SunTrust 2015 Annual Report Download - page 42

by us in reports we file or submit under the Exchange Act is
accurately accumulated and communicated to management, and
recorded, processed, summarized, and reported within the time
periods specified in the SEC's rules and forms. We believe that
any disclosure controls and procedures or internal controls and
procedures, no matter how well conceived and operated, can
provide only reasonable, not absolute, assurance that the
objectives of the control system are met, due to certain inherent
limitations. These include the realities that judgments in decision
making can be faulty, that alternative reasoned judgments can
be drawn, or that breakdowns can occur because of a simple error
or mistake. Additionally, controls can be circumvented by the
individual acts of some persons, by collusion of two or more
people or by an unauthorized override of the controls.
Accordingly, because of the inherent limitations in our control
system, misstatements due to error or fraud may occur and not
be detected, which could result in a material weakness in our
internal controls over financial reporting and the restatement of
previously filed financial statements.

We are at risk of increased losses from fraud.

Criminals committing fraud increasingly are using more
sophisticated techniques and in some cases are part of larger
criminal rings, which allow them to be more effective.
The fraudulent activity has taken many forms, ranging from
check fraud, mechanical devices attached to ATM machines,
social engineering and phishing attacks to obtain personal
information or impersonation of our clients through the use of
falsified or stolen credentials. Additionally, an individual or
business entity may properly identify themselves, yet seek to
establish a business relationship for the purpose of perpetrating
fraud. Further, in addition to fraud committed against us, we may
suffer losses as a result of fraudulent activity committed against
third parties. Increased deployment of technologies, such as chip
card technology, defrays and reduces aspects of fraud; however,
criminals are turning to other sources to steal personally
identifiable information, such as unaffiliated healthcare
providers and government entities, in order to impersonate the
consumer to commit fraud. Many of these data compromises
were widely reported in the media in 2015. Further, as a result
of the increased sophistication of fraud activity, we have
increased our spending on systems and controls to detect and
prevent fraud. This will result in continued ongoing investments
in the future.

A failure in or breach of our operational or security systems
or infrastructure, or those of our third party vendors and
other service providers, including as a result of cyber-attacks,
could disrupt our businesses, result in the disclosure or
misuse of confidential or proprietary information, damage
our reputation, increase our costs and cause losses.

We depend upon our ability to process, record, and monitor
a large number of client transactions on a continuous basis. As
client, public, and regulatory expectations regarding operational
and information security have increased, our operational systems
and infrastructure must continue to be safeguarded and
monitored for potential failures, disruptions, and breakdowns.
Our business, financial, accounting, data processing, or other
operating systems and facilities may stop operating properly or
become disabled or damaged as a result of a number of factors,
including events that are wholly or partially beyond our control.
For example, there could be sudden increases in client transaction
volume; electrical or telecommunications outages; natural
disasters such as earthquakes, tornadoes, and hurricanes; disease
pandemics; events arising from local or larger scale political or
social matters, including terrorist acts; and, as described below,
cyber-attacks. Although we have business continuity plans and
other safeguards in place, our business operations may be
adversely affected by significant and widespread disruption to
our physical infrastructure or operating systems that support our
businesses and clients.

Information security risks for large financial institutions
such as ours have generally increased in recent years in part
because of the proliferation of new technologies, the use of the
internet and telecommunications technologies to conduct
financial transactions, and the increased sophistication and
activities of organized crime, hackers, terrorists, activists, and
other external parties, including hostile nation state actors. As
noted above, our operations rely on the secure processing,
transmission, and storage of confidential information in our
computer systems and networks. Our banking, brokerage,
investment advisory, and capital markets businesses rely on our
digital technologies, computer and email systems, software, and
networks to conduct their operations. In addition, to access our
products and services, our clients may use personal smartphones,
tablet PCs, personal computers, and other mobile devices or
software that are beyond our control. Although we have
information security procedures and controls in place, our
technologies, systems, networks, and our clients' devices and
software may become the target of cyber-attacks or information
security breaches that could result in the unauthorized release,
gathering, monitoring, misuse, loss or destruction of our or our
clients' confidential, proprietary and other information, or
otherwise disrupt our or our clients' or other third parties'
business operations. The Internet and computing devices in
general are prime targets for criminals and others who utilize
sophisticated technology to seek, discover and exploit
vulnerabilities that may, or may not, be generally known.

Third parties with whom we do business or that facilitate
our business activities, including exchanges, clearing houses,
financial intermediaries, or vendors that provide services or
security solutions for our operations, could also be sources of
operational and information security risk to us, including from
breakdowns or failures of their own systems or capacity
constraints.

Although to date we have not experienced any material
losses relating to cyber-attacks or other information security
breaches, there can be no assurance that we will not suffer such
losses in the future. Our risk and exposure to these matters
remains heightened because of, among other things, the evolving
nature of these threats, our prominent size and scale, our role in
the financial services industry, our plans to continue to
implement our internet banking and mobile banking channel
strategies and develop additional remote connectivity solutions
to serve our clients, our expanded geographic footprint, the
outsourcing of some of our business operations, and the
continued uncertain global economic and political environment.
As a result, cyber-security and the continued development and
enhancement of our controls, processes, and practices designed
to protect our systems, computers, software, data and networks