American Express 2015 Annual Report Download - page 48

Download and view the complete annual report

Please find page 48 of the 2015 American Express annual report below. You can navigate through the pages in the report by either clicking on the pages listed below, or by using the keyword search tool below to find specific information within the annual report.

Page out of 196

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161
  • 162
  • 163
  • 164
  • 165
  • 166
  • 167
  • 168
  • 169
  • 170
  • 171
  • 172
  • 173
  • 174
  • 175
  • 176
  • 177
  • 178
  • 179
  • 180
  • 181
  • 182
  • 183
  • 184
  • 185
  • 186
  • 187
  • 188
  • 189
  • 190
  • 191
  • 192
  • 193
  • 194
  • 195
  • 196

Global financial institutions like us have experienced a significant increase in information security risk in recent years and
will likely continue to be the target of increasingly sophisticated cyber-attacks, including computer viruses, malicious or
destructive code, social engineering attacks (including phishing), denial of service attacks and security breaches. For
example, we and other U.S. financial services providers have been the targets of distributed denial-of-service attacks from
sophisticated third parties.
Our networks and systems are subject to constant attempts to identify and exploit potential vulnerabilities in our
operating environment with intent to disrupt our business operations and capture various types of information relating to
corporate trade secrets, customer information, including Card Member and loyalty program account information, employee
information and other sensitive business information. There are a number of motivations for cyber threat actors, including
criminal activities such as fraud, identity theft and ransom, corporate or nation-state espionage, public embarrassment with
the intent to cause financial or reputational harm, intent to disrupt information technology systems, and to expose and
exploit potential security and privacy vulnerabilities in corporate systems and websites. As outsourcing and specialization of
functions within the payments industry increase, there are more third parties involved in processing transactions using our
cards and there is a risk the confidentiality, privacy and/or security of data held by third parties, including merchants that
accept our cards and our business partners, may be compromised, which could lead to unauthorized transactions on our
cards and costs associated with responding to the compromise.
We develop and maintain systems and processes aimed at detecting and preventing data breaches and fraudulent
activity, which require significant investment, maintenance and ongoing monitoring and updating as technologies and
regulatory requirements change and as efforts to overcome security measures become more sophisticated. Despite our
efforts, the possibility of data breaches, malicious social engineering and fraudulent or other malicious activities and human
error or malfeasance cannot be eliminated entirely, and risks associated with each of these remain, including the unauthorized
disclosure, release, gathering, monitoring, misuse, loss or destruction of confidential, proprietary and other information
(including account data information), online accounts and systems. These risks will likely evolve as new technology is
deployed. For example, with the increased use of EMV technology, we may see a decrease in traditional fraud risk, but
sophisticated fraudsters may develop new ways to commit fraud and we may see an increase in online fraud.
Our information technology systems, including our transaction authorization, clearing and settlement systems, and data
centers may experience service disruptions or degradation because of technology malfunction, sudden increases in customer
transaction volume, natural disasters, accidents, power outages, telecommunications failures, fraud, denial-of-service and
other cyber-attacks, terrorism, computer viruses, physical or electronic break-ins, or similar events. Service disruptions could
prevent access to our online services and account information, compromise company or customer data, and impede
transaction processing and financial reporting. Inadequate infrastructure in lesser developed countries could also result in
service disruptions, which could impact our ability to do business in those countries.
If our information technology systems experience a significant disruption or breach or if actual or perceived fraud levels or
other illegal activities involving our cards or customer online accounts were to rise due to a data breach at a business partner,
merchant or other market participant, employee error, malfeasance or otherwise, it could lead to the loss of data or data
integrity, regulatory investigations and intervention (such as mandatory card reissuance), increased litigation (including class
action litigation), remediation and response costs, greater concerns of customers and/or business partners relating to the
privacy and security of their data, and reputational and financial damage to our brand, which could reduce the use and
acceptance of our cards, and have a material adverse impact on our business. If such disruptions or breaches are not detected
immediately, their effect could be compounded. Data breaches and other actual or perceived failures to maintain
confidentiality, integrity, privacy and/or data protection, including leaked business data, may also disrupt our operations,
undermine our competitive advantage through the disclosure of sensitive company information, divert management attention
and resources and negatively impact the assessment of us and our subsidiaries by banking regulators and rating agencies.
Successful cyber-attacks or data breaches at other large financial institutions, large retailers or other market participants,
whether or not we are impacted, could lead to a general loss of customer confidence that could negatively affect us, including
harming the market perception of the effectiveness of our security measures or the financial system in general, which could
result in reduced use of our products and services. Although we have insurance for losses related to cyber-risks and attacks
and information security and privacy liability, it may not be sufficient to offset the impact of a material loss event.
We face substantial and increasingly intense competition for partner relationships, which could result in a loss
or renegotiation of these arrangements that could have a material adverse impact on our business and results
of operations.
In the ordinary course of our business we enter into different types of contractual arrangements with business partners in
a variety of industries. For example, we have partnered with Delta Air Lines, as well as many others globally, to offer cobranded
cards for consumers and small businesses, and through our Membership Rewards program we have partnered with
businesses in many industries, including the airline industry, to offer benefits to Card Member participants. Competition for
relationships with key business partners is very intense and there can be no assurance we will be able to grow or maintain
these partner relationships. Establishing and retaining attractive cobrand card partnerships is particularly competitive among
card issuers and networks as these partnerships typically have high-spending loyal customers. Our entire cobrand portfolio
37