BlackRock Inc.: 10-K Risk Factor Changes

2026 vs 2025  ·  SEC EDGAR  ·  2026-05-22
⚠ AI-Generated

The summary below was generated by an AI language model and may contain errors or omissions. All other content on this page is deterministically extracted from the original SEC EDGAR filing.

BlackRock's 2026 risk factor disclosures reflect a heightened focus on cybersecurity threats, with a new dedicated risk factor addressing cyber-attacks and information security failures, while simultaneously consolidating or de-emphasizing market-specific risks such as asset price volatility, interest rate sensitivity, and competitive pressure that were separately detailed in 2025. The company substantively modified 15 risk factors, suggesting material changes to existing disclosures particularly around tax policy exposure and climate-related risks, while removing seven distinct risk categories including those addressing contract termination, competitor product performance, and quantitative model errors. This shift represents a strategic rebalancing of risk disclosure priorities toward operational resilience and regulatory compliance rather than market and competition dynamics.

✓ Deterministic extraction — no AI-generated data

Classification is based on semantic text similarity scoring and may include approximations. “No match” means no high-confidence textual match was found — not necessarily that a section was removed.

2 New Risks  ·  7 Removed  ·  15 Modified  ·  24 Unchanged
🟢 New in Current Filing

A cyber-attack or a failure to implement effective information and cybersecurity policies, procedures and capabilities could disrupt operations and lead to financial losses and reputational harm, which may cause BlackRock’s AUM, revenue and earnings to decline.

BlackRock is dependent on the effectiveness of the information and cybersecurity policies, procedures and capabilities it maintains to protect its computer and telecommunications systems and the data that resides on or is transmitted through them, including data provided by third parties that is significant to portions of BlackRock's business and products. An information security incident or disruption, such as a cyber-attack including social engineering, deepfakes, phishing scams, business email compromise, malware, denial-of-service or ransomware attacks, or failures to control access to sensitive systems, could materially interrupt business operations or cause disclosure or modification of sensitive or confidential client or competitive information. Moreover, developments in BlackRock’s use of process automation and artificial intelligence (“AI”), as well as the use of remote access by employees and mobile and cloud technologies, heighten these and other operational risks, as certain aspects of the security of such technologies may be complex, unpredictable or beyond BlackRock’s control. BlackRock’s growing exposure to the public Internet, as well as reliance on mobile or cloud technology or any failure by mobile technology and cloud service providers to adequately safeguard their systems and prevent cyber-attacks, could disrupt BlackRock’s operations and result in misappropriation, corruption or loss of personal, confidential or proprietary information or third-party data. In addition, there is a risk that encryption and other protective measures may be circumvented, particularly to the extent that new computing technologies including quantum computing increase the speed and computing power available. 
The financial services industry has been the subject of cyber-attacks involving the dissemination, theft and destruction of corporate information or other assets, as a result of failure to follow procedures by employees or contractors or as a result of actions by third parties, including nation state actors, terrorist organizations, cyber criminals and hacktivists. BlackRock has been and continues to be the target of cyber-attacks, as well as the co-opting of its brand and fraudulent impersonations of the Company and members of management. It continues to monitor and develop its systems to protect its technology infrastructure and data from misappropriation or corruption, as the failure to do so could disrupt BlackRock’s operations and cause financial losses. Advances in technology, including generative AI, and use of such technology by malicious actors heighten these risks. Although BlackRock has implemented policies and controls, and takes protective measures involving significant expense, to help prevent and address potential data breaches, inadvertent disclosures, increasingly sophisticated cyber-attacks and cyber-related fraud, there can be no assurance that any of these measures proves fully effective. In addition, given the evolving nature of cyber threat actors and the increasing sophistication of cyber-attack methodology, a successful cyber-attack may persist for an extended period of time before being detected, and it may take a considerable amount of time for an investigation to be completed and the severity and potential impact to be known. Moreover, due to the complexity and interconnectedness of BlackRock’s systems, the process of upgrading or patching the Company’s protective measures could itself create a risk of security issues or system disruptions for the Company, as well as for clients who rely upon, or have exposure to, BlackRock’s systems. 
In addition, due to BlackRock’s interconnectivity with third-party vendors, advisors, central agents, exchanges, clearing houses and other financial institutions, BlackRock or any such third-party may be adversely affected if any of them (or their service providers) is subject to a successful cyber-attack or other information security event, including those arising due to the use of mobile technology or a third-party cloud environment. BlackRock also routinely transmits and receives personal, confidential or proprietary information by email and other electronic means. The Company collaborates with clients, vendors and other third parties to develop secure transmission capabilities and protect against cyber-attacks. However, BlackRock or such third parties may not have all appropriate controls in place to protect the confidentiality of such information. Any information security incident or cyber-attack against BlackRock or third parties with whom it is connected, including any interception, mishandling or misuse of personal, confidential or proprietary information or failure to disclose or communicate a cybersecurity incident appropriately, could result in material financial loss, loss of competitive position, regulatory fines and/or sanctions, breach of client contracts, reputational harm or legal liability, which, in turn, may cause BlackRock’s AUM, revenue and earnings to decline. In addition, BlackRock’s cybersecurity insurance may not cover all losses and damages from such events and BlackRock’s ability to maintain or obtain sufficient insurance coverage in the future may be limited.

Failure or unavailability of third-party dependencies may adversely affect Aladdin operations, which could cause reputational harm, lead to a loss of clients and impede BlackRock’s productivity and growth.

BlackRock must maintain effective infrastructure, including a robust and secure technological framework, to maximize the benefit of the Aladdin platform.
In so doing, it relies in part on certain third-party service providers, including for cloud hosting and technologies supporting cloud-based operations. For example, Aladdin’s data architecture depends on third-party providers of technology solutions, including the ability of such parties to scale and perform in response to Aladdin’s growth. In addition, the analytical capabilities of Aladdin depend on the ability of a number of third parties to provide data and other information as inputs into Aladdin’s analytical calculations. Although BlackRock has implemented internal controls and procedures and maintains a robust vendor management program designed to perform diligence and monitor third parties that support the Aladdin platform, there can be no assurance that these measures will prove effective. Any failure by third parties to maintain infrastructure that is commensurate with Aladdin’s size and growth, or provide the data or information required to support its varying capabilities, could compromise Aladdin’s resilience, result in operational difficulties, cause reputational harm and adversely impact BlackRock’s ability to provide services to its investment advisory and Aladdin clients.

Continuing enhancements to Aladdin’s capabilities, as well as the expansion of the Aladdin platform into new markets and geographies, have led to significant growth in Aladdin’s processing scale, which may expose BlackRock to reputational harm, increased regulatory scrutiny and heightened operational, data management, cyber- and information security risks.

The operation of BlackRock’s Aladdin platform routinely involves updating existing capabilities, configuration change management, developing, testing and rolling out new functionalities and expanding coverage into new markets and geographies, including in connection with inorganic transactions or to address client or regulatory requirements.
These updates and expansion initiatives, which have led to significant growth in Aladdin’s processing scale, frequently occur on accelerated timeframes and may expose BlackRock to additional cyber- and information security risks, as well as increased execution, operational and data management risks. If BlackRock is unable to manage the pace of, or provide the operational resiliency and stability for, the expansion of Aladdin and associated growth of its processing scale, BlackRock may experience client attrition, reduced business, increased costs, reputational harm or regulatory fines and/or sanctions, which may cause BlackRock’s AUM, revenue and earnings to decline.
In addition, the highly regulated business activities of many Aladdin clients may expose BlackRock to heightened regulatory scrutiny. For example, the changing political and regulatory environment in certain jurisdictions in which Aladdin clients are based has required BlackRock to open data centers in those jurisdictions in order to host client data in the client’s home location. Operating data centers in foreign jurisdictions may expose BlackRock to increased operational complexity, as well as additional regulatory risks associated with the compliance requirements of such jurisdictions. In addition, there has been increased regulatory scrutiny globally on technology and information providers, which may impact Aladdin and certain functionalities and tools.

A failure to effectively manage the development and use of AI, combined with an evolving regulatory environment, could have an adverse effect on BlackRock’s growth, reputation or business.

BlackRock uses machine learning and AI in its business and expects to continue to expand its AI capabilities, including through generative AI.
AI technologies are complex and rapidly evolving, and the introduction of AI into new or existing processes may result in new or enhanced governmental or regulatory scrutiny, IP or other litigation, data protection, confidentiality or information security risks, social or ethical concerns, competitive harm or other complications. For example, the use of datasets to develop and test AI models, the content generated by AI systems, or the application of AI systems may be found to be insufficient, biased or harmful, or lead to adverse business decisions or operating errors. AI technologies, including generative AI, may create content that appears correct but is factually inaccurate or flawed. In addition, IP ownership and license rights, including copyright, surrounding AI technologies are still being developed and have not been fully addressed by US courts or federal, state or non-US laws or regulation. Furthermore, regulatory scrutiny of AI technologies and controls continues to evolve globally with new and forthcoming laws and regulations. The volume and reliance on data and algorithms may make AI, and BlackRock, more susceptible to cybersecurity threats, including the compromise of underlying models, training data or other IP. Efforts around use of these technologies require additional investment in operational controls and procedures, development and implementation of appropriate protections and safeguards for handling the use of data with AI, including with respect to data leakage, fraud prevention and regulatory compliance costs. AI technologies may also disrupt the competitive landscape for investment management and technology services, including in commercial and operational areas such as data aggregation and quantitative models. 
Any failure to successfully integrate AI technologies, respond to client or market demands, accurately communicate AI initiatives, comply with AI-related regulations, identify or address any legal or regulatory issues associated with AI or effectively manage the related risks could harm BlackRock’s growth and reputation, adversely impact product offerings, client interactions or business initiatives, and expose the Company to legal and regulatory liabilities and additional costs, including regulatory fines or sanctions, which may cause its AUM, revenue and earnings to decline.

Failure to maintain adequate corporate and contingent liquidity may cause BlackRock’s AUM, liquidity and earnings to decline, as well as harm its prospects for growth.

BlackRock’s ability to meet anticipated cash needs depends upon a number of factors, including its creditworthiness and ability to generate operating cash flows. In addition, while BlackRock, Inc. is not subject to regulatory capital or liquidity requirements, certain of its subsidiaries are subject to regulatory capital and liquidity frameworks as well as certain other prudential requirements and standards, which require them to maintain certain levels of capital and liquidity. Failure to maintain adequate liquidity could lead to unanticipated costs and force BlackRock to revise existing or future strategic and business initiatives. BlackRock’s access to equity and debt markets and its ability to issue public or private debt, or obtain lines of credit or commercial paper back-up lines, on reasonable terms may be limited by adverse market conditions, a reduction in its long- or short-term credit ratings, or changes in government regulations, including tax and interest rates.
Failure to obtain funds and/or financing, or any adverse change to the cost of obtaining such funds and/or financing, may cause BlackRock’s AUM, liquidity and earnings to decline, curtail its operations and limit or impede its prospects for growth.

Operating risks associated with BlackRock’s securities lending program may result in client losses.

BlackRock lends securities to banks and broker-dealers as agent on behalf of certain of its clients. In these securities lending transactions, the borrower is required to provide and maintain collateral at or above regulatory minimums. Securities on loan are marked to market daily to determine if the borrower is required to provide additional collateral. BlackRock must manage this process and is charged with mitigating the associated operational risks. The failure of BlackRock’s controls to mitigate such operational risks could result in financial losses for the Company’s clients that participate in its securities lending programs (separate from any losses related to the risks of collateral investments), and BlackRock may be held liable for any failure to manage such risks.

🟢 New in Current Filing: A subsidiary of BlackRock is subject to US banking regulations that may limit its business activities.
🔴 No Match in Current Filing: Changes in the value levels of equity, debt, real assets, commodities, foreign exchange or other asset markets, including from the impact of global trade policies and tariffs, may cause assets under management (“AUM”), revenue and earnings to decline.
🔴 No Match in Current Filing: Changes in interest or foreign exchange rates and/or divergent beta may cause BlackRock’s AUM and base fees to fluctuate and introduce volatility to the Company’s net income and operating cash flows.
🔴 No Match in Current Filing: BlackRock’s investment advisory contracts may be terminated or may not be renewed by clients and fund boards on favorable terms and the liquidation of certain funds may be accelerated at the option of investors.
🔴 No Match in Current Filing: The failure or negative performance of products offered by competitors may cause AUM in similar BlackRock products to decline irrespective of BlackRock’s performance.
🔴 No Match in Current Filing: Increased competition may cause BlackRock’s AUM, revenue and earnings to decline.
🔴 No Match in Current Filing: Failure to identify errors in the quantitative models BlackRock utilizes to manage its business could adversely affect product performance and client relationships.
🔴 No Match in Current Filing: A subsidiary of BlackRock is subject to US banking regulations that may limit its business activities.
🟡 Modified: New tax legislation or changes to existing US and non-US tax laws, treaties and regulations or challenges to BlackRock’s historical taxation practices may adversely affect BlackRock’s effective tax rate, business and overall financial condition.
🟡 Modified: Climate-related risks could adversely affect BlackRock’s business, products, operations and clients, which may cause BlackRock’s AUM, revenue and earnings to decline.
🟡 Modified: Failure to identify errors in the quantitative models BlackRock utilizes to manage its business could adversely affect product performance and client relationships.
🟡 Modified: New regulations informed by global standard setters and/or developed by various national authorities may expose BlackRock to increasing regulatory scrutiny and compliance costs in the jurisdictions in which it operates.
🟡 Modified: BlackRock's alternatives products include investments in early-stage companies, private equity portfolio companies, private credit and real assets, such as real estate, infrastructure and energy assets, which expose BlackRock and its funds and accounts to new or increased risks and liabilities, as well as reputational harm.
🟡 Modified: Regulatory reforms in the US expose BlackRock to increasing regulatory scrutiny, as well as regulatory uncertainty.
🟡 Modified: International regulatory reforms expose BlackRock to increasing regulatory scrutiny, as well as regulatory uncertainty.
🟡 Modified: BlackRock is subject to extensive regulation around the world, which increases its cost of doing business.
🟡 Modified: BlackRock is subject to risks associated with its recent acquisitions, including any failure to realize anticipated benefits of such acquisitions.
🟡 Modified: Disruption to the operations of third parties whose functions are integral to BlackRock’s exchange-traded product (“ETP”) platform may adversely affect the prices at which ETPs trade, particularly during periods of market volatility.
🟡 Modified: Fraud, the circumvention of controls or the violation of risk management and workplace policies could have an adverse effect on BlackRock’s reputation, which may cause the Company’s AUM, revenue and earnings to decline.
🟡 Modified: BlackRock’s decision on whether to provide support to particular investment products from time to time, or the inability to provide support, may cause AUM, revenue and earnings to decline.
🟡 Modified: Legal proceedings may cause the Company’s AUM, revenue and earnings to decline.
🟡 Modified: Any disruption to the Company’s distribution channels may cause BlackRock’s AUM, revenue and earnings to decline.
🟡 Modified: Operating risks associated with BlackRock’s securities lending program may result in client losses.