data provided by third parties that is significant to our business. An information security incident, such as a cyber-attack involving a phishing scam, business email compromise, malware, or ransomware attack, or an internally caused incident or disruption, such as misuse or a failure to control access to sensitive systems, could materially interrupt our business operations or cause disclosure or modification of sensitive or confidential investor or competitive information. Moreover, our growing reliance on mobile and cloud technology and any failure by mobile technology and cloud service providers to adequately safeguard their systems and prevent cyber-attacks could disrupt our operations and result in misappropriation, corruption, or loss of personal, confidential, or proprietary information or third-party data. Additionally, although we take precautions to password protect and encrypt our laptops and other mobile electronic hardware, if such hardware is stolen, misplaced, or left unattended, it may become vulnerable to hacking or other unauthorized use, creating a possible security risk and resulting in potentially costly actions. Furthermore, there is a risk that encryption and other protective measures may be circumvented, particularly to the extent that new computing technologies increase the speed and computing power available.
The financial services industry has been the subject of cyber-attacks involving the dissemination, theft, and destruction of corporate information or other assets as a result of failure to follow procedures by employees or as a result of actions by third parties, including actions by terrorist organizations and nation-state actors. Although we have implemented policies and controls to prevent and address potential data breaches, inadvertent disclosures, increasingly sophisticated cyber-attacks, and cyber-related fraud, there can be no assurance that any of these measures will prove effective. Because the techniques used to obtain unauthorized access, disable, or degrade service or sabotage systems change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques, to implement adequate preventative measures, or to address them until they are discovered. In addition, a successful cyber-attack may persist for an extended period of time before being detected, and it may take a considerable amount of time for an investigation to be completed and the severity and potential impact to be known. While such an investigation is ongoing, we may not necessarily know the extent of the harm or how best to remediate it, certain errors or actions could be repeated or compounded before they are discovered and remediated, and communication to the public, regulators, shareholders, and investors in the Hennessy Funds may be inaccurate, any or all of which could further increase the costs and consequences of an information security incident.
If any of these events were to occur, we could suffer a financial loss, a disruption of our business, liability to the Hennessy Funds and their investors, regulatory intervention, or reputational damage, any of which could have a material adverse effect on our business, results of operations, and financial condition. We also may be required to expend significant additional resources to modify our protective measures or to investigate and remediate vulnerabilities or other exposures. In addition, our cybersecurity insurance may not cover all losses and damages from such events and our ability to maintain or obtain sufficient insurance coverage in the future may be limited.
Finally, cybersecurity and data privacy have become high priorities for regulators, and many jurisdictions are enacting laws and regulations in these areas. Two such laws are the California Consumer Privacy Act of 2018, which took effect in 2020, and the California Privacy Rights Act of 2020, which will take effect in 2023. Enactment of new privacy laws or regulations could, among other things, result in additional costs of compliance or litigation. In addition, while we strive to comply with the relevant laws and regulations, any failure to comply could result in regulatory investigations and penalties as well as negative publicity, which could materially adversely affect our business, results of operations, and financial condition.
We are exposed to legal risk and litigation, which could increase our expenses and reduce our profitability.
We are subject to a number of sources of potential legal liability, including, by way of example, investors in the Hennessy Funds, our own shareholders, our employees, or regulators. Lawsuits or investigations that we may become involved in could be very expensive and highly damaging to our reputation, even if the underlying claims are without merit.
Our business is extensively regulated, which increases our costs of doing business, and our failure to comply with regulatory requirements may harm our financial condition.
Our business is subject to extensive regulation in the United States, particularly by the SEC. We are subject to regulation under the Securities Act of 1933, as amended, the Exchange Act, the Investment Company Act of 1940, the Investment Advisers Act of 1940, and various other statutes. The laws to which we are subject are designed primarily to protect investors in the Hennessy Funds as opposed to our shareholders. In addition to an
26