Quiver Quantitative

Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.

View risk factors by ticker

Search filings by term

Risk Factors - CVLT

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Item 1A.Risk Factors

You should consider each of the following factors as well as the other information in this Annual Report in evaluating our business and our prospects. The risks and uncertainties described below are not the only ones we face. Additional risks and uncertainties not presently known to us or that we currently consider immaterial may also impair our business operations. If any of the following risks actually occur, our business and financial results could be harmed. In that case, the trading price of our common stock could decline. You should also refer to the other information set forth in this Annual Report, including our financial statements and the related notes.

Risks Related to Our Business

Our industry is intensely competitive, and many of our competitors have greater financial, technical and sales and marketing resources and larger installed customer bases, which could enable them to compete more effectively than we do.

Competitors vary in size and in the scope and breadth of the products and services offered.

The principal competitive factors in our industry include product functionality and integration, platform coverage, ability to scale, price, worldwide sales infrastructure, global technical support, brand recognition and reputation. If we are unable to address these factors, our competitive position could weaken and we could experience a decline in revenues that could adversely affect our business.

It is also costly and time-consuming to change data management systems. Most of our new customers have installed data management systems, which gives an incumbent competitor an advantage in retaining a customer because the incumbent already understands the network infrastructure, user demands and information technology needs of the customer, and because some customers are reluctant to invest the time and money necessary to change vendors.

New competitors entering our markets can have a negative impact on our competitive positioning. In addition, we expect to encounter new competitors as we enter new markets. Furthermore, many of our existing competitors are broadening their operating systems platform coverage. We also expect increased competition from OEMs, including those we partner with, and from systems and network management companies, especially those that have historically focused on the mainframe computer market and have been making acquisitions and broadening their efforts to include data protection products. We expect that competition will increase as a result of future industry consolidation. Increased competition could harm our business by causing, among other things, price reductions of our products, reduced profitability and loss of market share.

We rely significantly on our value-added resellers, systems integrators and corporate resellers, which we collectively refer to as resellers, for the marketing and distribution of our products and services. Resellers are our most significant distribution channel. However, our agreements with resellers are generally not exclusive, are generally renewable annually, typically do not contain minimum sales requirements and in many cases may be terminated by either party without cause. Many of our resellers carry data protection solutions that compete with ours. If a number of resellers were to discontinue or reduce the sales of our products, or were to promote our competitors’ products in lieu of our own, it could have a material adverse effect on our future revenues. Events or occurrences of this nature could seriously harm our sales and results of operations. If we fail to manage our resellers successfully, there may be conflicts between resellers or they could fail to perform as we anticipate, including required compliance with the terms and obligations of our agreement, either of which could reduce our sales or impact our reputation in the market. In addition, we expect that a portion of our sales growth will depend upon our ability to identify and attract new resellers. Our competitors also use reseller arrangements and may be more successful in attracting reseller partners and could enter into exclusive relationships with resellers that make it difficult to expand our reseller network. Any failure on our part to maintain and/or expand our network of resellers could impair our ability to grow revenues in the future.

Some of our resellers may, either independently or jointly with our competitors, develop and market solutions that compete with our offerings. If this were to occur, these resellers might discontinue marketing and distributing our solutions. In addition, these resellers would have an advantage over us when marketing their competing products and related services because of their existing customer relationships. The occurrence of any of these events could have a material adverse effect on our revenues and results of operations.

In addition, we have a non-exclusive distribution agreement with Arrow pursuant to which Arrow’s primary role is to enable a more efficient and effective distribution channel for our solutions by managing our resellers and leveraging their own industry experience. Arrow accounted for approximately 36% of our total revenues for fiscal 2024 and 37% of our total revenues in both fiscal 2023 and fiscal 2022. If Arrow were to discontinue or reduce the sales of our solutions or if our agreement with Arrow was terminated, and if we were unable to take back the management of our reseller channel or find another distributor to replace Arrow, there could be a material adverse effect on our future business.

Our OEMs sell and integrate our solutions which represents a material portion of our revenues. We have no control over the shipping dates or volumes of systems these OEMs sell and they have no obligation to sell systems incorporating our solutions. They also have no obligation to recommend or offer our solutions exclusively or at all. They have no minimum sales requirements and can terminate our relationship at any time. These OEMs also could choose to develop their own data protection solutions. Our OEM partners compete with one another. If one of our OEM partners views our arrangement with another OEM as competing, it may decide to stop doing business with us. Any material decrease in the volume of sales generated by OEMs could have a material adverse effect on our revenues and results of operations in future periods.

We also sell our solutions via marketplace offerings which enable customers to purchase our solutions through online platforms, typically hosted by a cloud provider. The marketplace allows us to publish an offer which an end user can then purchase directly, or through the assistance of a partner. Similar to our resellers and OEMs, marketplace providers have no obligation to sell or recommend our solutions or offer our solutions exclusively or at all. Sales through the marketplace have not been material to date; however, we anticipate an increase in revenue through this channel. Failure to effectively compete in the marketplace could have a material adverse effect on our revenues and results of operations in future periods.

Most of our support and maintenance agreements are for a one-year term and thereafter, we pursue renewal thereof. Historically, such renewals have represented a significant portion of our total revenue. If our customers do not renew their annual maintenance and support agreements either at all, or on terms that are less favorable to us, our business and financial performance might be adversely impacted.

Additionally, a significant amount of our revenues are from term-based software license and SaaS arrangements. The arrangements are typically one to three years in duration. If at the end of the initial term, customers elect to not renew, or they renew terms that are less favorable to us, our business and financial performance might be adversely impacted.

In periods of volatile economic conditions, our exposure to credit risk and payment delinquencies on our accounts receivable significantly increases.

Our outstanding accounts receivables are generally not secured. Our standard terms and conditions permit payment within a specified number of days following the receipt of our solution.

In addition, we have transitioned a more significant percentage of our revenue to subscription, or term-based, arrangements. In these arrangements, our customers may pay for solutions over a period of several years. Due to the potential for extended period of collection, we may be exposed to more significant credit risk.

We develop solutions that interoperate with certain products, operating systems and hardware developed by others, and if the developers of those operating systems and hardware do not cooperate with us or we are unable to devote the necessary resources so that our solutions interoperate with those systems, our development efforts may be delayed or foreclosed and our business and results of operations may be adversely affected.

Our solutions operate primarily on the Windows, UNIX, Linux and Novell Netware operating systems; used in conjunction with Microsoft SQL; and on hardware devices of numerous manufacturers. When new or updated versions of these operating systems, solution applications, and hardware devices are introduced, it is often necessary for us to develop updated versions of our solution applications so that they interoperate properly with these systems and devices. We may not accomplish these development efforts quickly or cost-effectively, and it is not clear what the relative growth rates of these operating systems and hardware will be.

We encounter long sales and implementation cycles, particularly for our larger customers, which could have an adverse effect on the size, timing and predictability of our revenues.

Potential or existing customers, particularly larger enterprise customers, generally commit significant resources to an evaluation of available solutions and require us to expend substantial time, effort and money educating them as to the value of our solutions. Sales often require an extensive education and marketing effort.

We could expend significant funds and resources during a sales cycle and ultimately fail to win the customer. Our sales cycle for all of our products and services is subject to significant risks and delays over which we have little or no control, including:

•our customers’ budgetary constraints;

•the timing of our customers’ budget cycles and approval processes;

•our customers’ willingness to replace their current solutions;

•our need to educate potential customers about the uses and benefits of our solutions; and

•the timing of the expiration of our customers’ current agreements for similar solutions.

If our sales cycles lengthen unexpectedly, they could adversely affect the timing of our revenues or increase costs, which may cause fluctuations in our quarterly revenues and results of operations. Finally, if we are unsuccessful in closing sales of our solutions after spending significant funds and management resources, our operating margins and results of operations could be adversely impacted, and the price of our common stock could decline.

Demand for data protection and cyber resilience solutions is linked to growth in the amount of data generated and stored, demand for data retention and management (whether as a result of regulatory requirements or otherwise) demand for and adoption of new backup devices and networking technologies, and ability to respond to and recover from data breaches in a secure environment.

Furthermore, the data protection and cyber resiliency market is dynamic and evolving. Our future financial performance will depend in large part on continued growth in the number of organizations adopting data protection and cyber resilience solutions for their environments. If this market fails to grow or grows more slowly than we currently anticipate, our sales and profitability could be adversely affected.

In addition, as we look to deliver new or different cloud-based services, we are making significant technology investments to deliver new capabilities and advance our software to deliver cloud-native customer experiences. Our revenues

related to SaaS offerings have increased in recent years. If these investments do not yield the expected return, or we are unable to decrease the cost of delivering our cloud services, our gross margins, overall financial results, business model and competitive position could suffer.

Therefore, any disruption or interference with our use of these services could adversely affect our business.

Our use of third-party hosting facilities requires us to rely on the functionality and availability of the third parties’ services, as well as their data security, which despite our due diligence, may be or become inadequate. Our continued growth depends in part on the ability of our existing and potential customers to use and access our cloud services or our website to download our software within an acceptable amount of time. Third-party service providers operate platforms that we access, and we are vulnerable to their service interruptions. We may experience interruptions, delays, and outages in service and availability due to problems with our third-party service providers’ infrastructure. This infrastructure’s lack of availability could be due to many potential causes, including technical failures, power shortages, natural disasters, fraud, terrorism, or security attacks that we cannot predict or prevent. Such outages could trigger our service level agreements and the issuance of credits to our customers, which may impact our business and consolidated financial statements.

If we are unable to renew our agreements with our cloud service providers on commercially reasonable terms, an agreement is prematurely terminated, or we need to add new cloud services providers to increase capacity and uptime, we could experience interruptions, downtime, delays, and additional expenses related to transferring to and providing support for these new platforms. Any of the above circumstances or events may harm our reputation and brand, reduce our platforms’ availability or usage, and impair our ability to attract new users, any of which could adversely affect our business, financial condition, and results of operations.

We sell a backup appliance which integrates our solution with hardware. If we fail to accurately predict manufacturing requirements and manage our supply chain we could incur additional costs or experience manufacturing delays that could harm our business.

We generally provide forecasts of our requirements to our supply chain partners on a rolling basis. If our forecast exceeds our actual requirements, a supply chain partner may assess additional charges or we may incur costs for excess inventory they hold, each of which could negatively affect our gross margins. If our forecast is less than our actual requirements, the applicable supply chain partner may have insufficient time or components to produce or fulfill our solutions' requirements, which could delay or interrupt manufacturing of our products or fulfillment of orders for our solutions, and result in delays in shipments, customer dissatisfaction, and deferral or loss of revenue. If we fail to accurately predict our requirements, we may be unable to fulfill those orders or we may be required to record charges for excess inventory. Any of the foregoing could adversely affect our business, financial condition or results of operations.

Our complex solutions may contain undetected errors, which could adversely affect not only their performance but also our reputation and the acceptance of our solutions in the market.

Our complex solutions may contain undetected errors or failures, especially when they are made generally available or new versions are released. Despite extensive testing by us and customers, we have discovered errors in our solutions in the past and will do so in the future. As a result of past discovered errors, we experienced delays and lost revenues while we corrected those solutions. In addition, customers in the past have brought to our attention “bugs” in our software created by the customers’ unique operating environments, which are often characterized by a wide variety of both standard and non-standard configurations that make pre-release testing very difficult and time consuming. Although we have been able to fix these bugs in the past, we may not always be able to do so. Our solutions may also be subject to intentional attacks by viruses that seek to take advantage of these bugs, errors or other weaknesses. Any of these events may result in the loss of, or delay in, market acceptance of our solutions or damage to our reputation, which would seriously harm our sales, results of operations and financial condition.

Incorrect or improper implementation or use of our data security solutions could result in customer dissatisfaction and harm our business, financial condition, and results of operations.

Our products are deployed by our customers and partners in a wide variety of IT infrastructures, including large-scale, complex technology environments, and we believe our future success will depend, at least in part, on our ability to support such deployments. Implementations of our products may be technically complicated, and it may not be easy to maximize the value of our products without proper implementation, training, and support. Some of our customers have experienced difficulties implementing our products in the past and may experience implementation difficulties in the future. If our customers and partners are unable to implement our products successfully, perceptions of our products may be impaired, our reputation and brand may suffer, or customers may choose not to renew their subscriptions or purchase additional products from us.

Any failure by customers or partners to appropriately implement our products could result in customer dissatisfaction, impact the perceived reliability of our products, result in negative press coverage, negatively affect our reputation, and harm our business, financial condition, and results of operations.

We may not receive significant revenues from our current research and development efforts for several years, if at all.

Our research and development expenses were $132.3 million, or 16% of our total revenues in fiscal 2024, $141.8 million, or 18% of our total revenues in fiscal 2023 and $153.6 million, or 20% of our total revenues in fiscal 2022. We believe that we must continue to dedicate a significant amount of resources to our research and development efforts to maintain our competitive position. However, we may not recognize significant revenues from these investments for several years, if at all.

Our ability to sell our solutions is highly dependent on the quality of our customer support and professional services, and failure to offer high quality customer support and professional services would have a material adverse effect on our sales and results of operations.

Our services include the assessment and design of solutions to meet our customers’ storage management requirements and the efficient installation and deployment of our software applications based on specified business objectives. Further, once our software applications are deployed, our customers depend on us to resolve issues relating to our software applications. A high level of service is critical for the successful marketing and sale of our software. If we or our partners do not effectively install or deploy our applications, or succeed in helping our customers quickly resolve post-deployment issues, it would adversely affect our ability to sell software products to existing customers and could harm our reputation with prospective customers. As a result, our failure to maintain high quality support and professional services would have a material adverse effect on our sales of software applications and results of operations.

We are currently subject, and may become further subject, to local, state, federal and foreign laws and regulations regarding the privacy and protection of personal data or other potentially sensitive information. In the United States, federal, state, and local governments have enacted numerous data privacy security laws, including data breach notification laws, data privacy laws, consumer protection laws, and other similar laws. For example, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA"), imposes obligations on certain businesses to provide specific disclosures in privacy notices and grants California residents certain rights related to their personal data. The CCPA imposes statutory fines for noncompliance (up to $7,500 per violation). Other states have enacted or proposed similar laws. These developments may increase legal risk and compliance costs for us and our customers.

Outside the United States, an increasing number of laws, regulations, and industry standards govern data privacy and security. For example, the European Union’s ("E.U.") General Data Protection Regulation ("E.U. GDPR"), and the United Kingdom’s ("U.K.") GDPR ("U.K. GDPR"), impose strict requirements for processing the personal data of individuals. Violations of these obligations carry significant potential consequences. For example, under the E.U. GDPR, government regulators may impose temporary or definitive bans on processing, as well as fines of up to €20 million or 4% of the annual global revenue, whichever is greater.

In addition, as a technology provider, our customers expect us to demonstrate compliance with current data privacy laws and further make contractual commitments and implement processes to enable the customer to comply with their own obligations under data privacy laws, and our actual or perceived inability to do so may adversely impact sales of our products and services, particularly to customers in highly regulated industries.

Our actual or perceived failure to comply with laws, regulations, contractual commitments, or other actual or asserted obligations, including certain industry standards, regarding personal information, or other confidential information of individuals could lead to costly legal action, brand and reputational damage, significant liability, inability to process data, and decreased demand for our services, which could adversely affect our business. In addition, any security breach that results in the release of, or unauthorized access to, personal information, or other confidential information of individuals could subject us to incident response, notice and remediation costs. Failure to safeguard data adequately or to destroy data securely could subject us to regulatory investigations or enforcement actions under applicable data security, unfair practices or consumer protection laws which could have an adverse effect on our business, financial condition or operating results. The scope and interpretation of these laws could change and the associated burdens and our compliance costs could increase in the future.

Sales to global federal, state, and local governmental agencies account for a portion of our revenue, and we may in the future increase sales to government entities. This customer base experiences budgetary constraints or shifts in spending priorities regularly which may adversely affect sales of our solutions to government entities.

Selling to government entities can be highly competitive, expensive and time consuming, often requiring significant upfront time and expense without any assurance that we will successfully sell our solutions. Government entities may require contract terms that differ from our standard terms and conditions including termination rights favorable for the customer, audit rights, and maintenance of certain security clearances for facilities and employees which can entail administrative time and effort resulting in costs and delays. Government demand for our solutions may be more volatile as they are affected by stringent regulations, public sector budgetary cycles, funding authorizations, and the potential for funding reductions or delays, making the time to close such transactions more difficult to predict.

Changes in senior management or key personnel could cause disruption in the Company and have a material effect on our business.

We have had, and could have, changes in senior management which could be disruptive to management and operations of the Company and could have a material effect on our business, operating results and financial conditions. Turnover at the senior management level may create instability within the Company, which could impede the Company’s day-to-day operations. Such instability could impede our ability to fully implement our business plan and growth strategy, which would harm our business and prospects.

We rely on our key personnel to execute our existing business operations and identify and pursue new growth opportunities. The loss of key employees could result in significant disruptions to our business, and the integration and training of replacement personnel could be costly, time consuming, cause additional disruptions to our business and be unsuccessful.

We have engaged, and may continue to engage, in strategic acquisitions or transactions, which could have a material adverse effect on our business, results of operations, financial condition and cash flows.

Acquisitions involve a number of risks, including diversion of management’s attention, ability to finance the acquisition on attractive terms, failure to retain key personnel or valuable customers, legal liabilities, the need to amortize acquired intangible assets, and intellectual property ownership and infringement risks, any of which could have a material adverse effect on our business, results of operations, financial condition and cash flows. Any additional future acquisitions may also result in the incurrence of indebtedness or the issuance of additional equity securities.

We could also experience financial or other setbacks if transactions encounter unanticipated problems, including problems related to governmental approval, execution, integration or underperformance relative to prior expectations. Acquisitions may not result in long-term benefits to us or we may not be able to further develop the acquired business in the manner we anticipated.

Following the completion of acquisitions, we may have to rely on the seller to provide administrative and other support, including financial reporting and internal controls, and other transition services to the acquired business for a period of time. There can be no assurance that the seller will do so in a manner that is acceptable to us.

Actual or threatened public health crises could adversely affect our business in a material way.

As a global company, with employees and customers located around the world in a variety of industries, our performance may be impacted by public health crises, including the COVID-19 pandemic and its variants, which has caused global economic uncertainty. The emergence of a public health threat could pose the risk that our employees, partners, and customers may be prevented from conducting business activities at full capacity for an indefinite period, due to the spread of the disease or suggested or mandated by governmental authorities. Moreover, these conditions can affect the rate of information technology spending and may adversely affect our customers’ willingness to purchase our solutions, delay prospective customers’ purchasing decisions, reduce the value or duration of their contracts, cause our customers to request concessions including extended payment terms or better pricing, or affect attrition rates, all of which could adversely affect our future sales and operating results. The global spread of COVID-19 has created significant uncertainty, and economic disruption. We have undertaken measures to protect our employees, partners, and customers, including allowing our employees to work remotely; however, there can be no assurance that these measures will be sufficient or that we can implement them without adversely affecting our business operations.

Borrowing against our revolving credit facility could adversely affect our operations and financial results.

We have a $100 million revolving credit facility. As of March 31, 2024, there were no borrowings under the credit facility. If we were to borrow substantially against this facility the indebtedness could have adverse consequences, including:

•requiring us to devote a portion of our cash flow from operations to payments of indebtedness, which would reduce the availability of cash flow to fund working capital requirements, capital expenditures and other general purposes;

•limiting our flexibility in planning for, or reacting to, general adverse economic conditions or changes in our business and the industry in which we operate in;

•placing us at a competitive disadvantage compared to our competitors that have less debt; and

•limiting our ability to fund potential acquisitions.

The credit facility also contains financial maintenance covenants, including a leverage ratio and interest coverage ratio, and customary events of defaults. Failure to comply with these covenants could result in an event of default, which, if not cured or waived, could accelerate our repayment obligations. For further discussion on our revolving credit facility, see Note 16 of the notes to the consolidated financial statements.

Risks Related to our International Operations

If we are unable to effectively manage certain risks and challenges related to our India operations, our business could be harmed.

Our India operations are a key factor to our success. We believe that our significant presence in India provides certain important advantages for our business, such as direct access to a large pool of skilled professionals and assistance in growing our business internationally. However, it also creates certain risks that we must effectively manage. Wage costs differentiate depending on regions throughout the world. Wages in India are increasing at a faster rate than in the many other countries, including the United States. These increases could result in us incurring increased costs for technical professionals and reduced margins. There is intense competition in India for skilled technical professionals, and we expect such competition to increase. As a result, we may be unable to cost-effectively retain our current employee base in India or hire additional new talent. In addition, India has experienced significant inflation, low growth in gross domestic product and shortages of foreign exchange. India also has experienced civil unrest and has been involved in conflicts with neighboring countries. The occurrence of any of these circumstances could result in disruptions to our India operations, which, if continued for an extended period of time, could have a material adverse effect on our business.

In recent years, India’s government has adopted policies that are designed to promote foreign investment, including significant tax incentives, relaxation of regulatory restrictions, liberalized import and export duties and preferential rules on foreign investment and repatriations. These policies may not continue. If we are unable to effectively manage any of the foregoing risks related to our India operations, our development efforts could be impaired, our growth could be slowed and our results of operations could be negatively impacted.

Volatility in the global economy could adversely impact our continued growth, results of operations and our ability to forecast future business.

As a global company, we have become increasingly subject to the risks arising from adverse changes in domestic and global economic and political conditions. Uncertainty in the macroeconomic environment and associated global economic conditions have resulted in volatility in credit, equity, debt and foreign currency markets.

These global economic conditions can result in slower economic activity, decreased consumer confidence, reduced corporate profits and capital spending, inflation, adverse business conditions and liquidity concerns. There has also been increased volatility in foreign exchange markets. These factors make it difficult for our customers, our vendors and us to accurately forecast and plan future business activities. These factors could cause customers to slow or defer spending on our solutions, which would delay and lengthen sales cycles and negatively affect our results of operations. If such conditions deteriorate or if the pace of economic recovery is slower or more uneven, our results of operations could be adversely affected, we may not be able to sustain the growth rates we have experienced recently, and we could fail to meet the expectations of stock analysts and investors, which could cause the price of our common stock to decline.

We continue to invest in our business internationally where there may be significant risks with overseas investments and growth prospects. Increased volatility or declines in the credit, equity, debt and foreign currency markets in these regions could cause delays in or cancellations of orders. Deterioration of economic conditions in the countries in which we do business could also cause slower or impaired collections on accounts receivable.

We may experience fluctuations in foreign currency exchange rates that could adversely impact our results of operations.

Our international sales are generally denominated in foreign currencies, and this revenue could be materially affected by currency fluctuations. Our primary exposure is to fluctuations in exchange rates for the U.S. dollar versus the Euro and, to a lesser extent, the Australian dollar, British pound sterling, Canadian dollar, Chinese yuan, Indian rupee, Korean won and Singapore dollar. Changes in currency exchange rates could adversely affect our reported revenues and could require us to reduce our prices to remain competitive in foreign markets, which could also have a material adverse effect on our results of operations. An unfavorable change in the exchange rate of foreign currencies against the U.S. dollar would result in lower revenues when translated into U.S. dollars, although operating expenditures would be lower as well.

In recent fiscal years, we have selectively hedged our exposure to changes in foreign currency exchange rates on the balance sheet. In the future, we may enter into additional foreign currency-based hedging contracts to

reduce our exposure to significant fluctuations in currency exchange rates on the balance sheet, although there can be no assurances that we will do so. However, as our international operations grow, or if dramatic fluctuations in foreign currency exchange rates continue or increase or if our hedging strategies become ineffective, the effect of changes in the foreign currency exchange rates could become material to revenue, operating expenses, and income.

Our international sales and operations are subject to factors that could have an adverse effect on our results of operations.

We have significant sales and services operations outside the United States and derive a substantial portion of our revenues from these operations. We generated approximately 48% and 47% of our revenues from outside the United States in fiscal 2024 and fiscal 2023, respectively. International revenue increased 9% in fiscal 2024 compared to fiscal 2023. Expansion of our international operations will require a significant amount of attention from our management and substantial financial resources and might require us to add qualified management in these markets.

In addition to facing risks similar to the risks faced by our domestic operations, our international operations are also subject to risks related to the differing legal, political, social and regulatory requirements and economic conditions of many countries, including:

•adverse effects in economic conditions in the countries in which we operate related specifically to the wars in Israel and Ukraine, the COVID-19 pandemic and the governmental regulations put in place as a result of the virus, and the financial instability of banking institutions;

•difficulties in staffing and managing our international operations;

•foreign countries may impose additional withholding taxes or otherwise tax our foreign income, impose tariffs or adopt other restrictions on foreign trade or investment, including currency exchange controls;

•difficulties in coordinating the activities of our geographically dispersed and culturally diverse operations;

•general economic conditions in the countries in which we operate, including seasonal reductions in business activity in the summer months in Europe and in other periods in other countries, could have an adverse effect on our earnings from operations in those countries;

•imposition of, or unexpected adverse changes in, foreign laws or regulatory requirements may occur, including those pertaining to sanctions, export restrictions, privacy and data protection, trade and employment restrictions and intellectual property protections;

•longer payment cycles for sales in foreign countries and difficulties in collecting accounts receivable;

•competition from local suppliers;

•greater risk of a failure of our employees and partners to comply with both U.S. and foreign laws, including antitrust regulations, the U.S. Foreign Corrupt Practices Act, the U.K. Bribery Act of 2010, and any trade regulations ensuring fair trade practices;

•costs and delays associated with developing solutions in multiple languages; and

•political unrest, war or acts of terrorism.

Our business in emerging markets requires us to respond to rapid changes in market conditions in those markets. Our overall success in international markets depends, in part, upon our ability to succeed in differing legal, regulatory, economic, social and political conditions. We may not continue to succeed in developing and implementing policies and strategies that will be effective in each location where we do business. The occurrence of any of the foregoing factors may have a material adverse effect on our business and results of operations.

Risks Related to Technology and Security

We may be subject to IT system failures, network disruptions, cybersecurity incidents and breaches in data security.

Bad actors regularly attempt to gain unauthorized access to our IT systems, and many such attempts are increasingly sophisticated. These attempts, which might be related to industrial, corporate or other espionage, criminal hackers or state-sponsored intrusions, include trying to covertly introduce malware or ransomware to our environments and impersonating authorized users.

Third-party service providers that we may rely on to back up and process our confidential information may also be subject to similar threats. Such threats could result in the misappropriation, theft, misuse, disclosure, loss or destruction of the technology, intellectual property, or the proprietary, confidential or personal information, of us or our employees, customers, licensees, suppliers or partners, as well as damage to or disruptions in our IT systems. These threats are constantly evolving, increasing the difficulty of successfully defending against them or implementing adequate preventative measures.

In addition, any failure to successfully implement new information systems and technologies, or improvements or upgrades to existing information systems and technologies in a timely manner could adversely impact our business, internal controls, results of operations, and financial condition.

We may not be successful in our initiatives that utilize AI, which could adversely affect our business, reputation, or financial results.

There are significant risks involved in utilizing AI and no assurance can be provided that such usage will enhance our business or assist our business in being more efficient or profitable. Known risks currently include accuracy, bias, toxicity, intellectual property infringement or misappropriation, data privacy, and cybersecurity and data provenance. In addition, AI may have errors or inadequacies that are not easily detectable. For example, certain AI may utilize historical data in its analytics. To the extent that such historical data is not indicative of the current or future conditions, or models fail to filter biases in the underlying data or collection methods, such AI usage may lead us to make determinations on behalf of our business, recommendations to our clients, or developments to our products and services, in each case, that may have an adverse effect on our business and financial results. If AI models are incorrectly designed or the data used to train them is overbroad, incomplete, inadequate or biased in some way, our use may inadvertently reduce our efficiency or cause unintentional or unexpected outputs that are incorrect, do not match our business goals, do not comply with our policies or interfere with the performance of our products and services, business and reputation.

AI is a complex and rapidly evolving regulatory landscape. The use of AI may increase intellectual property, cybersecurity and data protection, operational and technological risks, and our related efforts may result in new or enhanced governmental or regulatory scrutiny, litigation, ethical concerns, or other complications that could adversely affect our business, reputation, or financial results or subject us to legal liability. In particular, technologies underlying AI and their use cases are subject to a variety of laws, including intellectual property, cybersecurity and data protection, consumer protection and equal opportunity laws. If we do not have sufficient rights to use the data on which these models rely, we may incur liability through the violation of such laws, third-party privacy or other

rights or contracts to which we are a party. Changes in laws, rules, directives and regulations may adversely affect the ability of our business to develop and use AI.

We may also market our own products as containing AI features. Some of our customers, especially those in highly regulated industries, may be reluctant or unwilling to adopt such AI features which could reduce or delay customer adoption.

Any of these factors could adversely affect our business, reputation, or financial results or subject us to legal liability.

If we fail to adapt and respond effectively to rapidly changing technology, evolving industry standards, changing regulations, or to changing customer needs, requirements, or preferences, our products may become less competitive.

Our ability to attract new users and customers and increase revenue from existing customers depends in large part on our ability to enhance, improve, and differentiate our products, increase adoption and usage of our products, and introduce new products and capabilities. The market in which we compete is subject to rapid technological change, evolving industry standards, and changing regulations, as well as changing customer needs, requirements, and preferences. The success of our business will depend, in part, on our ability to adapt and respond effectively to these changes on a timely basis. If we are unable to enhance our products and keep pace with rapid technological change, or if new technologies emerge that are able to deliver competitive products at lower prices, more efficiently, more conveniently, or more securely than our products, our business, financial condition, and results of operations could be adversely affected.

Risks Related to Legal Matters

We have been, and may in the future become, involved in litigation that may have a material adverse effect on our business.

From time to time, we may become involved in various other legal proceedings relating to matters incidental to the ordinary course of our business, including intellectual property, commercial, product liability, employment, class action, whistleblower and other litigation and claims, and governmental and other regulatory investigations and proceedings. Such matters can be time-consuming, divert management’s attention and resources and cause us to incur significant expenses. Furthermore, because litigation is inherently uncertain, there can be no assurance that the results of any of these actions will not have a material adverse effect on our business, results of operations or financial condition.

Risks Related to Tax and Accounting

Our effective tax rate is difficult to project, and changes in such tax rate or adverse results of tax examinations could adversely affect our operating results.

We are a U.S.-based multinational company subject to tax in multiple U.S. and foreign tax jurisdictions. Our results of operations would be adversely affected to the extent that our geographical mix of income becomes more weighted toward jurisdictions with higher tax rates and would be favorably affected to the extent the relative geographic mix shifts to lower tax jurisdictions. Any change in our mix of earnings is dependent upon many factors and is therefore difficult to predict.

The process of determining our anticipated tax liabilities involves many calculations and estimates that are inherently complex and make the ultimate tax obligation determination uncertain. As part of the process of preparing our consolidated financial statements, we are required to estimate our income taxes in each of the jurisdictions in which we operate prior to the completion and filing of tax returns for such periods. These estimates involve complex issues, require extended periods of time to resolve, and require us to make judgments, such as anticipating the outcomes of audits with tax authorities and the positions that we will take on tax returns prior to our actually preparing the returns. In the normal course of business, we are subject to examination by taxing authorities throughout the world. The final determination of tax audits and any related litigation could be materially different from our historical tax provisions and accruals. For further discussion on income taxes, see Note 11 of the notes to the consolidated financial statements.

Furthermore, our overall effective income tax rate and tax expenses may be affected by various factors in our business, including changes in our entity structure, geographic mix of income and expenses, tax laws, and variations in the estimated and actual level of annual profits before income tax.

Our reported financial results may be adversely affected by changes in accounting principles generally accepted in the United States.

Generally accepted accounting principles in the United States are subject to interpretation by the Financial Accounting Standards Board, the SEC, and various bodies formed to promulgate and interpret appropriate accounting principles. A change in these principles or interpretations could have a significant effect on our reported financial results, and may even affect the reporting of transactions completed before the announcement or effectiveness of a change.

Risks Related to our Common Stock

Goodwill represents a portion of our assets and any impairment of these assets could negatively impact our results of operations.

At March 31, 2024, our goodwill was approximately $127.8 million, which represented approximately 14% of our total assets. We test goodwill for impairment at least annually at the reporting unit level, or more often if an event occurs or circumstances change that would more likely than not reduce the fair value of its carrying amount. Because there are inherent uncertainties involved in these factors, significant differences between these estimates and actual results could result in future impairment charges and could materially impact our future financial results.

Impairment charges of long-lived assets, including assets held for sale, could adversely affect our financial condition and results of operations.

We review our long-lived assets for impairment whenever events or changes in circumstances indicate that the carrying amount of the assets may not be fully recoverable. In January 2023, we entered into an exclusive agreement to sell our owned corporate headquarters and reclassified the assets as held for sale. As a result, we evaluated the carrying value of our long-lived assets related to the property and determined that the carrying value of those assets may not be fully recoverable, and as such, recorded an impairment charge of $53.5 million in the fourth quarter of fiscal 2023. As of March 31, 2024, the sale has not yet been finalized and the exclusivity of the agreement has expired. We are continuing to market the building for sale and expect the transaction to be completed within calendar year 2024. While classified as held for sale, we may need to reassess the fair value of the building at each of our reporting periods and determine whether the carrying value is recoverable. If the carrying value is not deemed to be recoverable based on current market conditions, we may be required to record additional impairment charges in the future. In addition, if certain events or changes in circumstances arise, such as being unable to sell the building within a reasonable timeframe or if selling the building would result in a negative economic future state, we may need to reclassify the building from “assets held for sale” to “assets held and used,” and record a cumulative catch-up on the depreciable assets, which may have a material impact on our operating results and could impact the market price of our common stock. See Note 5 of the notes to the consolidated financial statements for additional information on our assets held for sale.

We may experience a decline in revenues or volatility in our quarterly operating results, which may adversely affect the market price of our common stock.

We cannot predict our future quarterly revenues or operating results with certainty because of many factors outside of our control. A significant revenue or profit decline, lowered forecasts or volatility in our operating results could cause the market price of our common stock to decline substantially. Factors that could affect our revenues and operating results include the following:

•the unpredictability of the timing and magnitude of orders for our solutions, particularly transactions greater than $100,000, as a majority of our quarterly revenues were earned and recorded near the end of each quarter;

•failure to develop substantial sales pipeline for our products;

•failure to attract new customers and expand sales to our existing customers, including by effectively marketing and pricing our products;

•the possibility that our customers may cancel, defer or limit purchases as a result of reduced information technology budgets;

•the possibility that our customers may defer purchases of our solutions in anticipation of new solutions or updates from us or our competitors;

•the ability of our OEMs and resellers to meet their sales objectives;

•market acceptance of our new solutions and enhancements;

•our ability to control expenses;

•changes in our pricing, packaging and distribution terms or those of our competitors; and

•the demands on our management, sales force and customer services infrastructure as a result of the introduction of new solutions or updates.

Our expense levels are relatively fixed and are based, in part, on our expectations of future revenues. If revenue levels fall below our expectations and we are profitable at the time, our net income would decrease because only a small portion of our expenses varies with our revenues. Therefore, any significant decline in revenues for any period could have an immediate adverse impact on our results of operations for that period. We believe that period-to-period comparisons of our results of operations should not be relied upon as an indication of future performance. Our results of operations could be below expectations of public market analysts and investors in future periods which would likely cause the market price of our common stock to decline.

The price of our common stock may be highly volatile and may decline regardless of our operating performance.

The market price of our common stock could be subject to significant fluctuations in response to:

•variations in our quarterly or annual operating results;

•changes in financial estimates, treatment of our tax assets or liabilities or investment recommendations by securities analysts following our business or our competitors;

•the public’s response to our press releases, rumors, our other public announcements and our filings with the SEC;

•changes in accounting standards, policies, guidance or interpretations or principles;

•sales of common stock by our directors, officers and significant stockholders;

•announcements of technological innovations or enhanced or new products by us or our competitors;

•our failure to achieve operating results consistent with securities analysts’ projections;

•the operating and stock price performance of other companies that investors may deem comparable to us;

•broad market and industry factors, including financial instability of banking institutions; and

•other events or factors, including those resulting from war, incidents of terrorism or responses to such events.

The market prices of data protection solutions companies have been extremely volatile. Stock prices of many of those companies have often fluctuated in a manner unrelated or disproportionate to their operating performance. In the past, following periods of market volatility, stockholders have often instituted securities class

action litigation. Securities litigation could have a substantial cost and divert resources and the attention of management from our business.

Although we believe we currently have adequate internal control over financial reporting, we are required to assess our internal control over financial reporting on an annual basis, and any future adverse results from such assessment could result in a loss of investor confidence in our financial reports and have an adverse effect on our stock price.

Management has assessed that our internal control over financial reporting is effective and lacks any material weaknesses. Such assessment is made through subjective judgment of our management that may be open to interpretation. The effectiveness of our internal control in the future is subject to the risk that such internal controls may become inadequate. Any failure to implement required new or improved controls, or difficulties encountered in their implementation, could harm our operating results or cause us to fail to timely meet our regulatory reporting obligations.

Certain provisions of our certificate of formation and our amended and restated bylaws or Delaware law could prevent or delay a potential acquisition of control of our Company, which could decrease the trading price of our common stock.

Our certificate of formation, amended and restated bylaws and the laws in the State of Delaware contain provisions that are intended to deter coercive takeover practices and inadequate takeover bids by making such practices or bids unacceptably expensive to the prospective acquirer and to encourage prospective acquirers to negotiate with our Board of Directors rather than to attempt a hostile takeover. Delaware law also imposes restrictions on mergers and other business combinations between us and any holder of 15% or more of our outstanding common stock.

We believe that these provisions protect our shareholders from coercive or otherwise unfair takeover tactics by effectively requiring those who seek to obtain control of the Company to negotiate with our Board of Directors and by providing our Board of Directors with more time to assess any acquisition of control. However, these provisions could apply even if an acquisition of control of the Company may be considered beneficial by some shareholders and could delay or prevent an acquisition of control that our Board of Directors determines is not in the best interests of our Company and our shareholders.

General Risks

Our business could be materially and adversely affected as a result of natural disasters, terrorism or other catastrophic events.

Any economic failure or other material disruption caused by war, climate change or natural disasters, including fires, floods, hurricanes, earthquakes, and tornadoes; power loss or shortages; environmental disasters; telecommunications or business information systems failures or similar events could also adversely affect our ability to conduct business. If such disruptions result in cancellations of customer orders or contribute to a general decrease in economic activity or corporate spending on IT, or impair our ability to meet our customer demands, our operating results and financial condition could be materially adversely affected.

There is also an increasing concern over the risks of climate change and related environmental sustainability matters. In addition to physical risks, climate change risk includes longer-term shifts in climate patterns, such as extreme heat, sea level rise, and more frequent and prolonged drought. Such events could disrupt our operations or those of our customers or third parties on which we rely, including through direct damage to assets and indirect impacts from supply chain disruption and market volatility.

We currently, and may in the future, have assets held at financial institutions that may exceed the insurance coverage offered by the Federal Deposit Insurance Corporation (“FDIC”), the loss of which would have a severe negative affect on our operations and liquidity.

We may maintain our cash assets at financial institutions in the U.S. in amounts that may be in excess of the FDIC insurance limit of $250,000. Actual events involving limited liquidity, defaults, non-performance or other adverse developments that affect financial institutions, transactional counterparties or other companies in the financial services industry or the financial services industry generally, or concerns or rumors about any events of these kinds or other similar risks, have in the past and may in the future lead to market-wide liquidity problems. In the event of a failure or liquidity issues of or at any of the financial institutions where we maintain our deposits or other assets, we may incur a loss to the extent such loss exceeds the FDIC insurance limitation, which could have a material adverse effect upon our liquidity, financial condition and our results of operations.

Similarly, if our customers or partners experience liquidity issues as a result of financial institution defaults or non-performance where they hold cash assets, their ability to pay us may become impaired and could have a material adverse effect on our results of operations, including the collection of accounts receivable and cash flows.


Item 1B.			Unresolved Staff Comments

None.


Item 1C.Item 1A.			Cybersecurity

Risk Management and Strategy

Commvault has established a cybersecurity program for the benefit of the company, our customers, partners and stockholders. The cybersecurity program includes policies, processes and practices that are designed to assess, identify and manage material risks from cybersecurity threats and is integrated into our enterprise risk management program. Led by the Chief Information Security Officer (“CISO”), Commvault’s cybersecurity program leverages the National Institute of Standards and Technology ("NIST") Cybersecurity Framework, with the primary objective of securing systems and data from cyber threats. We procure security technologies, consistently work to mature our cybersecurity program, and partner with security service providers. We have established a Security Incident Response Plan ("SIRP") which outlines our processes for incident preparation, detection, analysis, containment, eradication, and post-incident analysis. In addition to the SIRP, we maintain a Crisis Management Plan to organize roles and responsibilities in the event of a crisis, a Disaster Recovery Plan to provide guidance in the recovery of systems following an outage, and a Business Continuity Plan to identify alternative means of conducting business in the event of business disruption. We partner with third parties to enhance monitoring and response capabilities and facilitate readiness activities including tabletop exercises and penetration testing. All employees are required to undergo annual security awareness training on current and potential cybersecurity threats and report suspicious activity. We also assess third-party service provider cybersecurity controls through a risk assessment questionnaire and include security and privacy terms in contracts as appropriate.

Commvault maintains a variety of third-party certifications and undergoes annual assessments for SOC 2 Type 2, ISO 27001, HIPAA, CJIS, and PCI DSS. In support of these certifications and assessments, our products also undergo security testing. Annually, internal auditors complete a risk assessment of specific business operations like privacy and sanctions compliance or travel & expense policy compliance, identify areas of heightened risk, and conduct dedicated audit engagements at the direction of Management. The findings, observations, and recommendations from these engagements are shared with Management and the Audit Committee, as appropriate.

To date, Commvault is not aware of any cybersecurity incidents that have materially affected Commvault’s financial condition or business operations. Given the increasingly complex and sophisticated cyber threat landscape, we try to be vigilant to predict and prevent attacks. Commvault has prioritized cyber resilience measures and leverages governance processes and procedures to mitigate potential business impacts if and when an adverse event occurs.

For additional description of cybersecurity risks and potential related impacts on Commvault, refer to the risk factor captioned “Risks Related to Technology and Security – We may be subject to IT system failures, network disruptions, cybersecurity incidents and breaches in data security” in Part 1, Item 1A. “Risk Factors.”

Governance

Commvault’s Board of Directors (the "Board") provides oversight of Commvault’s enterprise risk management strategy, which includes risks from cybersecurity threats. The Audit Committee of the Board of Directors receives quarterly briefings on the cybersecurity program from the CISO and briefings on the Enterprise Risk Management Committee (“ERMC”) and Cybersecurity Oversight Team (“CSOT”) from the Chief Legal and Compliance Officer (“CLCO”). The Board is kept apprised of cybersecurity updates through quarterly, or as needed, reporting from the Audit Committee Chair and annual, or as needed, reporting directly to the Board from the CISO.

Commvault’s Management, including the CEO, CFO, CLCO, CISO, Chief Information Officer (“CIO”), and Senior Vice President of Engineering, is responsible for our cybersecurity risk management strategy, operational decision-making, and incident preparedness and response. The current CISO holds a Bachelor of Science in Information Technology, industry certifications such as CISSP, CISA, CISM, is affiliated with various CISO professional working groups, and has over twenty-five years of experience in information security, compliance, technology, and program management across financial, telecommunications, audit, healthcare, retail, and professional services organizations. Management ensures cybersecurity risks are communicated through the establishment of the ERMC and the CSOT and regular, or as needed, reporting to the Audit Committee and the Board. The ERMC is responsible for the implementation, maintenance, and execution of our enterprise risk management program. The ERMC meets quarterly, or as needed, to assess, consider, and manage material risks including cybersecurity threats across the business. The CSOT is responsible for the significant operational decisions in the event of an active cybersecurity incident. The CSOT meets as needed, with the Audit Committee Chair as an optional attendee, to provide counsel and foster productive communication between Management and the Board.

Recently Filed

Click on a ticker to see risk factors

Ticker *	File Date
NKE	1 day, 5 hours ago
OPTT	1 day, 5 hours ago
ANGO	1 day, 5 hours ago
CTAS	1 day, 8 hours ago
RPM	1 day, 8 hours ago
CNXA	2 days, 3 hours ago
LW	2 days, 8 hours ago
HUDA	3 days, 4 hours ago
AXR	3 days, 5 hours ago
CALM	3 days, 5 hours ago
BUKS	3 days, 6 hours ago
NRAC	4 days, 2 hours ago
RGP	4 days, 6 hours ago
SING	1 week ago
CSBR	1 week ago
DRI	1 week ago
SCHL	1 week ago
GNLN	1 week, 1 day ago
AIR	1 week, 1 day ago
ABTI	1 week, 2 days ago
SHMP	1 week, 2 days ago
BXXY	1 week, 2 days ago
ACRG	1 week, 3 days ago
CARV	1 week, 3 days ago
FOMC	1 week, 3 days ago
KRFG	1 week, 3 days ago
GHMP	1 week, 3 days ago
GWTI	1 week, 3 days ago
VEII	1 week, 3 days ago
ZEST	1 week, 4 days ago
KITL	1 week, 4 days ago
ADMT	1 week, 4 days ago
ATAK	1 week, 4 days ago
BOTY	1 week, 4 days ago
DPLS	1 week, 4 days ago
FDX	1 week, 4 days ago
ECIA	1 week, 4 days ago
ATXG	1 week, 4 days ago
CRMT	1 week, 4 days ago
ELRE	1 week, 4 days ago
CAG	2 weeks, 1 day ago
KALV	2 weeks, 1 day ago
PAYX	2 weeks, 1 day ago
MEI	2 weeks, 1 day ago
BCRD	2 weeks, 1 day ago
FMHS	2 weeks, 2 days ago
ASPA	2 weeks, 2 days ago
STEK	2 weeks, 2 days ago
LEAI	2 weeks, 4 days ago
AIDG	3 weeks ago

OTHER DATASETS

House Trading

Dashboard

Corporate Flights

Dashboard

App Ratings

Dashboard

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - CVLT

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - CVLT

-New additions in green-Changes in blue-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing