Our business is highly dependent on our ability to process transactions, gather and disseminate information and manage various types of client and other data across numerous and diverse markets in many currencies. If any of our financial, accounting, human resources, or other data processing, e-mail, client accounting, funds processing, or electronic information management systems do not operate properly or are disabled, we could suffer a disruption of our businesses, liability to clients, loss of client data, loss of employee data, regulatory intervention, breach of confidentiality or other contract provisions, or reputational damage. These systems may fail to operate properly or become disabled as a result of events that are wholly or partially beyond our control, including disruptions of electrical or communications services, disruptions caused by natural disasters, political instability, terrorist attacks, sabotage, computer viruses, or problems with the Internet, deliberate attempts to disrupt our computer systems through "hacking," "phishing," or other forms of cyber-attack, or our inability to occupy one or more of our office buildings. As we outsource significant portions of our information technology functions to third-party providers, we bear the risk of having somewhat less direct control over the manner and quality of performance than we would if done by our own employees. An example of this is the increasing use of cloud computing, whereby we outsource to third parties the maintenance of increasing amounts of our business records, including electronically maintained documents and emails, rather than keeping them on our own servers.
We are exposed to the risk of cyber-attacks in the normal course of business. In general, cyber incidents can result from deliberate attacks or unintentional events. We have observed an increased level of attention focused on cyber-attacks that include gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption. During the last few years, some major corporations and other entities have reported that they had experienced broad-based theft of customer and internal data, with material financial and reputational consequences. To the extent that our technology systems interact with those of our clients, they may face similar potential problems and losses as the result of cyber-attacks through our systems that then impact their systems. Certain high-profile cyber-attacks at other firms have come through the systems of suppliers.
We have experienced various types of cyber-attack incidents, which to-date have been contained and have not been material to the organization as a whole. As the result of such incidents, we have continued to implement new governance, technical protections, and other procedures. We may incur substantial costs and suffer other negative consequences if we fall victim to other successful cyber-attacks. Such negative consequences could include: remediation costs that may include liability for stolen money and other assets or information and repairing system damage that may have been caused; increased cyber-security protection costs that may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third-party experts and consultants; lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract clients following an attack; litigation; and reputational damage adversely affecting client or investor confidence.
We are increasingly recognizing both the challenges and opportunities involved in mining the data in our systems so that we "know what we know" and can use that knowledge for the benefit of our clients and our organization in the most sophisticated possible ways.
The development of new software systems used to operate one or more aspects of our business is complicated, particularly on a customized basis or in order to coordinate or consolidate financial, human resources or other types of infrastructure data reporting, client accounting, or funds processing. Additionally, the effort may result in costs that we cannot recoup in the event of the failure to complete a planned software development. A new software system that has defects may cause reputational issues and client or employee dissatisfaction and/or damages, with our incurring liabilities and/or experiencing lost business as possible results. The acquisition or development of software systems is often dependent to one degree or another on the quality, ability and/or financial stability of one or more third-party vendors, over which we may not have control beyond the rights we negotiate in our contracts. Privacy regulations vary by jurisdiction (or across a region such as the European Union) and may restrict our ability to share or collect data on a global basis, and this may limit the utility of otherwise available technology. When we transfer data between countries and continents for the purpose of managing and reporting on our global business, both internally within JLL or LaSalle systems and externally through third-party providers, we are exposed to the risk that our systems and operations may not meet all of the data privacy and protection laws of the countries from which the data originates. Furthermore, third-party providers who previously relied on the EU-U.S. Safe Harbor framework have now had to find alternative methods to meet EU standards for data transfers in the wake of the European Commission’s invalidation of Safe Harbor in late 2015. Although we try to stay abreast of data privacy laws worldwide and keep track of our data flows in order to assess where and what compliance requirements apply, the rapid development and changes in systems and technology, along with corresponding changes in laws and regulations, make this a difficult challenge.
Quick Finder »