Scott T. Parker
Executive Vice President &
Chief Financial Officer
July 16, 2012
Christian Windsor, Special Counsel
Division of Corporation Finance
United States Securities and Exchange Commission
100 F Street, N.W.
Washington, DC 20549
Re: CIT Group Inc.
Form 10-K for the Fiscal Year Ended December 31, 2011
Filed February 29, 2012
Response dated May 15, 2012
File No. 001-31369
Dear Mr. Windsor:
This letter is submitted on behalf of CIT Group Inc. (the “Company”) in response to your comment letter dated July 6, 2012 relating to the Company’s Form 10-K for the fiscal year ended December 31, 2011 and our response dated May 15, 2012 to your previous comment letter.
Form 10-K for the Fiscal Year Ended December 31, 2011
Item 1A. Risk Factors
We rely on our systems, employees, and certain third party vendors . . ., page 25
1. In your response to prior comment 1, you identify a few data security incidents of third party vendors that impact CIT Group customers in the past two years. In order to provide the proper context, beginning with your next 10-Q, you should clearly state in your risk factor that your third party vendors have experienced attacks that affected some of your customers. Similar to your response, you may include language that indicates that the attacks were mitigated.
Company Response
As we advised in our response dated May 15, 2012, since the beginning of the fiscal year ended December 31, 2009, the Company has not experienced any cyber attacks and there were five information security breaches experienced by third party vendors that affected certain customers of the Company. The Company will revise its risk factor on cyber security in its next Form 10-Q as follows:
We rely on our systems, employees, and certain third party vendors and service providers in conducting our operations, and certain failures, including internal or external fraud, operational errors, systems malfunctions, or cybersecurity incidents, could materially adversely affect our operations.
CIT Group Inc., 1 CIT Drive, Livingston, NJ 07039. Tel: 973-740-5555. Fax: 973-740-5264. scott.parker@cit.com
We are exposed to many types of operational risk, including the risk of fraud by employees and outsiders, clerical and recordkeeping errors, and computer or telecommunications systems malfunctions. Our businesses are dependent on our ability to process a large number of increasingly complex transactions. If any of our financial, accounting, or other data processing systems fail or have other significant shortcomings, we could be materially adversely affected. We are similarly dependent on our employees. We could be materially adversely affected if one of our employees causes a significant operational break-down or failure, either as a result of human error or where an individual purposefully sabotages or fraudulently manipulates our operations or systems. Third parties with which we do business, including vendors that provide services or security solutions for our operations, could also be sources of operational and information security risk to us, including from breakdowns, failures, or capacity constraints of their own systems or employees. Any of these occurrences could result in a diminished ability for us to operate one or more of our businesses, or cause financial loss, potential liability to clients, inability to secure insurance, reputational damage, or regulatory intervention, which could materially adversely affect us.
We may also be subject to disruptions of our operating systems arising from events that are wholly or partially beyond our control, which may include, for example, computer viruses or electrical or telecommunications outages, natural or man-made disasters, such as earthquakes, hurricanes, floods, or tornados, disease pandemics, or events arising from local or regional politics, including terrorist acts. Such disruptions may give rise to losses in service to clients and loss or liability to us. In addition, there is the risk that our controls and procedures as well as business continuity and data security systems prove to be inadequate. The computer systems and network systems we and others use could be vulnerable to unforeseen problems. These problems may arise in both our internally developed systems and the systems of third-party service providers. In addition, our computer systems and network infrastructure present security risks, and could be susceptible to hacking or identity theft. Any such failure could affect our operations and could materially adversely affect our results of operations by requiring us to expend significant resources to correct the defect, as well as by exposing us to litigation or losses not covered by insurance. Although we have business continuity plans and other safeguards in place, our business operations may be adversely affected by significant and widespread disruption to our physical infrastructure or operating systems that support our businesses and customers.
Information security risks for large financial institutions such as CIT have generally increased in recent years in part because of the proliferation of new technologies, the use of the Internet and telecommunications technologies to conduct financial transactions, and the increased sophistication and activities of organized crime, hackers, terrorists, activists, and other external parties. As noted above, our operations rely on the secure processing, transmission and storage of confidential information in our computer systems and networks. Our businesses rely on our digital technologies, computer and email systems, software, and networks to conduct their operations. Although we believe we have robust information security procedures and controls, our technologies, systems, networks, and our customers' devices may become the target of cyber attacks or information security breaches that could result in the unauthorized release, gathering, monitoring, misuse, loss or destruction of CIT's or our customers' confidential, proprietary and other information, or otherwise disrupt CIT's or its customers' or other third parties' business operations.
Since January 1, 2009, we have experienced several security breaches involving the release of customer information by third party service providers. These breaches typically involved an inadvertent release of customer information by the third party service provider to another financial institution or educational institution and the information was subsequently returned or destroyed. However, in two instances, data on consumer accounts serviced by a third party provider, including certain customers of the Company, were taken by insiders without authorization. In both instances, the suspects were identified and the data was recovered. There was no damage to either the Company or the customers as a result of either security breach. Although to date we have not experienced any material losses relating to cyber attacks or other information security breaches, there can be no assurance that we will not suffer such losses in the future. Our risk and exposure to these matters remains heightened because of, among other things, the evolving nature of these threats, the prominent size and scale of CIT and its role in the financial services industry, our plans to continue to implement our Internet banking channel strategies and develop additional remote connectivity solutions to serve our customers when and how they want to be served, our expanded geographic footprint and international presence, the outsourcing of some of our business operations, and the continued uncertain global economic environment. As a result, cyber security and the continued development and enhancement of our controls, processes and practices designed to protect our systems, computers, software, data and networks from attack, damage or unauthorized access remain a priority for CIT. 
As cyber threats continue to evolve, we may be required to expend significant additional resources to continue to modify or enhance our protective measures or to investigate and remediate any information security vulnerabilities.
Disruptions or failures in the physical infrastructure or operating systems that support our businesses and customers, or cyber attacks or security breaches of the networks, systems or devices that our customers use to access our products and services could result in customer attrition, regulatory fines, penalties or intervention, reputational damage, reimbursement or other compensation costs, and/or additional compliance costs, any of which could materially adversely affect our results of operations or financial condition.
* * *
The Company acknowledges that:
· the Company is responsible for the adequacy and accuracy of the disclosure in the filing;
· Staff comments or changes to disclosure in response to Staff comments do not foreclose the Commission from taking any action with respect to the filing; and
· the Company may not assert staff comments as a defense in any proceeding initiated by the Commission or any person under the federal securities laws of the United States.
If you have any questions concerning the matters discussed in this letter, please call the undersigned at (973) 740-5555.
Sincerely,
/s/ Scott T. Parker
Scott T. Parker
Executive Vice President &
Chief Financial Officer