its U.S. Credit Card Businesses in NA GCB, and the
Failure to Maintain These Relationships Could Have a
Significant Negative Impact on the Results of Operations
or Financial Condition of Those Businesses.
Through its U.S. Citi-branded cards and Citi retail services credit card
businesses within North America Global Consumer Banking (NA GCB),
Citi maintains numerous co-branding and private label relationships with
third-party retailers and merchants in the ordinary course of business
pursuant to which Citi issues credit cards to customers of the retailers or
merchants. Citi’s co-branding and private label agreements provide for
shared economics between the parties and generally have a fixed term.
Competition among card issuers such as Citi for these relationships is
significant and these agreements may not be extended or renewed by
the parties. These agreements could also be terminated due to, among
other factors, a breach by Citi of its responsibilities under the applicable
agreement, a breach by the retailer or merchant under the agreement,
or external factors, including bankruptcies, liquidations, restructurings
or consolidations and other similar events that may occur. While various
mitigating factors could be available in the event of the loss of one or more
of these relationships, such as replacing the retailer or merchant or by Citi
offering new card products, the results of operations or financial condition of
Citi-branded cards or Citi retail services, as applicable, or NA GCB could be
negatively impacted, and the impact could be significant.