Risk Factors Dashboard
Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.
View risk factors by ticker
Search filings by term
Risk Factors - JKHY
-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing
ITEM 1A. RISK FACTORS
Jack Henry’s information and cybersecurity program is a core component of our overall enterprise risk management framework. It is maintained by a team of highly skilled cybersecurity professionals and supported by investments in modern technology, including artificial intelligence and machine learning. The program is designed to safeguard Jack Henry and client confidentiality and privacy by systematically identifying, assessing, and managing material risks and cybersecurity threats through comprehensive cyber defense, threat and vulnerability management, and cyber intelligence. The program safeguards Jack Henry and client confidentiality and privacy by systematically identifying, assessing, and managing material risks and cybersecurity threats through use of comprehensive cyber defense, threat and vulnerability management, and cyber intelligence. It includes continuous enterprise monitoring and well-defined and regularly tested business
resilience and incident response procedures. We also engage third-party vendors and consultants to assist in identifying, assessing, and mitigating cybersecurity risks. Jack Henry relies on third-party service providers to deliver certain services and products to our clients. We evaluate and seek to mitigate the cybersecurity risks associated with these providers through pre-engagement and periodic risk assessments to ensure our standards for security are maintained. Our strategic risk management committees review and address any identified risks. In fiscal year 2025, we did not identify any cybersecurity threats, including those arising from prior incidents, that materially affected our business strategy, results of operations, or financial condition. Our Board of Directors has ultimate oversight of risk management and has delegated responsibility for enterprise and operational risks, including cybersecurity, to the Board’s Risk and Compliance Committee. This Committee oversees Jack Henry’s risk assessment and management programs and reviews risk preparedness. The Audit Committee oversees financial risks and would be informed of any material cybersecurity incident that could potentially have a material impact on our financial statements. Our Audit Committee oversees financial risks and would also be informed of a material cybersecurity incident that could potentially have a material impact on our financial statements. The Chief Information Security Officer (“CISO”) reports quarterly to the Risk and Compliance Committee and to the full Board of Directors on information security matters. The CISO also meets with the Risk and Compliance Committee at least annually to evaluate our overall security environment and organization. Additionally, the CISO meets with the Risk and Compliance Committee at least annually to evaluate our overall security environment and organization. Our CISO, who reports to the Chief Operations Officer, has primary responsibility for Jack Henry’s information security strategy, policy, security engineering, operations, and cybersecurity threat detection and response.Our CISO, who reports directly to the Chief Risk Officer, has primary responsibility over Jack Henry’s overall information security strategy, policy, security engineering, operations, and cybersecurity threat detection and response. Our CISO brings more than 20 years experience in technology and cybersecurity, including senior leadership roles at major financial institutions. Our CISO has more than 20 years of technology and cybersecurity experience, including previous senior leadership roles at major financial institutions. Under the CISO's direction, the information security team continuously monitors cybersecurity trends and implements proactive and defensive measures to protect against cybersecurity threats.
The Company's business and the results of its operations are affected by numerous factors and uncertainties, some of which are beyond our control. The following is a description of some of the important risks and uncertainties that may cause our actual results of operations in future periods to differ materially from those expected or desired.
Business and Operating Risks
Data security breaches, failures, or other incidents could damage our reputation and business. Our business relies upon receiving, processing, storing, and transmitting sensitive information relating to our operations, associates, and clients. If we fail to maintain a sufficient digital security infrastructure, address security vulnerabilities and new threats, or deploy adequate technologies to secure our systems against attack, we may be subject to security breaches that compromise confidential information, including valuable intellectual property, proprietary information, trade secrets, know-how, or source code, which could lead to their theft, misuse, unauthorized disclosure, or misappropriation. If we fail to maintain a sufficient digital security infrastructure, address security vulnerabilities and new threats, or deploy adequate technologies to secure our systems against attack, we may be subject to security breaches that compromise confidential information, adversely affect our ability to operate our business, damage our reputation and business, adversely affect our results of operations and financial condition, and expose us to liability. Such incidents could adversely affect our ability to operate our business, damage our reputation and business, adversely affect our results of operations and financial condition, and expose us to liability. We rely on third parties for various business purposes, and these third parties face similar security risks. A security failure by one of these third parties could expose our data or subject our information systems to interruption of operations and security vulnerabilities. Our information systems rely on hardware, software, and other technological elements, whether developed in-house or provided by third parties, that occasionally need to be patched or updated to address existing or potential security vulnerabilities. If these vulnerabilities are not remediated in a timely manner, our systems and data may be at risk of compromise or interruption.
Our services and infrastructure are increasingly reliant on the internet. Computer networks and the internet are vulnerable to disruptive problems such as denial of service attacks or other cyber-attacks carried out by cyber criminals or state-sponsored actors. We are continually subject to attempts by unauthorized parties to access confidential information or to destroy data, often through the introduction of computer viruses, ransomware or malware, and cyber-attacks. The use of artificial intelligence increasingly enabling their sophistication and accelerating their evolution, including through automated phishing and the rapid development of new malware, which continue to evolve and can be difficult to detect. Those same parties may also attempt to fraudulently induce associates, clients, vendors, or other authorized users of our systems through phishing schemes or other social
14
engineering methods to disclose sensitive information to gain access to our data or that of our clients or their accountholders. Any such coordinated attacks, if successful, can lead to data loss and exfiltration, disruption to systems and services, and damage to our reputation as a secure financial technology company.
We are also subject to the risk that our associates may, unintentionally or with malicious intent, intercept and transmit unauthorized confidential or proprietary information or that corporate-owned computers used by associates are stolen, or client data media is lost in shipment.We are also subject to the risk that our associates may intercept and transmit unauthorized confidential or proprietary information or that corporate-owned computers used by associates are stolen, or client data media is lost in shipment. An interception, misuse, or mishandling of personal, confidential, or proprietary information being sent to or received from a client or third party could result in legal liability, remediation costs, regulatory action, and reputational harm, any of which could adversely affect our results of operations and financial condition.
Like other financial institution service providers, we continually face third-party attempts to discover and exploit system weaknesses or to circumvent our security measures.Like other financial institution service providers, we frequently face third-party attempts to discover and exploit system weaknesses or to circumvent our security measures. We anticipate that attempts to attack our systems, services, and infrastructure, and those of our clients, third-party service providers and other vendors, will grow in frequency and sophistication. We cannot be certain that our security controls and infrastructure will be adequate to continue to protect our systems and data and our efforts may not be sufficient to combat all current and future technological risks and threats. These risks are further heightened by the fact that a significant portion of our associates and contractors work remotely outside of Company-controlled facilities using networks and devices that are not physically controlled by the Company, potentially limiting the effectiveness of our security controls. Advances in computer capabilities, new discoveries in the field of cryptography, the use of artificial intelligence, or other events or developments may render our security measures inadequate. Security risks may result in liability to our clients or other third parties, damage to our reputation, and may deter financial institutions from purchasing our products. The significant amount of capital and other resources we currently expend to protect against the threat of security breaches may prove insufficient to prevent a breach. We cannot ensure that any limitation-of-liability provisions in our client and user agreements, contracts with third-party vendors, or other contracts are sufficient to protect us from liabilities or damages with respect to claims relating to a security breach or similar matters. The insurance coverage we maintain to address data security risks may be insufficient to cover all types of claims or losses that may arise, and there is no assurance that such insurance coverage will continue to be available to us on economically reasonable terms, or at all. In the event of a security breach, we may need to spend substantial additional capital and resources alleviating problems caused by such breach. Under state, federal, and foreign laws, including those requiring consumer notification of security breaches, the costs to remediate security breaches can be substantial. Under state, federal, and foreign laws requiring consumer notification of security breaches, the costs to remediate security breaches can be substantial. Addressing security problems may result in interruptions, delays, or cessation of service to users, any of which could harm our business.
Failure to maintain sufficient technological infrastructure or an operational failure in our outsourcing facilities could expose us to damage claims, increase regulatory scrutiny, and cause us to lose clients. Our products and services require substantial investments in technological infrastructure, and we have experienced significant growth in the number of users, transactions, and data that our technological infrastructure supports. If we fail to adequately invest in and support our technological infrastructure and processing capacity, we may not be able to support our clients’ processing needs and may be more susceptible to interruptions and delays in services. Damage or destruction that interrupts our outsourcing operations could cause delays and failures in processing which could hurt our relationship with clients, damage our reputation, expose us to damage claims, and cause us to incur substantial additional expenses to relocate operations and repair or replace damaged equipment. Events that could cause operational failures include, but are not limited to, hardware and software defects, breakdowns or malfunctions, cybersecurity incidents, human error, power losses, disruptions in telecommunications services, computer viruses or other malware, or other events. Our facilities are also subject to physical risks related to natural disasters or severe weather events, such as tornados, flooding, hurricanes, and heat waves. Climate change may increase the likelihood and severity of such events. Our back-up systems and procedures may prove insufficient or otherwise fail to prevent disruption, such as a prolonged interruption of our transaction processing services. If an interruption extends for more than several hours, we may experience data loss or a reduction in revenues due to such interruption. Any significant interruption of service could reduce revenue, have a negative impact on our reputation and the reputation of our clients, result in damage claims, lead our present and potential clients to choose other service providers, and lead to increased regulatory scrutiny of the critical services we provide to financial institutions, with resulting increases in compliance burdens and costs. Any significant interruption of service could reduce revenue, have a negative impact on our reputation, result in damage claims, lead our present and potential clients to choose other service providers, and lead to increased regulatory scrutiny of the critical services we provide to financial institutions, with resulting increases in compliance burdens and costs. Implementing modifications and upgrades to our technological infrastructure subjects us to inherent costs and risks associated with changing systems, policies, procedures, and monitoring tools. Implementing modifications and upgrades to our technological infrastructure subject us to inherent costs and risks associated with changing systems, policies, procedures, and monitoring tools.
15
Failures associated with payment transactions could result in financial loss. The volume and dollar amount of payment transactions that we process is significant and continues to grow. We direct the settlement of funds on behalf of financial institutions, other businesses, and consumers, and receive funds from clients, card issuers, payment networks, and consumers on a daily basis for a variety of transaction types. Transactions facilitated by us include debit card, credit card, electronic bill payment transactions, Automated Clearing House (“ACH”) payments, real-time payments through faster payment networks (such as Zelle, RTP, and FedNow), and check clearing that support consumers, financial institutions, and other businesses. If the continuity of operations, integrity of processing, or ability to detect or prevent fraudulent payments were compromised in connection with payments transactions, we could suffer financial as well as reputational loss. In addition, we rely on various third parties to process transactions and provide services in support of the processing of transactions and funds settlement for certain of our products and services that we cannot provide ourselves. If we are unable to obtain such services in the future or if the price of such services becomes unsustainable, our business, financial position, and results of operations could be materially and adversely affected. In addition, we may issue short-term credit to consumers, financial institutions, or other businesses as part of the funds settlement process. A default on this credit by a counterparty could result in a financial loss to us.
Failures of third-party service providers we rely upon could lead to financial loss. We rely on third-party service providers to support key portions of our operations. We also rely on third-party service providers to provide part, or all, of certain services we deliver to clients. As we continue to move more computing, storage, and processing services out of our data centers and facilities and into third-party hosting environments, our reliance on these providers and their systems will increase. This reliance is further concentrated as we use certain third-party vendors to provide large portions of our hosting needs. While we have selected these third-party vendors carefully, we do not control their actions. A failure of these services by a third party could have a material impact upon our delivery of services to our clients. Such a failure could lead to damage claims, loss of clients, and reputational harm, depending on the duration and severity of the failure. Third parties perform significant operational services on our behalf. These third-party vendors are subject to similar risks as us including, but not limited to, compliance with applicable laws and regulations, hardware and software defects, breakdowns or malfunctions, cybersecurity incidents, human error, failures in internal controls, power losses, disruptions in telecommunications services, computer viruses or other malware, natural disasters or severe weather events, or other events. One or more of our vendors may experience a cybersecurity event or operational disruption and, if any such event does occur, it may not be adequately addressed, either operationally or financially, by the third-party vendor. Certain of our vendors may have limited indemnification obligations or may not have the financial capacity to satisfy their indemnification obligations. If a critical vendor is unable to meet our needs in a timely manner or if the services or products provided by such a vendor are terminated or otherwise delayed and if we are not able to develop alternative sources for these services and products timely and cost-effectively, our clients could be negatively impacted, and it could have a material adverse effect on our business.
We operate in a competitive business environment and our business will be adversely affected if we fail to compete effectively. We vigorously compete with a variety of software vendors and service providers in all our major product lines. We compete on the basis of product quality, reliability, performance, ease of use, quality of support and services, integration with other products, and pricing. Some of our competitors may have advantages over us due to their size, product lines, greater marketing resources, or exclusive intellectual property rights. New competitors, including smaller start-ups, regularly appear with new products, services, and technology for financial institutions. If competitors offer more favorable pricing, payment or other contractual terms, warranties, or functionality, or otherwise attract our clients or prevent us from capturing new clients, we may need to lower prices or offer other terms that negatively impact our results of operations in order to successfully compete.
Failure to achieve favorable renewals of service contracts could negatively affect our business. Our contracts with our clients for outsourced data processing and electronic payment transaction processing services generally run for a period of six years. We will continue to experience a significant number of these contracts coming up for renewal each year. Renewal time presents our clients with the opportunity to consider other providers or to renegotiate their contracts with us, including reducing the services we provide or negotiating the prices paid for our services. Certain of our renewals have resulted in price compression between the former and renegotiated contracts. If that trend accelerates or becomes more pronounced, it could negatively impact our results of operations. If we are not successful in achieving high renewal rates upon favorable terms, revenues and profit margins will suffer. We may experience increased costs for services from our third-party vendors due to inflation or other cost expansion, but because our client contracts typically have longer terms than our vendor contracts, our ability to pass on those higher costs to clients may be limited. If inflation or costs outpace our contractual ability to adjust pricing during the contractual terms of our client contracts, our revenues and profit margins could be negatively impacted.
16
If we fail to adapt our products and services to changes in technology and the markets we serve, we could lose existing clients and be unable to attract new business. The markets for our products and services are characterized by changing client and regulatory requirements and rapid technological changes. These factors and new product introductions by our existing competitors or by new market entrants could reduce the demand for our existing products and services, and we may be required to develop or acquire new products and services. Our future success is dependent on our ability to enhance our existing products and services in a timely manner and to develop or acquire new products and services. If we are unable to develop or acquire new products and services to address the needs of our clients, or if we fail to sell the new or enhanced products and services in which we have invested, we may incur unanticipated expenses or fail to achieve anticipated revenues, as well as lose prospective sales.
The increasing adoption of artificial intelligence (AI), machine learning (ML), and generative artificial intelligence into our products introduces significant and evolving risks that could lead to unintended consequences, result in reputational harm, and increased litigation. Our business currently utilizes AI and ML and we continue to evaluate and expand their use, including generative AI, to augment our products and services. While these technologies offer distinct business opportunities, they also bring evolving legal, regulatory, and operational risks. Both state and federal regulations relating to these emerging technologies are quickly and constantly evolving and may require significant resources to modify and maintain business practices to comply with U.S. laws, the nature of which cannot be determined at this time. From an operational standpoint, AI algorithms and training methodologies may create accuracy issues, unintended biases, factual errors, misrepresentations, offensive language, inappropriate statements, or other unexpected outcomes that could undermine product and service quality or lead to errors in our decision-making and solution development. Ineffective or inadequate AI development, testing, evaluation, deployment, content labeling, or governance may impair public acceptance or cause harm, resulting in offerings not working as intended, and we also face explainability risk from our potential inability to interpret or justify AI model decisions, which may lead to concerns about trust, regulatory compliance, and accountability. Additionally, the use of AI tools by associates—whether authorized or not—for internal functions or business operations may result in unintended or unreliable outputs, which could negatively impact the quality, accuracy, or consistency of work product and decision-making. Our failure to accurately identify and address our responsibilities and liabilities in this new environment could negatively affect any solutions we develop incorporating such technology and could subject us to reputational harm, regulatory action, or litigation, which may harm our financial condition and operating results. These same risks apply to our third-party service providers who are implementing these tools into the products or services they provide to us. Any failures to manage and mitigate these risks by these third-party service providers may negatively affect the products and services we provide our clients.
Software defects or problems with installations and updates may harm our business and reputation and expose us to potential liability. Our software products are complex and may contain undetected defects, especially in connection with newly released products and software updates. Software defects may cause interruptions or delays to our services as we attempt to correct the problem. We may also experience difficulties in installing or integrating our products on systems used by our clients. Defects in our software, installation problems or delays, or other difficulties could result in negative publicity, loss of revenues, loss of competitive position, or claims against us by clients. In addition, we rely on technologies and software supplied by third parties that may also contain undetected errors or defects that could have a negative effect on our business and results of operations. If patches or updates are not properly tested prior to installation, or are not properly installed, our systems and data may be at risk of compromise or interruption as a result of such failures.
Expansion of services to non-traditional clients could expose us to new risks. We have expanded our services to business lines that are marketed outside our traditional, regulated, and litigation-averse base of financial institution clients. These non-regulated clients may entail greater operational, credit, and litigation risks than we have faced before and could result in increases in bad debts and litigation costs.
Regulatory and Compliance Risks
The software and services we provide to our clients are subject to government regulation that could hinder the development of our business, increase costs, or impose constraints on the way we conduct our operations. The financial services industry is subject to extensive and complex federal and state regulation. As a supplier of software and services to financial institutions, portions of our operations are subject to ongoing supervision and examination by the Office of the Comptroller of the Currency, the Federal Reserve Board, the Federal Deposit Insurance Corporation, the Consumer Financial Protection Bureau, and the National Credit Union Association, among other regulatory agencies. These agencies regulate services we provide and the way we operate, and we are required to comply with a broad range of applicable federal and state laws and regulations. We are routinely subject to the examination process with such regulators, which includes the identification of areas where we can improve our practices to better comply with the applicable regulations and guidelines. If regulators
17
identify significant issues, or if we fail to meet supervisory remediation expectations, we could be subject to regulatory actions that could harm our client relationships and reputation. Failure by third parties, with whom we contract or partner, to comply with regulations or guidelines could also harm our relationships and reputation. Such failures could require significant expenditures to correct and could negatively affect our ability to retain clients and obtain new clients.
In addition, existing laws, regulations, and policies could be amended or interpreted differently by regulators in a manner that imposes additional costs and has a negative impact on our existing operations or that limits our future growth or expansion. New regulations could require additional programming or other costly changes in our processes or personnel. Our clients are also regulated entities, and actions by regulatory authorities could influence both the decisions they make concerning the purchase of data processing and other services and the timing and implementation of these decisions. We will be required to apply substantial research and development and other corporate resources to adapt our products to this evolving, complex, and often unpredictable regulatory environment. Our failure to provide compliant solutions could result in significant fines or consumer liability on our clients, for which we may bear ultimate liability.
Compliance with new and existing data privacy and cybersecurity laws, regulations, and rules may adversely impact our expenses, development, and strategy.Compliance with new and existing privacy laws, regulations, and rules may adversely impact our expenses, development, and strategy. We are subject to complex laws, rules, and regulations related to data privacy and cybersecurity. If we fail to comply with such requirements, we could be subject to reputational harm, regulatory enforcement, and litigation. The use, confidentiality, and security of private client information is under increased scrutiny. Regulatory agencies, Congress, state legislatures, and foreign regulatory and governmental bodies are considering numerous regulatory and statutory proposals to protect the interests of consumers and to require compliance with standards and policies that have not been defined. The number of state privacy and cybersecurity laws and regulations has grown tremendously over the past several years, resulting in an increasingly complex and fragmented regulatory landscape. The number of state privacy and cybersecurity laws and regulations has grown tremendously over the past several years, creating an increasingly complex patchwork of data privacy and security requirements. These laws often include industry-specific requirements and board consumer data protection obligations. While many of these frameworks share common principles each jurisdiction imposes unique compliance standards, definitions, and obligations that may not align with one another. This lack of uniformity, combined with frequent legislative updates and regulatory amendments, creates ongoing challenges for organizations seeking to maintain consistent and compliant data governance practices across multiple jurisdictions. Further, the FTC and state attorneys general may interpret federal and state consumer protection laws as imposing standards for the collection, use, dissemination, and security of data. In addition, compliance with these laws and regulations may require changes to our technology and our internal processes and procedures, including the way that we handle, process, and store data, which could divert company resources and negatively impact growth opportunities. We will also be affected by these regulations as a third-party provider to clients who are subject to such regulations and will seek our assistance in their compliance efforts.
Failure to comply or readily address compliance and regulatory rule changes made by payment card networks could adversely affect our business. We are subject to card association and network compliance rules governing the payment networks we serve, including Visa, MasterCard, Zelle, FedNow, and The Clearing House’s RTP network, and all rules governing the Payment Card Data Security Standards. If we fail to comply with these rules and standards, we could be fined or our certifications could be suspended or terminated, which could limit our ability to service our clients and result in reductions in revenues and increased costs of operations. Changes made by the networks, even when complied with, may result in reduction in revenues and increased costs of operations.
Economic Conditions Risks
Natural disasters, public health crises, wars, acts of terrorism, other armed conflict, and workforce shortages could adversely affect our results of operations. The occurrence of, or threat of, natural disasters, widespread public health crises, political unrest, war, acts of terrorism, other armed conflicts involving the United States or foreign countries, or general workforce shortages can result in significant economic disruptions and uncertainties and could adversely affect our business, results of operation, and financial condition. The conditions caused by such events may affect the rate of spending by our clients and their ability to pay for our products and services, delay prospective clients’ purchasing decisions, interfere with our associates’ ability to support our business function, disrupt the ability of third-party providers we rely upon to deliver services, adversely impact our ability to provide on-site services or installations to our clients, or reduce the number of transactions we process, all of which could adversely affect our results of operation and financial position. We are unable to accurately predict the impact of such events on our business due to a number of uncertainties, including the duration, severity, geographic reach and governmental responses to such events, the impact on our clients’ and vendors' operations, and our ability to continue to provide products and services, including the ability of our associates to work remotely. If we are not able to respond to and manage the impact of such events effectively, our business will be harmed.
18
Our business may be adversely impacted by general U.S. and global market and economic conditions or specific conditions in the financial services industry. We derive most of our revenue from products and services we provide to the financial services industry. If the general economic environment worsens, including if inflation or interest rates continue to increase or remain at higher than recent historical levels, or if conditions or regulatory requirements within the financial services industry change—such as if financial institutions are required to increase reserve amounts, become subject to new regulatory assessments, or if tariffs or other trade restrictions are imposed or increased—clients may be less willing or able to pay the cost of our products and services, and we could face a reduction in demand from current and potential clients for our products and services, which could have a material adverse effect on our business, results of operations, and financial condition. If the general economic environment worsens, including if inflation or interest rates continue to increase or remain at higher than recent historical levels, or if conditions or regulatory requirements within the financial services industry change, such as if financial institutions are required to increase reserve amounts or become subject to new regulatory assessments, clients may be less willing or able to pay the cost of our products and services, and we could face a reduction in demand from current and potential clients for our products and services, which could have a material adverse effect on our business, results of operations, and financial condition. In addition, a growing portion of our revenue is derived from transaction processing fees, which depend heavily on levels of consumer and business spending. Deterioration in general economic conditions could negatively impact consumer confidence and spending, resulting in reduced transaction volumes and our related revenues.
Consolidation and failures of financial institutions will continue to reduce the number of our clients and potential clients. Our primary market consists of approximately 4,440 commercial and savings banks and more than 4,550 credit unions. The number of commercial banks and credit unions in the United States has experienced a steady decrease over recent decades due to mergers and acquisitions and financial failures and we expect this trend to continue as more consolidation occurs. Such events may reduce the number of our current and potential clients, which could negatively impact our results of operations. A client who merges with, or is acquired by, an entity that is not our client, or a client that is closed by regulatory action, can lead to a reduction or loss of services and negatively impact our results of operation.
Acquisition Risks
Our growth may be affected if we are unable to find or complete suitable acquisitions. We have augmented the growth of our business with a number of acquisitions and we plan to continue to acquire appropriate businesses, products, and services. This strategy depends on our ability to identify, negotiate, and finance suitable acquisitions. Merger and acquisition activity in our industry has affected the availability and pricing of such acquisitions. If we are unable to acquire suitable acquisition candidates, we may experience slower growth.
Acquisitions subject us to risks and may be costly and difficult to integrate. Acquisitions are difficult to evaluate, and our due diligence may not identify all potential liabilities or valuation issues. We may also be subject to risks related to cybersecurity incidents or vulnerabilities of the acquired company and the acquired systems. We may not be able to successfully integrate acquired companies. We may encounter problems with the integration of new businesses, including: financial control and computer system compatibility; unanticipated costs and liabilities; unanticipated quality or client problems with acquired products or services; differing regulatory and industry standards; diversion of management's attention; adverse effects on existing business relationships with suppliers and clients; loss of key associates; and significant depreciation and amortization expenses related to acquired assets. To finance future acquisitions, we may have to increase our borrowing or sell equity or debt securities to the public. If we fail to integrate our acquisitions, our business, financial condition, and results of operations could be materially and adversely affected. Failed acquisitions could also produce material and unpredictable impairment charges as we review our acquired assets.
Intellectual Property Risks
If others claim that we have infringed their intellectual property rights, we could be liable for significant damages or could be required to change our processes. We have agreed to indemnify many of our clients against claims that our products and services infringe on the proprietary rights of others. We also use certain open- source software in our products, which may subject us to suits by persons claiming ownership of what we believe to be open-source software. Infringement claims have been and will in the future be asserted with regard to our software solutions and services. Such claims, whether with or without merit, are time-consuming, may result in costly litigation and may not be resolved on terms favorable to us. If our defense of such claims is not successful, we could be forced to pay damages or could be subject to injunctions that would cause us to cease making or selling certain applications or force us to redesign applications.
Our failure to protect our intellectual property and proprietary rights may adversely affect our competitive position. Our success and ability to compete depend in part upon protecting our proprietary systems and technology. Unauthorized parties may attempt to copy or access systems or technology that we consider proprietary. We actively take steps to protect our intellectual property and proprietary rights, including entering into agreements with users of our services for that purpose and maintaining security measures. However, these steps may be inadequate to prevent misappropriation. Policing unauthorized use of our proprietary rights is difficult and misappropriation or litigation relating to such matters could have a material negative effect on our results of operation.
19
General Risk Factors
A material weakness in our internal controls could have a material adverse effect on us. Effective internal controls are necessary for us to provide reasonable assurance with respect to our financial reports and to mitigate risk of fraud. If material weaknesses in our internal controls are discovered or occur in the future, our consolidated financial statements may contain material misstatements and we could be required to restate our financial results, which could materially and adversely affect our business and results of operations or financial condition, restrict our ability to access the capital markets, require us to expend significant resources to correct the weaknesses or deficiencies, subject us to fines, penalties or judgments, harm our reputation, or otherwise cause a decline in investor confidence.
The loss of key associates and difficulties in hiring and retaining associates could adversely affect our business. We depend on the contributions and abilities of our senior management and other key associates. Our Company has grown significantly in recent years and our management remains concentrated in a small number of highly qualified individuals. If we lose one or more of our key associates, we could suffer a loss of managerial experience, and management resources would have to be diverted from other activities to compensate for this loss. We do not have employment agreements with any of our executive officers. We continue to face a competitive market for hiring and retaining skilled associates. Further, we continue to face a competitive market for hiring and retaining skilled associates. Difficulties in hiring and retaining skilled associates may restrict our ability to adequately support our business needs and/or result in increased personnel costs. These challenges are further compounded by the fact that a substantial portion of our workforce operate in hybrid or fully remote arrangements, which introduces additional complexities related to employee engagement, collaboration, training, and the preservation of corporate culture. As we navigate these dynamics, there is no assurance that we will be able to attract and retain the personnel necessary to maintain the Company’s strategic direction.
Unfavorable resolution of tax contingencies or unfavorable future tax law changes could adversely affect our tax expense. Our income tax positions result in a significant net deferred income tax liability on our consolidated balance sheet. Unfavorable future tax law changes, including increasing U.S. corporate tax rates, could increase this net liability and negatively impact our provision for income taxes, net income, and cash flow.
The impairment of a significant portion of our goodwill and intangible assets would adversely affect our results of operations. Our balance sheet includes goodwill and intangible assets that represent a significant portion of our total assets as of June 30, 2025. On an annual basis, and whenever circumstances require, we review our goodwill and intangible assets for impairment. If the carrying value of a material asset is determined to be impaired, it will be written down to fair value by a charge to operating earnings. An impairment of a significant portion of our goodwill or intangible assets could have a material negative effect on our operating results.
Changes in interest rates could increase our borrowing costs or result in decreased interest income. Although our debt borrowing levels have historically been low, we may require additional or increased borrowings in the future under existing or new debt facilities to support operations, finance acquisitions, or fund stock repurchases. Our current credit facilities bear interest at variable rates. Increases in interest rates on variable-rate debt would increase our interest expense, which could negatively impact our results of operations. Conversely, if interest rates substantially decrease, we would collect less interest income on settlement accounts.
ITEM 1B. UNRESOLVED STAFF COMMENTS
None.
ITEM 1C. CYBERSECURITY
Cyber Risk Management and Strategy
In today's interconnected environment, information is inherently exposed to a wide range of risks, threats, and vulnerabilities. As a provider of products and services to financial institutions, Jack Henry integrates industry-standard frameworks, policies, and procedures to securely process and store sensitive information, prioritizing the protection of our associates, clients, and their private data in an ever-evolving cyber threat landscape.
20
Jack Henry systems and services are subject to regular reviews by the same regulatory agencies that oversee financial institutions, including the Federal Reserve Bank (“FRB”), FDIC, Office of the Comptroller of the Currency (“OCC”), NCUA, and the CFPB, among others. These reviews, including those conducted by the Federal Banking Agencies (comprised of the FDIC, FRB, and the OCC) help identify potential security gaps or control deficiencies. In addition, critical services provided to our clients undergo annual System and Organization Controls (“SOC”) reviews by independent auditors. Critical services provided to our clients are subject to annual System and Organization Controls (“SOC”) reviews by independent auditors.
Our associates and contractors play a vital role in the safeguarding of systems and data. All are required to complete annual security awareness training to ensure they stay current on best practices and emerging cyber threats. We also conduct routine phishing exercises to help associates and contractors recognize and appropriately respond to suspicious emails. Supplemental training is provided throughout the year to individuals and teams with elevated-risk profiles.
As a large financial technology provider, we continually face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect our business strategy, results of operations, or financial condition. Despite our efforts to identify and respond to cybersecurity threats, we cannot guarantee that we will not experience a material cybersecurity incident in the future or that an undetected incident has not already occurred. Despite our efforts to identify and respond to cybersecurity threats, we cannot ensure that we will not experience material cybersecurity incidents in the future or that we have not experienced an undetected incident. For further discussion of cybersecurity risks, see the section entitled “Risk Factors” in Item 1A. For a full discussion of cybersecurity risks, see the section entitled “Risk Factors” in Item 1A.
CyberSecurity Governance and Oversight
While the Board of Directors, through the Risk and Compliance Committee, maintains oversight of cybersecurity risks, management is primarily responsible for identifying, assessing, and managing these risks within our broader risk management program. The Enterprise Risk Management Committee , composed of senior executives, monitors governance, risk, and compliance enterprise-wide, including cybersecurity. Management has adopted specific policies and procedures to monitor and mitigate cybersecurity threats including an incident response program, led by the CISO and staffed by professionals with diverse expertise. Incidents meeting pre-established thresholds are escalated to management for threat assessment, mitigation, remediation, and, if necessary, disclosure to clients, third-parties, and regulators.
Recently Filed
Click on a ticker to see risk factors
| Ticker * | File Date |
|---|---|
| ARAY | 16 hours ago |
| IREN | 16 hours ago |
| BILL | 16 hours ago |
| MBUU | 23 hours ago |
| LUCK | 1 day, 1 hour ago |
| PAHC | 1 day, 16 hours ago |
| BCRD | 1 day, 16 hours ago |
| MCFT | 1 day, 17 hours ago |
| PSEC | 2 days, 15 hours ago |
| QMCO | 2 days, 16 hours ago |
| WOLF | 2 days, 16 hours ago |
| ELMD | 2 days, 16 hours ago |
| UFI | 2 days, 22 hours ago |
| STRT | 3 days, 16 hours ago |
| NSSC | 3 days, 18 hours ago |
| JKHY | 3 days, 20 hours ago |
| OSIS | 3 days, 23 hours ago |
| ZONE | 6 days, 15 hours ago |
| KE | 6 days, 15 hours ago |
| FLXS | 6 days, 16 hours ago |
| ETD | 6 days, 17 hours ago |
| PH | 1 week ago |
| HOVR | 1 week ago |
| UI | 1 week ago |
| TECH | 1 week ago |
| SYY | 1 week ago |
| SLQT | 1 week ago |
| SYNA | 1 week ago |
| COTY | 1 week ago |
| AX | 1 week ago |
| QNST | 1 week ago |
| KRNY | 1 week ago |
| SCSC | 1 week, 1 day ago |
| AXIL | 1 week, 1 day ago |
| MZTI | 1 week, 1 day ago |
| EL | 1 week, 1 day ago |
| LITE | 1 week, 2 days ago |
| PINC | 1 week, 3 days ago |
| FN | 1 week, 3 days ago |
| EXTR | 1 week, 3 days ago |
| BIVI | 1 week, 6 days ago |
| EAT | 1 week, 6 days ago |
| AMCR | 1 week, 6 days ago |
| HRB | 1 week, 6 days ago |
| TEAM | 1 week, 6 days ago |
| AIT | 2 weeks ago |
| INBS | 2 weeks ago |
| TAYD | 2 weeks ago |
| COHR | 2 weeks ago |
| AVT | 2 weeks ago |
