through theft or misuse), sophisticated nation-states, and nation-state-supported actors. We and the third parties
upon which we rely are subject to a variety of evolving threats, including but not limited to social-engineering
attacks, malicious code, malware (, denial-of-service attacks, personnel misconduct or error, ransomware attacks,
supply-chain attacks, software bugs, server malfunctions, software or hardware failures, loss of data or other
information technology assets, adware, telecommunications failures and other similar threats. In particular,
ransomware attacks are becoming increasingly prevalent and can lead to significant interruptions in our
operations, loss of data and income, reputational harm, and diversion of funds. Extortion payments may alleviate
the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to,
for example, applicable laws or regulations prohibiting such payments. Similarly, supply-chain attacks have
increased in frequency and severity, and we cannot guarantee that third parties and infrastructure in our supply
chain or our third-party partners’ supply chains have not been compromised. Further, a partially remote
workforce created by the COVID-19 global pandemic poses increased risks to our information technology
systems and data, as certain employees work from home on a full or part-time basis, utilizing network
connections outside our premises. Business transactions (such as acquisitions or integrations) could expose us to
additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities
present in acquired or integrated entities’ systems and technologies.
Any of the previously identified or similar threats could cause a security incident or other interruption that could
result in unauthorized, unlawful, or accidental acquisition, modification, destruction, loss, alteration, encryption,
disclosure of, or access to our sensitive information. A security incident or other interruption could disrupt our
ability (and that of third parties upon whom we rely) to provide our services. We may expend significant
resources or modify our business activities to try to protect against security incidents. Certain data privacy and
security obligations may require us to implement and maintain specific security measures, industry-standard or
reasonable security measures to protect our information technology systems and sensitive information. While we
have implemented security measures designed to protect against security incidents, there can be no assurance that
these measures will be effective. We take steps to detect and remediate vulnerabilities, but may not be able to
detect and remediate all vulnerabilities because the threat and techniques used to exploit change frequently and
are often sophisticated in nature. Therefore, such vulnerabilities could be exploited but, may not be detected until
after a security incident has occurred. These vulnerabilities pose material risk to our business. Further, we may
experience delays in developing and deploying remedial measures designed to address any such identified
vulnerabilities.
Applicable data privacy and security obligations may require us to notify relevant stakeholders of security
incidents. Such disclosures are costly, and the disclosures or the failure to comply with such requirements could
lead to adverse consequences. If we (or a third party upon whom we rely) experience a security incident or are
perceived to have experienced a security incident, we may experience adverse consequences, such as:
government enforcement actions (; additional reporting requirements and/or oversight; restrictions on processing
sensitive information; litigation; indemnification obligations; negative publicity; reputational harm; monetary
fund diversions; interruptions in our operations; financial loss; and other similar harms. Security incidents and
attendant consequences may cause customers to stop using our services, deter new customers from using our
services, and negatively impact our ability to grow and operate our business. Our contracts may not contain
limitations of liability, and even where they do, there can be no assurance that limitations of liability in our
contracts are sufficient to protect us from liabilities, damages, or claims related to our data privacy and security
obligations. We cannot be sure that our insurance coverage will be adequate or sufficient to protect us from or to
mitigate liabilities arising out of our privacy and security practices, that such coverage will continue to be
available on commercially reasonable terms or at all, or that such coverage will pay future claims.
Shutdowns or service disruptions of our information systems or network caused by power outages, natural
disasters, extreme weather, terrorist attacks, pandemics (such as the COVID-19 global pandemic), wars (such as
Russia’s invasion of Ukraine), or other similar events pose increasing risks. Shutdowns or disruption from such
events could have an adverse impact on us and our customers, including degradation or disruption of service, loss
of data, release or threatened release of data publicly, misuse or threatened misuse of data, and damage to
36