Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10-K reports, allowing investors to quickly identify new potential risks and opportunities.

Risk Factors - NCNO

Item 1A. Risk Factors
You should consider and read carefully all of the risks and uncertainties described below, as well as other information included in this Annual Report on Form 10-K, including the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations” and our consolidated financial statements and related notes before making an investment decision with respect to our common stock. The risks described below are not the only ones we face. The occurrence of any of the following risks or additional risks and uncertainties not presently known to us or that we currently believe to be immaterial could materially and adversely affect our business, financial condition, or results of operations. In such case, the trading price of our common stock could decline, and you may lose all or part of your investment.
Summary Risk Factors
The below summary of risk factors provides an overview of many of the risks we are exposed to in the normal course of our business activities. As a result, the below summary risks do not contain all of the information that may be important to you, and you should read the summary risks together with the more detailed discussion of risks set forth following this section under the heading “Risk Factors,” as well as elsewhere in this Annual Report on Form 10-K. Additional risks, beyond those summarized below or discussed elsewhere in this Annual Report on Form 10-K, may apply to our activities or operations as currently conducted or as we may conduct them in the future or in the markets in which we operate or may in the future operate. Consistent with the foregoing, we are exposed to a variety of risks, including risks associated with the following:
Our growth strategy increasingly depends on the adoption and effective use of our AI capabilities by our customers, and if customer adoption rates or usage do not meet our expectations, our business, results of operations, and competitive position could be adversely affected.
Our increased focus on the development and use of AI/ML technologies in our solutions and our business, as well as our potential failure to effectively implement, use, and market these technologies, may result in reputational harm or liability, or could otherwise adversely affect our business.
The markets in which we participate are intensely competitive and highly fragmented, and pricing pressure, rapidly evolving technologies, including the increasing adoption of AI/ML offerings by our competitors, or other competitive dynamics could adversely affect our business and results of operations.
We derive most of our revenues from customers in the cloud-based financial services industry, and any downturn or consolidation or decrease in technology spend in the cloud-based financial services industry could adversely affect our business.
Our future operating results are difficult to predict, in part because we do not have an extensive operating history at the current scale of our business, and we may not achieve our expected operating results in the future.
We have a history of losses, and while we have achieved profitability, we may not be able to sustain profitability on a generally accepted accounting principles in the United States of America (“GAAP”) basis in the future.
If we are unable to attract new customers or continue to broaden our existing customers’ use of our solutions, our revenue growth will be adversely affected.
If we fail to accurately anticipate and respond to rapid technological changes in the cloud-based financial services industry in which we operate, including AI/ML developments, our ability to attract and retain customers could be impaired and our competitive position could be harmed.
We may not be able to sustain or increase our revenue growth rate in the future.
Our quarterly results may fluctuate significantly and may not fully reflect the underlying performance of our business.
The failure to attract and retain additional qualified personnel could prevent us from executing our business strategy.
We may not accurately predict the long-term rate of customer subscription renewals or adoption of our solutions, or any resulting impact on our revenues or operating results.
Because we recognize subscription revenues over the term of the contract, downturns or upturns in our business may not be reflected in our results of operations until future periods.
Our business faces significant risks from diverse and evolving cybersecurity threats, including increased threats from the use of AI/ML. A breach of our security or privacy measures or those we rely on could result in unauthorized access to, or disclosure of, customer or their clients’ data, which may materially and adversely impact our reputation, business, and results of operations.
Privacy and data security concerns, data collection and transfer restrictions and related domestic or foreign regulations may limit the use and adoption of our solutions and adversely affect our business and results of operations.
Fundamental elements of the nCino Platform are built on the Salesforce Platform and we rely on our agreement with Salesforce to provide this solution to our customers.
We depend on data centers operated by or on behalf of Salesforce, AWS, and other third parties, and any disruption in the operation of these facilities could adversely affect our business and subject us to liability.
Our customers are highly regulated. Our failure to comply with laws and regulations applicable to us as a technology provider to FIs could adversely affect our business and results of operations, increase costs, and impose constraints on the way we conduct our business.
We have and may continue to acquire or invest in companies, pursue business partnerships or divest products or assets, which may divert our management’s attention or result in dilution to our stockholders, and we may be unable to integrate acquired businesses and technologies successfully or achieve the expected benefits of such acquisitions, investments, partnerships, or divestitures.
Risks Relating to Our Business and Industry
Our growth strategy increasingly depends on the adoption and effective use of our AI capabilities by our customers, and if customer adoption rates or usage do not meet our expectations, our business, results of operations, and competitive position could be adversely affected.
We have invested, and expect to continue to invest, significant resources in developing and integrating AI-driven features and functionality into our platform. The success of these investments depends in part on our customers’ willingness and ability to adopt, implement, and utilize our AI capabilities in a manner that generates measurable operational efficiencies, enhanced decision-making, and other tangible benefits. If customers are slow to adopt our AI offerings, choose not to enable or fully deploy AI features, or limit their usage to pilot programs or narrow use cases, we may not realize the anticipated return on our investments.
Even where customers adopt our AI capabilities, they may not use them in ways that generate meaningful value. Customers may lack the internal expertise, data quality, governance frameworks, management processes, or risk tolerance necessary to effectively leverage AI-driven tools. Regulatory uncertainty, data privacy concerns, model risk management requirements, or internal compliance policies may also restrict how customers use AI functionality. If customers fail to achieve expected productivity gains, cost savings, revenue enhancements, or other benefits from our AI offerings, they may reduce usage, decline to expand deployments, delay renewals, negotiate lower pricing, or elect not to purchase additional AI-enabled solutions. If we are unable to effectively quantify and communicate the benefits of our AI capabilities, our sales cycles may lengthen, expansion opportunities may decrease, and our ability to justify pricing or drive incremental AI-related revenue may be adversely affected.
Our revenue growth and competitive positioning increasingly depend on our ability to differentiate our platform through AI-enabled innovation. If customers do not broadly embrace our AI capabilities, or if competing solutions offer AI features that are perceived as more effective, easier to deploy, more transparent, more compliant, less expensive, or better aligned with customer needs, we may experience reduced demand for our solutions. Competitors, including established financial technology providers, may be able to devote greater resources to AI research and development, respond more quickly to evolving customer expectations, or offer more compelling pricing models. Failure to achieve widespread, value-generating adoption of our AI offerings could diminish our brand perception as an innovation leader and negatively impact customer acquisition, retention, and expansion.
Moreover, if anticipated AI-driven efficiencies do not materialize at the pace or scale we expect, our operating margins may be adversely affected, particularly if we continue to incur significant research and development, infrastructure, and compliance costs associated with AI initiatives without corresponding revenue growth. Any of the foregoing could materially and adversely affect our business, financial condition, results of operations, and long-term growth prospects.
Our increased focus on the development and use of AI/ML technologies in our solutions and our business, as well as our potential failure to effectively implement, use, and market these technologies, may result in reputational harm or liability, or could otherwise adversely affect our business.
AI/ML is being embedded throughout nCino’s platform to help our customers maximize their productivity. We increasingly have incorporated and may continue to incorporate AI/ML solutions and features into our solutions, and otherwise within our business, and these solutions and features continue to become more vital to our operations and to our future growth over time. There can be no assurance that we will realize the desired or anticipated benefits from AI/ML, or at all, and we may fail to properly implement or market our AI/ML solutions and features. The legal, regulatory, and policy environments around AI/ML are evolving rapidly, and we may become subject to new legal and other obligations in connection with our use of AI/ML, which could require us to make significant changes to our policies and practices, necessitating expenditure of significant time, expense, and other resources. For example, in the EU/UK, laws and regulations regarding AI are developing at a fast pace. On August 1, 2024, the EU’s standalone law to govern the offering and use of AI systems in the EU (the “AI Act”) entered into force - which becomes enforceable in a gradual manner between 2025 and 2027 depending on the specific requirements. The U.K. has not to date adopted dedicated AI legislation, instead looking to rely on a principles-based, sector-specific approach to AI regulation.
In the United States, several states, such as Colorado, Utah, and California, have passed or are considering legislation or regulation governing development or use of AI technologies, or supplementing the existing privacy, consumer protection and other regulatory guidance that may apply to the use of AI technologies in our business, and which may impact our use of technology.
More generally, our use of AI/ML technologies may present additional risks and challenges that could affect their adoption and therefore our business. For example, the development of our AI/ML solutions may present ethical or social issues. If we enable or offer solutions that draw controversy due to their perceived or actual impact in privacy, employment, or in other social contexts, we may experience new or enhanced governmental or regulatory scrutiny, brand or reputational harm, competitive harm or legal liability, especially in the context of an environment with heightened geopolitical volatility. Inadequate or ineffective AI/ML development, deployment, content labeling or governance by us or others that result in controversy could also impair the acceptance of AI/ML solutions or result in unintended performance of the services. This in turn could undermine confidence in the decisions, predictions, analysis or other content that our AI/ML solutions produce, subjecting us to competitive harm, legal liability and brand or reputational harm. The rapid evolution of AI/ML will require the application of resources to develop, test and maintain our products and services to help ensure that AI/ML is implemented ethically and compliantly in order to minimize unintended, harmful impact. Uncertainty around new and emerging AI/ML applications such as generative AI content creation and AI/ML agents will require additional investment in compliance, governance and the licensing or development of proprietary datasets, machine learning models and systems to test for accuracy, safety, security, bias and other variables, which are often complex, may be costly and could impact our results of operations and financial condition. Moreover, the development of generative AI/ML solutions brings additional risks and responsibility. Known risks of generative AI/ML currently include risks related to accuracy, bias, toxicity, privacy and security and data provenance. 
For example, AI/ML technologies, including generative AI, may create content that appears correct but may be factually inaccurate or flawed, or contain copyrighted or other protected material, and if our customers or others use this flawed or protected content to their detriment, or the owners of such copyrighted material seek to enforce their rights, we may be exposed to brand or reputational harm, competitive harm and/or legal liability. Developing, testing and deploying AI/ML systems may also increase the cost profile of our offerings due to the nature of the computing costs involved in such systems. If we are unable to mitigate these risks, or if we incur excessive expenses in our efforts to do so, our reputation, business, operating results and financial condition may be harmed.
The markets in which we participate are intensely competitive and highly fragmented, and pricing pressure, rapidly evolving technologies, including the increasing adoption of AI/ML offerings by our competitors, or other competitive dynamics could adversely affect our business and results of operations.
We currently compete with providers of technology and services in the cloud-based financial services industry, primarily point solution vendors that focus on building functionality that competes with specific components of our solutions. From time to time, we also compete with systems internally developed by FIs. Many of our competitors have significantly more financial, technical, marketing and other resources than we have, may devote greater resources to the development, promotion, sale and support of their systems than we can, have more extensive customer bases and broader customer relationships than we have and have longer operating histories and greater name recognition than we do.
We may also face competition from systems internally developed by FIs leveraging large language models as well as new companies entering our markets, which may include large established businesses that decide to develop, market or resell competitive technology, acquire one of our competitors or form a strategic alliance with one of our competitors or with Salesforce. In addition, new companies entering our markets may choose to offer cloud-based banking solutions at little or no additional cost to the customer by bundling them with their existing solutions, including adjacent banking technologies. Competition from these new entrants may make attracting new customers and retaining our current customers more difficult, which may adversely affect our results of operations.
Additionally, as we continue to increase building AI/ML into many of our solutions, we face more competition as AI/ML technologies are increasingly integrated into the markets in which we compete. New AI/ML offerings may disrupt workforce needs and negatively impact demand for our solutions, or our competitors may be able to incorporate AI/ML into their offerings more efficiently or successfully than we are able to incorporate it into our solutions, and thereby achieve greater and faster adoption. Even if our AI/ML solutions are more effective than the products and services that our competitors offer, potential customers might select competitive products and services in lieu of purchasing our services.
If we are unable to compete in this environment, sales and renewals of the nCino Platform could decline and adversely affect our business and results of operations. With the introduction of rapidly evolving technologies and potential new entrants into the cloud-based banking technology market, we expect competition to intensify in the future, which could harm our ability to increase sales and maintain profitability.
We derive most of our revenues from customers in the cloud-based financial services industry, and any downturn or consolidation or decrease in technology spend in the cloud-based financial services industry could adversely affect our business.
Most of our revenues are derived from FIs whose industry has experienced significant pressure in recent years due to economic uncertainty, fluctuating interest rates, liquidity concerns and increased regulation. In recent years, some FIs have experienced consolidation, distress and failure and a number of other FIs experienced turbulence and a precipitous decline in market value. It is possible these conditions may persist, deteriorate or reoccur. If, as a result of these or other factors, any of our customers merge with or are acquired by other entities, such as FIs that have internally developed banking technology solutions or that are not our customers or use our solutions less, we may lose business. Additionally, changes in management of our customers could result in delays or cancellations of the implementation of our solutions. It is also possible that the larger FIs that result from business combinations could have greater leverage in negotiating price or other terms with us or could decide to replace some or all of the elements of our solutions. Our business may also be materially and adversely affected by weak economic conditions in the financial services industry.
Any downturn or prolonged disruption in the financial services industry may cause our customers to reduce their spending on technology or cloud-based banking solutions or to seek to terminate or renegotiate their contracts with us. Moreover, economic fluctuations caused by factors such as the U.S. Federal Reserve changing interest rates may cause potential new customers and existing customers to forego or delay purchasing our solutions or reduce the amount of spend with us, which would materially and adversely affect our business.
Our future operating results are difficult to predict, in part because we do not have an extensive operating history at the current scale of our business, and we may not achieve our expected operating results in the future.
As a result of our limited operating history at the current scale of our business, our ability to forecast our future operating results, including revenues, cash flows, and profitability, is limited and subject to a number of uncertainties. We have encountered and will encounter risks and uncertainties frequently experienced by growing companies in the technology industry, such as the risks and uncertainties described in this Annual Report on Form 10-K and others we may not be able to presently identify. If our assumptions regarding these risks and uncertainties are incorrect or change due to changes in our markets, or if we do not address these risks successfully, our operating and financial results may differ materially from our expectations and our business may suffer.
We have a history of losses, and while we have achieved profitability, we may not be able to sustain profitability on a GAAP basis in the future.
We began operations in late 2011 and experienced net losses until fiscal 2026. We generated net income (loss) attributable to nCino of $(42.3) million, $(37.9) million, and $5.2 million for the fiscal years ended January 31, 2024, 2025, and 2026, respectively. We had an accumulated deficit of $375.8 million at January 31, 2026. While we have been profitable on a GAAP basis, we may not be able to maintain or increase our level of profitability. We intend to continue to support further growth and extend the functionality of our solutions in future periods. We will also continue to face increased costs associated with growth and the expansion of our customer base and the costs of being a public company. Our continuing efforts to grow our business may be more costly than we expect, and we may not be able to increase our revenues enough to offset our increased operating expenses. We may, depending on a number of factors, continue to incur losses on a GAAP basis as we continue to invest in product development, and we cannot predict whether we will sustain profitability on a GAAP basis. If we are unable to sustain profitability, the value of our business and common stock may significantly decrease.
If we are unable to attract new customers or continue to broaden our existing customers’ use of our solutions, our revenue growth will be adversely affected.
To increase our revenues, we will need to continue to attract new customers and succeed in having our current customers expand the use of our solutions across their institution. For example, our revenue growth strategy includes increased penetration of markets outside the U.S. as well as selling our solutions to existing and new customers, and failure in either respect would adversely affect our revenue growth. In addition, for us to maintain or improve our results of operations, it is important that our customers renew their subscriptions with us on the same or more favorable terms to us when their existing subscription term expires. Our revenue growth rates may decline or fluctuate as a result of a number of factors, including customer spending levels, customer dissatisfaction with our solutions, decreases in the number of users at our customers, changes in the type and size of our customers, pricing changes, competitive conditions, the loss of our customers to other companies, and general economic conditions. Our customers may also require fewer subscriptions for our solutions as their use may enable them to operate more efficiently over time. Therefore, we cannot assure you that our current customers will renew or expand their use of our solutions. If we are unable to sign new customers or retain or attract new business from current customers, our business and results of operations may be materially and adversely affected.
If we fail to accurately anticipate and respond to rapid technological changes in the cloud-based financial services industry in which we operate, including AI/ML developments, our ability to attract and retain customers could be impaired and our competitive position could be harmed.
The cloud-based financial services industry is subject to rapid change and the introduction of new technologies to meet the needs of this industry will continue to have a significant effect on competitive conditions in our market. The introduction of new technologies, including AI/ML, continues to significantly affect competitive conditions. Competitors may introduce new or alternative solutions, particularly AI-enabled offerings, that reduce demand for our platform or render aspects of our solutions less competitive. If we are unable to successfully expand our product offerings, enhance existing functionality or develop and commercialize new technologies in a timely and cost-effective manner, our customers could migrate to competitors who may offer a broader or more attractive range of products and services. For example, in fiscal 2025, we launched our Commercial Onboarding and Account Opening solution and we may fail to achieve the market acceptance we expect of this or other new offerings. Developing and integrating new technologies, particularly AI/ML-enabled capabilities, is complex, costly, and time-consuming and may require significant investment in specialized personnel, data, infrastructure, and third-party technology. If we fail to keep pace with industry and technological developments, our business, financial condition, and results of operations could be adversely affected.
We may not be able to sustain or increase our revenue growth rate in the future.
Our revenues increased from $476.5 million for fiscal 2024 to $540.7 million for fiscal 2025 and to $594.8 million for fiscal 2026 which represents a declining rate of growth year over year. We may not be able to sustain absolute revenue growth. Furthermore, to the extent we grow in future periods, maintaining consistent rates of revenue growth may be difficult. Our revenue growth may also slow or even reverse in future periods due to a number of factors, which may include slowing demand for our solutions, our ability to successfully sell and implement new solutions, such as our retail solutions, increasing competition, decreasing growth of our overall market, the adoption of our asset-based pricing model we began implementing in fiscal 2025, our inability to attract and retain a sufficient number of FI customers, concerns over data security, our failure, for any reason, to capitalize on growth opportunities, or general economic conditions. If we are unable to maintain consistent revenue growth, our business could be adversely affected, the price of our common stock could decline or otherwise be volatile and it may be difficult for us to maintain profitability.
Our quarterly results may fluctuate significantly and may not fully reflect the underlying performance of our business.
Our quarterly results of operations, including the levels of our revenues, gross margin, profitability, cash flow, and deferred revenue, may vary significantly in the future and, accordingly, period-to-period comparisons of our results of operations may not be meaningful. Thus, the results of any one quarter should not be relied upon as an indication of future performance. Our quarterly financial results may fluctuate as a result of a variety of factors, many of which are outside of our control, and may not fully or accurately reflect the underlying performance of our business. Further, while subscriptions with our customers generally include multi-year non-cancelable terms, in a limited number of contracts, customers have an option to buy out of the contract for a specified termination fee. If such customers exercise this buy-out option, or if we negotiate an early termination of a contract at a customer’s request, any termination fee would be recognized in full at the time of termination, which would favorably affect subscription revenues in that period and unfavorably affect subscription revenues in subsequent periods. Fluctuation in quarterly results may negatively impact the value of our common stock. Factors that may cause fluctuations in our quarterly financial results include, without limitation, those listed below:
our ability to retain current customers or attract new customers;
the activation, delay in activation, or cancellation of large blocks of users by customers;
the timing of recognition of professional services revenues;
the amount and timing of operating expenses related to the maintenance and expansion of our business, operations, and infrastructure;
acquisitions of our customers, to the extent the acquirer elects not to continue using our solutions or reduces subscriptions to our solutions;
significant disruptions or distress in the FI industry;
customer renewal rates;
increases or decreases in usage of our solutions or pricing changes upon renewals of customer contracts (including as a result of our asset-based pricing model we began implementing in fiscal 2025);
network outages or security breaches;
general economic, industry, and market conditions;
changes in our pricing policies or those of our competitors;
seasonal variations in sales of our solutions, which have historically been highest in the fourth quarter of our fiscal year;
the timing and amount of litigation and litigation-related expenses;
the timing and success of new product introductions by us or our competitors or any other change in the competitive dynamics of our industry, including consolidation among competitors, customers, or strategic partners; and
the timing of expenses related to the development or acquisition of technologies or businesses and potential future charges for impairment of goodwill or intangible assets from acquired companies.
The failure to attract and retain additional qualified personnel could prevent us from executing our business strategy.
We must attract and retain highly qualified personnel. In particular, we are dependent upon the services of our senior leadership team, and the loss of any member of this team could adversely affect our business. Competition for executive officers, software developers, sales personnel, and other key employees in our industry is intense, particularly with AI/ML expertise. In particular, we compete with many other companies for software developers with high levels of experience in designing, developing, and managing cloud-based software, as well as for skilled sales and operations professionals. As we continue to incorporate AI/ML capabilities into our platform, we face heightened competition for personnel with specialized expertise in AI and competition for such talent is intense not only within the financial technology industry but also across large technology companies, financial institutions, and emerging AI-focused companies, many of which have substantially greater financial resources and brand recognition than we do.
Our principal operations are in Wilmington, North Carolina, where the pool of potential employees with the skills we need is more limited than it may be in larger markets, and we are sometimes required to induce prospective employees to relocate. Many of the companies with which we compete for experienced personnel have greater resources than we do. Compensation levels for AI/ML professionals have increased significantly in recent years, and we may be required to offer higher levels of cash compensation, equity awards, or other incentives to attract and retain such personnel, which could increase our operating expenses and adversely affect our margins. If we fail to attract new personnel or fail to retain and motivate our current personnel, our growth prospects could be severely harmed. In addition, job candidates and existing employees often consider the actual and potential value of the equity awards they receive as part of their overall compensation. Thus, if the perceived value or future value of our stock declines, our ability to attract and retain highly skilled employees may be adversely affected.
We may not accurately predict the long-term rate of customer subscription renewals or adoption of our solutions, or any resulting impact on our revenues or operating results.
We have been, and may in the future be, required to change our pricing model. For example, in fiscal 2025, we introduced a new pricing model, which sets the pricing for our solutions primarily on the asset size of the FI customer. While we believe this new model responds to how we have observed customers using our solutions and evolving market conditions, there is no assurance that our existing customers will react favorably to it, or that potential new customers will adopt it. It is also possible that the larger FIs that result from business combinations could have greater leverage in negotiating price or other terms with us or could decide to replace some or all of the elements of our solutions. It is also possible that the pricing model we began implementing in fiscal 2025 will not generate the revenues we expect from it for other reasons. Any of these factors could lead to an adverse effect on our results of operations or financial conditions and have a negative impact on the price of our common stock.
Our customers have no obligation to renew their subscriptions for our solutions after the expiration of the initial or current subscription term, and our customers, if they choose to renew at all, may renew for fewer users or on less favorable pricing terms, particularly if they seek to negotiate alternatives to our asset-based pricing model. The historic average initial term of our customer agreements has been generally three to five years in length, billed annually in advance, and our fees and services have generally been non-cancelable and have not contained refund-type provisions. U.S. mortgage contracts are generally billed monthly. Subscription arrangements that are cancelable generally have penalty clauses. Although we have observed some trends at our current scale with respect to customer subscription renewals, we cannot be certain of how actual renewal rates will compare to what we anticipate. Our renewal rates may decline or fluctuate as a result of a number of factors, including our customers’ satisfaction with our pricing or our solutions or their ability to continue their operations or spending levels.
In addition, large or influential FI customers may demand more favorable pricing or other contract terms from us. As a result, we may in the future be required to implement further changes to our pricing model, reduce our prices, or accept other unfavorable contract terms, any of which could adversely affect our revenues, gross margin, profitability, financial position, and/or cash flow.
Because we recognize subscription revenues over the term of the contract, downturns or upturns in our business may not be reflected in our results of operations until future periods.
We generally recognize subscription revenues ratably over the terms of our customer contracts. Most of the subscription revenues we report each quarter are derived from the recognition of deferred revenue relating to subscriptions activated in previous quarters. Consequently, a reduction in activated subscriptions in any single quarter may only have a small impact on our subscription revenues for that quarter. However, such a decline will negatively affect our subscription revenues in future quarters. Accordingly, the effect of significant downturns in sales or market acceptance of our solutions may not be apparent in our current-quarter revenues or reflected in our results of operations until future periods.
Our business faces significant risks from diverse and evolving cybersecurity threats, including increased threats from the use of AI/ML. A breach of our security or privacy measures or those we rely on could result in unauthorized access to, or disclosure of, customer or their clients’ data, which may materially and adversely impact our reputation, business, and results of operations.
Certain elements of our solutions, particularly our analytics and mortgage solutions, process and store personally identifiable information (“PII”), such as banking and personal information of our customers’ clients, and we may also have access to PII during various stages of the implementation process or during the course of providing customer support. Furthermore, as we develop or acquire additional functionality, we may gain greater access to PII. We maintain policies, procedures, and technological safeguards designed to protect the confidentiality, integrity, and availability of this information and our information technology systems. However, we and our third-party service providers frequently defend against and respond to data security incidents. We cannot entirely eliminate the risk of improper or unauthorized access to or disclosure of PII or other security or privacy events that impact the integrity or availability of PII or our systems and operations, or the related costs we may incur to mitigate the consequences from such events.
Further, our products are flexible and complex software solutions and there is a risk that configurations of, or defects in, our solutions or errors in implementation could create vulnerabilities to security breaches. There may be continued unlawful attempts to disrupt or gain access to our information technology systems or those of our third-party service providers or the PII or other data of our customers or their clients that may disrupt our or our customers’ operations.
In addition, because we leverage third-party providers, including cloud, software, data center, and other critical technology vendors to deliver our solutions to our customers and their clients, we rely heavily on the data security technology practices and policies adopted by these third-party providers. A vulnerability in a third-party provider’s software or systems, a failure of our third-party providers’ safeguards, policies or procedures, or a breach of a third-party provider’s software or systems could result in the compromise of the confidentiality, integrity, or availability of our systems or the data housed in our solutions.
Cyberattacks and other malicious internet-based activity, including increased threats from the use of AI, continue to increase and evolve, and cloud-based providers of products and services have been and are expected to continue to be targeted. In addition to traditional computer “hackers,” malicious code (such as viruses and worms), phishing, employee theft or misuse, and denial-of-service attacks, sophisticated criminal networks as well as nation-state and nation-state supported actors now engage in attacks, including advanced persistent threat intrusions. Current or future criminal capabilities, discovery of existing or new vulnerabilities, and attempts to exploit those vulnerabilities or other developments, may compromise or breach our systems or solutions. In the event our or our third-party providers’ protection efforts are unsuccessful and our systems or solutions are compromised, we could suffer substantial harm. A security breach could result in operational disruptions, loss, compromise or corruption of customer or client data or data we rely on to provide our solutions, including our analytics initiatives and offerings that impair our ability to provide our solutions and meet our customers’ requirements resulting in decreased revenues and otherwise materially negatively impacting our financial results. Also, our reputation could suffer irreparable harm, causing our current and prospective customers to decline to use our solutions in the future.
Further, we could be forced to expend significant financial and operational resources in response to a security breach, including repairing system damage, increasing security protection costs by deploying additional personnel and protection technologies, and defending against and resolving legal and regulatory claims, all of which could be costly and divert resources and the attention of our management and key personnel away from our business operations.
Federal and state regulations may require us or our customers to notify individuals of data security or privacy incidents involving certain types of personal data or information technology systems, and those laws and regulations continue to evolve to add more reporting requirements on faster timelines. Security compromises experienced by others in our industry, our customers, or us may lead to public disclosures and widespread negative publicity. Any security compromise in our industry, whether actual or perceived, could erode customer confidence in the effectiveness of our security measures, negatively impact our ability to attract new customers, cause existing customers to elect not to renew or expand their use of our solutions, or subject us to third-party lawsuits, regulatory fines, or other actions or liabilities, which could materially and adversely affect our business and results of operations.
In addition, some of our customers contractually require notification of data security compromises and include representations and warranties in their contracts with us that our solutions comply with certain legal and technical standards related to data security and privacy and meet certain service levels. In certain of our contracts, a data security compromise or operational disruption impacting us or one of our critical vendors, or system unavailability or damage due to other circumstances, may constitute a material breach and give rise to a customer’s right to terminate their contract with us. In these circumstances, it may be difficult or impossible to cure such a breach in order to prevent customers from potentially terminating their contracts with us. Furthermore, although our customer contracts typically include limitations on our potential liability, there can be no assurance that such limitations of liability would be adequate. We also cannot be sure that our existing general liability insurance coverage and coverage for errors or omissions will be available on acceptable terms or will be available in sufficient amounts to cover one or more claims, or that our insurers will not deny or attempt to deny coverage as to any future claim. The successful assertion of one or more claims against us, the inadequacy or denial of coverage under our insurance policies, litigation to pursue claims under our policies, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or coinsurance requirements, could materially and adversely affect our business and results of operations.
As cyber threats have evolved and continue to evolve, vulnerabilities in our solutions and information technology systems have been and will in the future be identified, and we expect to expend additional resources to remediate such vulnerabilities and continue to modify or enhance our layers of defense. System enhancements and updates create risks associated with implementing new systems and integrating them with existing ones, including risks associated with the effectiveness of our, our customers’ and our third-party providers’ software development lifecycles. Due to the complexity and interconnectedness of our systems and solutions, the process of enhancing our layers of defense, including addressing hardware-based vulnerabilities, can itself create a risk of systems disruptions and security issues. Customer utilization of older versions of our solutions can increase the risk and complexity of security vulnerabilities and the resources and time required to address them.
For more information on our current cybersecurity risk management practices, see Part I, Item 1C of this Annual Report on Form 10-K, “Cybersecurity.”
Privacy and data security concerns, data collection and transfer restrictions and related domestic or foreign regulations may limit the use and adoption of our solutions and adversely affect our business and results of operations.
Personal privacy, information security, and data protection, including with respect to the use of AI technologies, are significant issues in the U.S., the European Union (“EU”), the United Kingdom (“UK”) and a number of other jurisdictions where we offer our solutions. The regulatory framework governing the collection, processing, storage, and use of certain information, particularly financial and other PII, is rapidly evolving. Any failure or perceived failure by us to comply with applicable privacy, security, or data protection laws, regulations, or industry standards may materially and adversely affect our business and results of operations.
We expect that there will continue to be new proposed and adopted laws, regulations, and industry standards concerning privacy, data protection, and information security in the U.S., the EU, and other jurisdictions in which we operate. For instance, the California Consumer Privacy Act (the “CCPA”) became effective on January 1, 2020. The CCPA gives California residents expanded rights to access and delete their personal information, receive detailed information about how their personal information is used and shared by requiring covered companies to provide new disclosures to California consumers (as that term is broadly defined), and provide such consumers rights to opt-out of certain sales of personal information. The CCPA provides for potential civil penalties for violations, as well as a limited private right of action for data breaches caused as a result of unreasonable information security practices that can heighten post-incident litigation risk. The California Privacy Rights Act (the “CPRA”), which expands the CCPA, passed in November 2020 and went into effect on January 1, 2023, expands privacy rights further and expands compliance requirements. Among other things, the CPRA imposes additional data protection obligations on companies doing business in California, including additional consumer rights processes, limitations on data uses, new audit requirements for higher risk data, and opt outs for certain uses of sensitive data.
It has also created a new California data protection agency authorized to issue substantive regulations which could result in increased privacy and information security enforcement. In 2025, new CCPA regulations were approved, going into effect starting in 2026. These regulations impose new requirements including with respect to automated decision-making technologies (“ADMT”). The CCPA includes a number of limited exceptions, including an exception for data that is collected, processed, sold or disclosed pursuant to the Gramm-Leach-Bliley-Act (“GLBA”) and an exemption that includes some types of data covered by the Fair Credit Reporting Act (“FCRA”). These exceptions, however, do not apply to the limited private cause of action afforded to individuals for incidents caused by a company’s failure to implement and maintain reasonable security measures to protect consumers’ personal information. Additionally, the CCPA applies to the personal information of California residents collected in the employment, job applicant and business-to-business settings.
Twenty U.S. states have enacted comprehensive privacy laws and several others are proposing and enacting laws and regulations that impose obligations similar to the CCPA or that otherwise involve significant obligations and restrictions. These laws and regulations are constantly evolving and add layers of complexity to compliance in the U.S. market. The CCPA and similar new state laws and regulations will require additional resources to ensure compliance, and may have potentially conflicting requirements that would make compliance challenging.
The GLBA and FCRA impose privacy and information security requirements on FIs, including obligations to protect and safeguard consumers’ nonpublic personal information and creditworthiness information, respectively, and limitations on the use and disclosure of such information. The GLBA requires appropriate administrative, technical, and physical safeguards to ensure the security, confidentiality, integrity, availability, and the proper disposal of nonpublic personal information, and the FCRA imposes similar information security requirements regarding the protection of creditworthiness information.
The Federal Trade Commission (“FTC”) and many state attorneys general are interpreting existing federal and state consumer protection laws to impose evolving standards for the collection, use, dissemination and security of personal information. Courts may also adopt the standards for fair information practices promulgated by the FTC, which concern consumer notice, choice, security and access. Consumer protection laws require us to publish statements that describe how we handle personal information and choices individuals may have about the way we handle their personal information. If such information that we publish is considered untrue, we may be subject to government claims of unfair or deceptive trade practices, which could lead to significant liabilities and consequences. Furthermore, according to the FTC, violating consumers’ privacy rights or failing to take appropriate steps to keep consumers’ personal information secure may constitute unfair acts or practices in or affecting commerce in violation of Section 5 of the FTC Act.
Privacy and cybersecurity laws continue to evolve to impose ever stricter standards for the collection, use, dissemination, security, transfer and localization of personally identifiable information, including financial information. Actual, potential, or perceived violations of such laws could result in regulatory investigations, fines, orders to cease/change our use of such technologies and processing of personal data, as well as civil claims including class actions, reputational damage and ongoing compliance costs, any of which could harm our business, results of operations and financial condition. Moreover, several states have enacted or are considering AI-specific regulations, which could increase compliance burdens and heighten the risks associated with the training, development, deployment, and use of AI technologies.
Similarly, the European Economic Area (the “EEA”) (comprised of the EU Member States and Iceland, Liechtenstein and Norway) adopted the General Data Protection Regulation (2016/679) (the “EU GDPR”) in May 2018 and the UK implemented the EU GDPR by virtue of section 3 of the European Union (Withdrawal) Act 2018 which sits alongside the UK Data Protection Act 2018 (as amended by the U.K. Data (Use and Access) Act 2025) (known as the “UK GDPR,” and together with the “EU GDPR,” the “GDPR”). The GDPR has a direct effect where an entity is established in the EEA or the UK and has extra-territorial effect where an entity established outside of the EEA or UK processes personal data in relation to the offering of goods or services to individuals in the EEA and/or the UK or the monitoring of their behavior. The GDPR imposes a number of obligations on controllers, including, among others: (i) accountability and transparency requirements which require controllers to demonstrate and record compliance with the GDPR and to provide detailed information to data subjects regarding processing; (ii) requirements for obtaining valid consent where consent is the lawful basis for processing; (iii) obligations to consider data protection as any new products or services are developed and to limit the amount of personal data processed in relation to the purpose for which they are processed; (iv) obligations to comply with data protection rights of data subjects including a right of access to and rectification of personal data, a right to obtain restriction of processing or to object to processing of personal data and a right to ask for a copy of personal data to be provided to a third party in a usable format and erasing personal data in certain circumstances and the right not to be subject to solely automated decision-making; (v) obligations to implement appropriate technical and organizational security measures to safeguard personal data; and (vi) obligations to report certain personal data breaches to the relevant supervisory authority without undue delay (and no later than 72 hours where feasible) and to affected individuals, where the personal data breach is likely to result in a high risk to their rights and freedoms, without undue delay. Processors are required to notify the controller without undue delay after becoming aware of a personal data breach.
In addition, the EU GDPR prohibits the international transfer of personal data from the EEA to countries outside of the EEA unless made to a country deemed to have adequate data privacy laws by the European Commission or a data transfer mechanism in accordance with the EU GDPR has been put in place (e.g., Standard Contractual Clauses or “SCCs”) or a derogation under the EU GDPR can be relied on. In certain cases (e.g. where transfers are made in reliance on SCCs) it is also necessary to carry out a transfer impact assessment (“TIA”) which, among other things, assesses laws governing access to personal data in the recipient country and considers whether supplementary measures that provide privacy protections
additional to those provided under SCCs will need to be implemented to ensure an ‘essentially equivalent’ level of data protection to that afforded in the EEA. On July 10, 2023, the European Commission adopted its Final Implementing Decision granting the U.S. adequacy (“Adequacy Decision”) for EU-US transfers of personal data for entities self-certified to the EU-US Data Privacy Framework (“DPF”). Entities relying on EU SCCs for transfers to the U.S. are also able to rely on the analysis in the Adequacy Decision as support for their TIA regarding the equivalence of U.S. national security safeguards and redress.
The UK GDPR also imposes similar restrictions on transfers of personal data from the UK to jurisdictions that the UK government does not consider adequate. The UK Government has published its own form of the EU SCCs, known as the International Data Transfer Agreement and an International Data Transfer Addendum to the new SCCs. The UK Information Commissioner’s Office (“ICO”) has also published its own version of the TIA, although entities may choose to adopt either the EU or UK-style TIA. Further, on September 21, 2023, the UK Secretary of State for Science, Innovation and Technology established a UK-U.S. data bridge (i.e., a UK equivalent of the Adequacy Decision) and adopted UK regulations to implement the UK-U.S. data bridge. Personal data may be transferred from the UK under the UK-U.S. data bridge through the UK extension to the DPF to organizations self-certified under the UK extension to DPF. This may have implications for our cross-border data flows and may result in additional compliance costs.
Data protection supervisory authorities have the power under the GDPR to (amongst other things) impose fines of up to €20 million (under the EU GDPR) or £17.5 million (under the UK GDPR) or up to 4% of the annual global revenue of the noncompliant company, whichever is greater, for serious violations of certain of the GDPR’s requirements. Data subjects also have a right to compensation, as a result of an organization’s breach of the GDPR which has affected them for financial or non-financial losses (e.g., distress). Complying with the GDPR may cause us to incur substantial operational and compliance costs or require us to change our business practices. Despite our efforts to bring practices into compliance with the GDPR, we may not be successful either due to internal or external factors such as resource allocation limitations or a lack of vendor cooperation. Non-compliance could result in proceedings against us by governmental entities, regulators, customers, data subjects, suppliers, vendors or other parties. Further, there is a risk that the measures will not be implemented correctly or that individuals within the business will not be fully compliant with the new procedures. If there are breaches of these measures, we could face significant administrative and monetary sanctions as well as reputational damage which may have a material adverse effect on our operations, financial condition and prospects.
From a cybersecurity perspective, the GDPR does not provide for a specific set of cybersecurity requirements or measures to be implemented but rather requires a controller or processor to implement appropriate cyber and data security measures in accordance with the then-current risk, the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing. The GDPR however does explicitly require that controllers notify personal data breaches as described above.
On January 17, 2023, the EU Network and Information Systems Security 2 Directive (“NISD2”) entered into force. Member States had until October 17, 2024 to transpose NISD2 into EU Member State law. As of February 2026, most Member States have now implemented NISD2. The European Commission initiated infringement procedures, in November 2024, by sending letters of formal notice to 23 Member States for failing to fully transpose NISD2 by this deadline. Under NISD2, stringent cybersecurity and incident reporting requirements are imposed on ‘essential’ and ‘important’ entities, which include information and communication technology (“ICT”) managed service providers.
NISD2 states that any maximum fine which national implementing law provides for should at least be set at €10 million or 2% of total worldwide turnover, whichever is higher, where essential entities are concerned. Other sanctions may include (i) a temporary suspension to provide services in the EU (by suspending relevant authorizations/certifications); (ii) an order to make public certain elements of the infringement and/or inform customers; and (iii) injunctions to immediately cease infringing conduct. Importantly, NISD2 also provides that senior members of staff can be held personally liable, and face administrative fines or be temporarily suspended from exercising managerial functions at the legal representative or chief executive officer level.
The EU Digital Operational Resilience Act (“DORA”), which took effect on January 17, 2025, imposes regulatory obligations to reinforce the digital operational resilience of regulated entities operating in the financial services industry, and to adequately manage and remediate risks related to the engagement of ICT third-party service providers. DORA only imposes direct regulatory obligations on ICT third-party service providers that are considered ‘critical’ within the meaning of DORA. Non-critical ICT third-party service providers are only indirectly impacted by DORA, by virtue of the mandatory contractual terms that DORA requires financial entities to implement with ICT third-party service providers.
DORA does not provide for minimum or maximum monetary sanctions but empowers EU Member State competent authorities to enforce DORA and determine the appropriate sanction on the basis of the factors set out in DORA, including the gravity and duration of the infringement. Sanctions may be administrative or criminal in nature, and DORA also provides that individual members of the management body can be held personally liable for any non-compliance.
We cannot yet fully determine the impact these or future laws, rules, and regulations may have on our business or operations. Any such laws, rules, and regulations may be inconsistent among different jurisdictions, subject to differing interpretations or may conflict with our current or future practices. Additionally, we may be bound by contractual requirements applicable to our collection, use, processing, and disclosure of various types of information including financial and PII, and may be bound by, or voluntarily comply with, self-regulatory or other industry standards relating to these matters that may further change as laws, rules, and regulations evolve.
Any failure or perceived failure by us, or any third parties with which we do business, to comply with these laws, rules, and regulations, or with other obligations to which we or such third parties are or may become subject, may result in actions or other claims against us by governmental entities or private actors, the expenditure of substantial costs, time, and other resources, or the incurrence of fines, penalties, or other liabilities. There is also a risk that we could be impacted by a cybersecurity incident that results in loss or unauthorized disclosure of personal data, potentially resulting in us facing harms similar to those described above. In addition, any such action, particularly to the extent we were found to be guilty of violations or otherwise liable for damages, would damage our reputation and adversely affect our business and results of operations.
Fundamental elements of the nCino Platform are built on the Salesforce Platform and we rely on our agreement with Salesforce to provide this solution to our customers.
Fundamental elements of the nCino Platform are built on the Salesforce Platform and we rely on our agreement with Salesforce to use the Salesforce Platform in conjunction with these solutions, including for hosting infrastructure and data center operations. Any termination of our relationship with Salesforce would result in a materially adverse impact on our business model.
Our agreement with Salesforce expires on January 31, 2031, unless earlier terminated by either party in the event of the other party’s material breach, bankruptcy, change in control in favor of a direct competitor, or intellectual property infringement, and thereafter automatically renews for additional one-year periods unless notice of non-renewal is provided by either party. If we are unable to renew our agreement with Salesforce, there would be, absent a termination for cause, a wind-down period during which existing customers would be able to continue using the nCino Platform in conjunction with the Salesforce Platform, but we would be unable to provide this solution to new customers and could be limited in our ability to allow current customers to add additional users. In addition, if we are unable to renew our agreement with Salesforce upon its expiration, our customers would need to obtain a separate subscription from Salesforce in order to access the nCino Platform. This could cause a significant delay in the time required to enter into agreements with customers, place us and our customers at a disadvantage in negotiating with Salesforce, and lead customers not to renew or enter into agreements with us.
We also cannot assure you that the pricing or other terms in any renewal with Salesforce would be favorable to us, and if they are not, our business and operating results may be materially and adversely affected.
In addition, Salesforce has the right to terminate their agreement with us in certain circumstances, including in the event of a material breach by us. If Salesforce terminates our agreement for cause, it would not be required to provide the wind-down period described above. We are also required to indemnify Salesforce for claims made against Salesforce by a third party alleging that the nCino Platform infringes the intellectual property rights of such third party.
An expiration or termination of our agreement with Salesforce would cause us to incur significant time and expense to acquire rights to, or develop, a replacement solution and we may not be successful in these efforts, which could cause the nCino Platform to become obsolete. Even if we were to successfully acquire or develop a replacement solution, some customers may decide not to adopt such solution and may, as a result, decide to use a different solution. If we were unsuccessful in acquiring or developing a replacement solution or acquire or develop a replacement solution that our customers do not adopt, our business, results of operations, and brand would be materially and adversely affected.
Furthermore, there are no exclusivity arrangements in place with Salesforce that would prevent them from developing their own offerings that compete directly with ours, acquiring a company with offerings similar to ours, or investing greater resources in our competitors. While we believe our relationship with Salesforce is strong, Salesforce competing with us could materially and adversely affect our business and results of operations.
We depend on data centers operated by or on behalf of Salesforce, AWS, and other third parties, and any disruption in the operation of these facilities could adversely affect our business and subject us to liability.
Our solutions are primarily hosted in data centers operated by or on behalf of Salesforce, AWS, and other third parties, and we do not control the operation of these data centers. Problems associated with these data centers could adversely affect the experience of our customers. Any disruptions or other operational performance problems with these data centers could result in material interruptions in our services, adversely affect our reputation and results of operations, and subject us to liability.
In addition to serving as a data center provider, AWS provides cloud infrastructure and platform services that are integral to the operation of certain of our products. AWS also serves as the primary infrastructure layer for certain of our products including our U.S. mortgage business and our artificial intelligence and machine learning capabilities, including the cloud platform services that power our AI-driven features and our agentic AI platform. Any disruption to these services, including a prolonged outage or termination of our agreement with AWS, could impair our ability to deliver those products and AI capabilities to customers and could adversely affect our business and results of operations.
Our customers are highly regulated and subject to a number of challenges and risks. Our failure to comply with laws and regulations applicable to us as a technology provider to FIs could adversely affect our business and results of operations, increase costs, and impose constraints on the way we conduct our business.
Our customers and prospective customers are highly regulated and are generally required to comply with stringent regulations in connection with performing business functions that our solutions address. As a provider of technology to FIs, we have been, and expect to continue to be, examined on a periodic basis by various regulatory agencies and may be required to review certain of our suppliers and partners. In addition, while much of our operations are not directly subject to the same regulations applicable to FIs, we are generally obligated to our customers to provide software solutions and maintain internal systems and processes that comply with certain federal and state regulations applicable to them. For example, as a result of obligations under some of our customer contracts, we are required to comply with certain provisions of the GLBA related to the privacy of consumer information and may be subject to other privacy and data security laws because of the solutions we provide to FIs. The GLBA includes limitations on FI’s disclosure of nonpublic personal information about a consumer to nonaffiliated third parties, in certain circumstances requiring FIs to limit the use and further disclosure of nonpublic personal information to nonaffiliated third parties and requiring FIs to safeguard nonpublic personal information.
Banking regulations for information security and breach notification also impose obligations on us due to our relationships with customers that increase our information security obligations and customers may impose additional information security standards upon us, such as those relating to the New York Department of Financial Services Cybersecurity Regulation (“Cybersecurity Regulation”) or the National Association of Insurance Commissioner’s Insurance Data Security Model Law, which are both intended to establish standards for data security and standards for the investigation and notification of data breaches applicable to insurance licensees. As of February 1, 2026, a version of the Insurance Data Security Model law has been adopted in more than 25 jurisdictions. Both the Cybersecurity Regulation and Insurance Data Security Model Law require oversight of third-party service providers with respect to information security, among other things. Matters subject to review and examination by federal and state FI regulatory agencies and external auditors include our internal information technology controls in connection with our performance of data processing services, the agreements giving rise to those processing activities, and the design of our solutions. Any inability to satisfy these examinations and maintain compliance with applicable regulations could adversely affect our ability to conduct our business, including attracting and maintaining customers.
If we have to make changes to our internal processes and solutions as a result of these regulations, we could be required to invest substantial additional time and funds and divert time and resources from other corporate purposes to remedy any identified deficiency.
The evolving, complex, and often unpredictable regulatory environment in which our customers operate could result in our failure to provide compliant solutions, which could result in customers not purchasing our solutions or terminating their contracts with us or the imposition of fines or other liabilities for which we may be responsible. In addition, federal, state, and/or foreign agencies may attempt to further regulate our activities in the future which could adversely affect our business and results of operations.
We have and may continue to acquire or invest in companies, pursue business partnerships or divest products or assets, which may divert our management’s attention or result in dilution to our stockholders, and we may be unable to integrate
acquired businesses and technologies successfully or achieve the expected benefits of such acquisitions, investments, partnerships, or divestitures.
From time to time, we consider potential strategic transactions, including acquisitions or divestitures of, or investments in, businesses, technologies, services, solutions, and other assets. For example, we completed three acquisitions in fiscal 2025 and one acquisition in fiscal 2026. We also may enter into relationships with other businesses to expand our solutions, which could involve preferred or exclusive licenses, additional channels of distribution, discount pricing, or investments in other companies. Negotiating these transactions can be time-consuming, difficult, and expensive, and our ability to close these transactions may be subject to approvals that are beyond our control. For instance, we incurred significant costs in connection with our prior acquisitions. If an acquired business fails to meet our expectations, our operating results, business, and financial position may suffer. We may not be able to find and identify desirable acquisition targets, we may incorrectly estimate the value of an acquisition target, and we may not be successful in entering into an agreement with any particular target or identified purchaser for divestiture opportunities. If we are successful in acquiring additional businesses, we may not achieve the anticipated benefits from the acquired business due to a number of factors, including:
our inability to integrate or benefit from acquired technologies or services;
unanticipated costs or liabilities associated with the acquisition;
incurrence of transaction-related costs;
difficulty integrating the technology, accounting systems, operations, control environments, and personnel of the acquired business and integrating the acquired business or its employees into our culture;
difficulties and additional expenses associated with supporting legacy solutions and infrastructure of the acquired business;
difficulty converting the customers of the acquired business to our solutions and contract terms, including disparities in terms;
additional costs for the support or professional services model of the acquired company;
diversion of management’s attention and other resources;
adverse effects to our existing business relationships with business partners and customers as a result of the acquisition or divestiture;
the issuance of additional equity securities that could dilute the ownership interests of our stockholders;
incurrence of debt on terms unfavorable to us or that we are unable to repay;
incurrence of substantial liabilities;
difficulties retaining key employees of the acquired business; and
adverse tax consequences, substantial depreciation, or deferred compensation charges.
In addition, a significant portion of the purchase price of companies we acquire may be allocated to acquired goodwill and other intangible assets, which must be assessed for impairment at least annually. In the future, if our acquisitions do not yield expected returns, we may be required to take charges to our operating results based on this impairment assessment process, which could adversely affect our results of operations.
Any legal proceedings against us could adversely affect our operations and prospects, damage our reputation, and be costly and time-consuming to defend.
In the future, we may become subject, from time to time, to legal proceedings and claims that arise in the ordinary course of business, such as claims brought by our customers in connection with commercial disputes or employment claims made by current or former employees. Legal proceedings might result in damages and harm to our operations and prospects,
reputational damage, substantial costs, and may divert management’s attention and resources, which might adversely impact our business, overall financial condition, and results of operations. Insurance might not cover such claims, might not provide sufficient payments to cover all the costs to resolve one or more such claims, and might not continue to be available on terms acceptable to us. Moreover, any negative impact to our reputation will not be adequately covered by any insurance recovery. A claim brought against us that is uninsured or underinsured could result in unanticipated costs, thereby reducing our results of operations and leading analysts or potential investors to reduce their expectations of our performance, which could reduce the value of our common stock.
Our corporate culture has contributed to our success, and if we cannot maintain it as we grow, we could lose the innovation, creativity and teamwork fostered by our culture, and our business may be adversely affected.
We believe our corporate culture is one of our fundamental strengths, as we believe it enables us to attract and retain top talent and deliver superior results for our customers. As we grow, we may find it difficult to preserve our corporate culture, which could reduce our ability to innovate and operate effectively. In turn, the failure to preserve our culture could negatively affect our ability to attract, recruit, integrate and retain employees, continue to perform at current levels and effectively execute our business strategy.
We may encounter implementation challenges, including in situations in which we rely on SIs, which would materially and adversely affect our business and results of operations.
We may face unexpected challenges related to the complexity of our customers’ implementation and configuration requirements. Implementation of our solutions may be delayed or expenses may increase when customers have unexpected data, software, or technology challenges, or unanticipated business requirements, which could adversely affect our relationship with customers and our operating results. In general, the revenues related to implementation and other professional services we provide are recognized on a proportional performance basis, and delays and difficulties in these engagements could result in losses on these contracts. In addition, our customers often require complex acceptance testing related to the implementation of our solutions. We also leverage the services of SIs, including Accenture, Deloitte, PwC, and West Monroe Partners, among others, to implement and configure the nCino Platform for our larger FI customers, while we have historically performed professional services for smaller FIs ourselves. While SI partners generally contract directly with our customers, any failure or delay by the SI partners we work with in providing adequate service and support would likely adversely affect our brand and reputation. For implementations we conduct ourselves, project delays may result in recognizing revenues later than expected. Further, because we do not fully control our customers’ implementation schedules, if our customers do not allocate the internal resources necessary to meet implementation timelines or if there are unanticipated implementation delays or difficulties, our ability to take customers live and the overall customer experience could be adversely affected.
We rely on existing customers to act as references for prospective customers, and difficulties in implementation and configuration could therefore adversely affect our ability to attract new customers. Any difficulties or delays in implementation processes could cause customers to delay or forego future purchases of our solutions.
We have experienced rapid growth, and if we fail to manage our growth effectively, we may be unable to execute our business plan, maintain high levels of service and customer satisfaction, or adequately address competitive challenges, any of which may materially and adversely affect our business and results of operations.
Since our inception, our business has grown rapidly, which has resulted in a large increase in our employee headcount, expansion of our infrastructure, enhancement of our internal systems, and other significant changes and additional complexities. Our revenues increased from $476.5 million for fiscal 2024 to $540.7 million for fiscal 2025 and to $594.8 million for fiscal 2026. Our total number of employees increased from 436 as of January 31, 2018 to 1,684 as of January 31, 2026. Managing and sustaining a growing workforce and customer base geographically dispersed in the U.S. and internationally requires substantial management effort, infrastructure, and operational capabilities. To support our growth, we must continue to improve our management resources and our operational and financial controls and systems, and these improvements may increase our expenses more than anticipated and result in a more complex business. We also have to expand and enhance the capabilities of our sales, relationship management, implementation, customer service, research and development, and other personnel to support our growth and continue to achieve high levels of customer service and satisfaction. Our success depends on our ability to plan for and manage this growth effectively. If we fail to anticipate and manage our growth or are unable to continue to provide high levels of customer service, our reputation, as well as our business and results of operations, could be materially and adversely affected.
Defects, errors, or other performance problems in our solutions could harm our reputation, result in significant costs to us, impair our ability to sell our solutions, and subject us to substantial liability.
Our solutions are complex and may contain defects or errors when implemented or when new functionality is released. Despite extensive testing, from time to time we have discovered, and may in the future discover, defects or errors in our solutions. As we rapidly develop and deploy AI-powered features, the risk of unexpected behaviors, inaccuracies, or performance issues increases. Any performance problems or defects in our solutions may materially and adversely affect our business and results of operations. Defects, errors, or other performance problems or disruptions in service to provide bug fixes or upgrades, whether in connection with day-to-day operations or otherwise, could be costly for us, damage our customers’ businesses, and harm our reputation. In addition, if we have any such errors, defects, or other performance problems, our customers could seek to terminate their contracts, elect not to renew their subscriptions, delay or withhold payment, or make claims against us. Any of these actions could result in liability, lost business, increased insurance costs, difficulty in collecting accounts receivable, costly litigation, or adverse publicity. Errors, defects, or other problems could also result in reduced sales or a loss of, or delay in, the market acceptance of our solutions.
We leverage third-party software, content, and services for use with our solutions. Performance issues, errors and defects, or failure to successfully integrate or license necessary third-party software, content, or services, could cause delays, errors, or failures of our solutions, increases in our expenses, and reductions in our sales, which could materially and adversely affect our business and results of operations.
We use software and content licensed from, and services provided by, a variety of third parties in connection with the operation of our solutions. Any performance issues, errors, bugs, or defects in third-party software, content, or services could result in errors or a failure of our solutions, which could adversely affect our business and results of operations. In the future, we might need to license other software, content, or services to enhance our solutions and meet evolving customer demands and requirements. Any limitations in our ability to use third-party software, content, or services could significantly increase our expenses and otherwise result in delays, a reduction in functionality, or errors or failures of our solutions until equivalent technology or content is either developed by us or, if available, identified, obtained through purchase or license, and integrated into our solutions. In addition, third-party licenses may expose us to increased risks, including risks associated with the integration of new technology, the diversion of resources from the development of our own proprietary technology, and our inability to generate revenues from new technology sufficient to offset associated acquisition and maintenance costs, all of which may increase our expenses and materially and adversely affect our business and results of operations.
We may fail to successfully expand internationally. In addition, sales to customers outside the U.S. or with international operations expose us to risks inherent in international sales, which may include a marked increase in expenses.
For the fiscal years ended January 31, 2024, 2025, and 2026, sales to customers outside the U.S. accounted for 18.7%, 21.5% and 22.1%, respectively, of our total revenues. A key element of our growth strategy is to further expand our international operations and worldwide customer base. We have expended significant resources to build out our sales and professional services organizations outside of the U.S. and we may not realize a suitable return on this investment in the near future, if at all. We have limited operating experience in international markets, and we cannot assure you that our international expansion efforts will be successful. Our experience in the U.S. may not be relevant to our ability to expand in any international market.
Operating in international markets requires significant resources and management attention and subjects us to regulatory, economic, and political risks that are different from those in the U.S. Export control regulations in the U.S. may increasingly be implicated in our operations as we expand internationally. These regulations may limit the export of our solutions and provision of our solutions outside of the U.S., or may require export authorizations, including by license, a license exception, or other appropriate government authorizations, including annual or semi-annual reporting and the filing of an encryption registration. Changes in export or import laws, or corresponding sanctions, may delay the introduction and sale of our solutions in international markets, or, in some cases, prevent the export or import of our solutions to certain countries, regions, governments, persons, or entities altogether, which could adversely affect our business, financial condition, and results of operations.
We are also subject to various domestic and international anti-corruption laws, such as the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act, as well as other similar anti-bribery and anti-kickback laws and regulations. These laws and regulations generally prohibit companies and their employees and intermediaries from authorizing, offering, or providing improper payments or benefits to officials and other recipients for improper purposes. Our precautions to prevent violations of these laws may prove ineffective, and our potential exposure for violating these laws increases as our international presence and sales expand.
In addition, we face risks in doing business internationally that could adversely affect our business, including:
unanticipated costs;
the need to localize and adapt our solutions for specific countries;
complying with varying and sometimes conflicting data privacy laws and regulations;
difficulties in staffing and managing foreign operations, including employment laws and regulations;
unstable regional, economic, or political conditions;
different pricing environments, longer sales cycles, and collections issues;
new and different sources of competition;
weaker protection for intellectual property and other legal rights than in the U.S. and practical difficulties in enforcing intellectual property and other rights outside of the U.S.;
laws and business practices favoring local competitors;
compliance challenges related to the complexity of multiple, conflicting, and changing governmental laws and regulations, including employment, tax, and anti-bribery laws and regulations;
increased financial accounting and reporting burdens and complexities;
restrictions on the transfer of funds; and
adverse tax consequences.
Our international contracts often provide for payment denominated in local currencies, and the majority of our local costs are denominated in local currencies. Therefore, fluctuations in the value of the U.S. dollar and foreign currencies may impact our results of operations when translated into U.S. dollars. We do not currently engage in currency hedging activities to limit the risk of exchange rate fluctuations.
Failure to effectively expand our sales capabilities could harm our ability to increase our customer base.
Increasing our customer base and expanding customer adoption within and across business lines will depend, to a significant extent, on our ability to effectively expand our sales and marketing operations and activities. We plan to continue to expand our direct sales force both domestically and internationally for the foreseeable future. We believe that there is significant competition for experienced sales professionals with the sales skills and technical knowledge that we require. Newly hired employees require significant training and time before they achieve full productivity and they may not become as productive as quickly as we expect, if at all. Further, we may be unable to hire or retain sufficient numbers of qualified individuals in the future in the markets where we do business. Our business will be adversely affected if our sales expansion efforts do not generate a significant increase in revenues.
If we fail to provide effective customer training on our solutions and high-quality customer support, our business and reputation would suffer.
Effective customer training and high-quality, ongoing customer support are critical to the successful marketing, sale, and adoption of our solutions and for the renewal of existing customer contracts. As we grow our customer base, we will need to further invest in and expand our customer support and training organization, which could strain our team and infrastructure and reduce profit margins. If we do not help our customers adopt our solutions, quickly resolve any post-implementation matters, and provide effective ongoing customer support and training, our ability to expand sales to existing and future customers and our reputation would be adversely affected.
If we are unable to effectively integrate our solutions with other systems used by our customers, or if there are performance issues with such third-party systems, our solutions will not operate effectively and our business and reputation will be adversely affected.
Our solutions integrate with other third-party systems used by our customers, including core processing systems. We do not have formal arrangements with many of these third-party providers regarding our access to their application program interfaces to enable these customer integrations. If we are unable to effectively integrate with third-party systems, our customers’ operations may be disrupted, which may result in disputes with customers, negatively impact customer satisfaction and harm our business. If the software of such third-party providers has performance or other problems, such issues may reflect poorly on us and the adoption and renewal of our solutions, and our business and reputation may be harmed.
Our sales cycle can be unpredictable, time-consuming and costly.
Our sales process involves educating prospective customers and existing customers about the benefits and technical capabilities of our solutions. Prospective customers often undertake a prolonged evaluation process, which typically involves not only our solutions, but also those of our competitors. Our sales cycles are typically lengthy, generally ranging from six to nine months for smaller FIs and 12 to 18 months or more for larger FIs. We may spend substantial time, effort and money on our sales and marketing efforts without any assurance that our efforts will produce any sales. Events affecting our customers’ businesses may occur during the sales cycle that could affect the size or timing of a purchase, contributing to more unpredictability in our business and results of operations. As a result of these factors, we may face greater costs, longer sales cycles and less predictability in the future.
Failure to protect our proprietary technology and intellectual property rights could adversely affect our business and results of operations.
Our future success and competitive position depend in part on our ability to protect our intellectual property and proprietary technologies. To safeguard these rights, we rely on a combination of patent, trademark, copyright, and trade secret laws and contractual protections in the U.S. and other jurisdictions, all of which provide only limited protection and may not now or in the future provide us with a competitive advantage.
As of January 31, 2026, we had 12 issued patents relating to the nCino Platform in the U.S. Any patents that may issue in the future from our pending or future patent applications may not provide sufficiently broad protection and may not be enforceable in actions against alleged infringers. We have registered the “nCino” name and logo in the U.S. and certain other countries and we have registrations and/or pending applications for additional marks in the U.S. and certain other countries. However, we cannot assure you that any future trademark registrations will be issued for pending or future applications or that any registered trademarks will be enforceable or provide adequate protection of our proprietary rights. We also license software from third parties for integration into our solutions, including open source software and other software available on commercially reasonable terms. We cannot assure you that such third parties will maintain such software or continue to make it available. We also rely on confidentiality agreements, consulting agreements, work-for-hire agreements, and invention assignment agreements with our employees, consultants, and others.
Despite our efforts to protect our proprietary technology and trade secrets, unauthorized parties may attempt to misappropriate, reverse engineer, or otherwise obtain and use them. In addition, others may independently discover our trade secrets, in which case we would not be able to assert trade secret rights, or develop similar technologies and processes. Further, the contractual provisions that we enter into may not prevent unauthorized use or disclosure of our proprietary technology or intellectual property rights and may not provide an adequate remedy in the event of unauthorized use or disclosure of our proprietary technology or intellectual property rights. Moreover, policing unauthorized use of our technologies, trade secrets, and intellectual property is difficult, expensive, and time-consuming, particularly in foreign countries where the laws may not be as protective of intellectual property rights as those in the U.S. and where mechanisms for enforcement of intellectual property rights may be weak. We may be unable to determine the extent of any unauthorized use or infringement of our solutions, technologies, or intellectual property rights.
We use “open source” software in our solutions, which may restrict how we use or distribute our solutions, require that we release the source code of certain software subject to open source licenses, or subject us to litigation or other actions that could adversely affect our business.
We currently use in our solutions, and may use in the future, software that is licensed under “open source,” “free,” or other similar license, where the licensed software is made available to the general public on an “as-is” basis under the terms of a specific non-negotiable license. Some open source software licenses require that software subject to the license be made available to the public and that any modifications or derivative works based on the open source code be licensed in source code form under the same open source licenses. Our monitoring of our use of open source software may fail to prevent the risk of licensing such software. We cannot assure you that all open source software is reviewed prior to use in our solutions, that our programmers have not incorporated open source software into our solutions, or that they will not do so in the future. We have incorporated and may continue to incorporate AI/ML solutions and features into our solutions, and otherwise within our business, and these solutions and features may become more important to our operations or to our future growth over time.
In addition, our solutions may incorporate third-party software under commercial licenses. We cannot be certain whether such third-party software incorporates open source software without our knowledge. In the past, companies that incorporate open source software into their products have faced claims alleging noncompliance with open source license terms or infringement or misappropriation of proprietary software. Therefore, we could be subject to suits by parties claiming noncompliance with open source licensing terms or infringement or misappropriation of proprietary software. Because few courts have interpreted open source licenses, the manner in which these licenses may be interpreted and enforced is subject to some uncertainty. There is a risk that open source software licenses could be construed in a manner that imposes unanticipated conditions or restrictions on our ability to market or provide our solutions. As a result of using open source software subject to such licenses, we could be required to release proprietary source code, pay damages, re-engineer our solutions, limit or discontinue sales, or take other remedial action, any of which could adversely affect our business.
Assertions by third parties of infringement or other violations by us of their intellectual property rights, whether or not correct, could result in significant costs and adversely affect our business and results of operations.
Intellectual property disputes are common in our industry. We may be subject to claims in the future alleging that we have misappropriated, misused, or infringed other parties’ intellectual property rights. Some companies, including certain of our competitors, own a larger number of patents, copyrights, and trademarks than we do, which they may use to assert claims against us. This disparity may also increase the risk that third parties may sue us for patent infringement and may limit our ability to counterclaim for patent infringement or settle through patent cross-licenses. In addition, future assertions of patent rights by third parties, and any resulting litigation, may involve patent holding companies, non-practicing entities, or other adverse patent owners who have no relevant product revenues and against whom our own patents may provide little or no deterrence or protection. Our solutions utilize third-party licensed software, and any failure to comply with the terms of one or more of these licenses could adversely affect our business. Third parties may also assert claims of intellectual property rights infringement against our customers, whom we are typically required to indemnify. As competition increases, claims of infringement, misappropriation, and other violations of intellectual property rights may increase. Any claim of infringement, misappropriation, or other violation of intellectual property rights by a third party, even those without merit, could cause us to incur substantial costs defending against the claim, could distract our management from our business, and could deter customers or potential customers from purchasing our solutions.
There can be no assurance that we will successfully defend third-party intellectual property claims. An adverse outcome of a dispute may require us to:
pay substantial damages, including treble or statutory damages, if we are found to have willfully infringed a third party’s patents or copyrights, respectively;
cease developing or selling any elements of our solutions that rely on technology that is alleged to infringe or misappropriate the intellectual property of others;
enter into potentially unfavorable royalty or license agreements in order to obtain the right to use necessary technologies or intellectual property rights;
expend additional development resources to attempt to redesign our solutions or otherwise develop non-infringing technology, which may not be successful; and
indemnify our customers and other third parties.
Any license we may enter into as a result of litigation may be non-exclusive, and therefore our competitors may have access to the same technology licensed to us. Any of the foregoing events could adversely affect our business and results of operations.
Our ability to raise capital in a timely manner if needed in the future may be limited, or such capital may be unavailable on acceptable terms, if at all. Our failure to raise capital if needed could adversely affect our business and results of operations, and any debt or equity issued to raise additional capital may reduce the value of our common stock.
We have funded our operations since inception primarily through equity financings, receipts generated from customers, and a revolving credit facility of up to $250.0 million (the “2024 Credit Facility”). As of January 31, 2026, we had $213.5 million outstanding under our 2024 Credit Facility. As of January 31, 2024, we had no amounts outstanding under our Credit Facility. In March 2024, we amended our then-existing revolving credit facility (the “2022 Credit Facility”) and increased our borrowing availability from $50.0 million to $100.0 million and, in October 2024, we terminated our 2022 Credit Facility and obtained the 2024 Credit Facility. We cannot be certain when or if our operations will generate sufficient cash to fund our ongoing operations or the growth of our business. We intend to continue to make investments to support our business and may require additional funds. Additional financing may not be available on favorable terms, if at all. If adequate funds are not available on acceptable terms, we may be unable to invest in future growth opportunities, which could adversely affect our business and results of operations. If we incur debt, including under the 2024 Credit Facility, the lenders would have rights senior to holders of common stock to make claims on our assets, and the terms of any future debt could restrict our operations, and we may be unable to service or repay the debt.
Furthermore, if we issue additional equity securities, stockholders may experience dilution, and the new equity securities could have rights senior to those of our common stock. Because our decision to issue securities in a future offering will depend on numerous considerations, including factors beyond our control, we cannot predict or estimate the impact any future incurrence of debt or issuance of equity securities will have on us. Any future incurrence of debt or issuance of equity securities could adversely affect the value of our common stock.
Our ability to use our net operating loss carryforwards and certain other tax attributes may be limited.
We have incurred substantial net operating losses (“NOLs”) during our history. U.S. federal and certain state NOLs generated in taxable years beginning after December 31, 2017 are not subject to expiration. Federal NOLs generally may not be carried back to prior taxable years. Additionally, for taxable years beginning after December 31, 2017, the deductibility of federal NOLs is limited to 80% of our taxable income in such taxable year. NOLs generated in tax years before 2018 may still be used to offset future taxable income without regard to the 80% limitation, although they have the potential to expire without being utilized if we do not sustain profitability in the future.
In addition, under the rules of Sections 382 and 383 of the Internal Revenue Code of 1986, as amended (the “Code”), if a corporation undergoes an “ownership change,” generally defined as a greater than 50% change (by value) in its equity ownership over a three-year period, the corporation’s ability to use its NOLs and other pre-change tax attributes to offset its post-change taxable income or taxes may be limited. The applicable rules generally operate by focusing on changes in ownership among stockholders considered by the rules as owning, directly or indirectly, 5% or more of the stock of a company, as well as changes in ownership arising from new issuances of stock by the company. The rules of Section 382 are regularly being evaluated to determine any potential limitations. If we experience one or more ownership changes as a result of future transactions in our stock, then we may be limited in our ability to use our NOL carryforwards or pre-change tax attributes to offset our future taxable income, if any.
Amendments to existing tax laws, rules, or regulations, or enactment of new unfavorable tax laws, rules, or regulations could have an adverse effect on our business and operating results.
The rules dealing with U.S. federal, state, and local income taxation are constantly under review by persons involved in the legislative process and by the Internal Revenue Service and the U.S. Treasury Department. Changes to tax laws (which changes may have retroactive application) and new regulations or interpretations could adversely affect us or holders of our common stock. In recent years, many such changes have been made and changes are likely to continue to occur in the future. For example, the United States Inflation Reduction Act, among other changes, introduced a 15% corporate minimum tax on certain United States corporations and a 1% excise tax on certain stock redemptions by certain publicly traded corporations. More recently, in July 2025, the U.S. enacted the One Big Beautiful Bill Act (“OBBBA”), which made significant changes to the Code. Among other provisions, the OBBBA restored the immediate deductibility of domestic research and experimental (“R&E”) expenditures for tax years beginning after December 31, 2024, while retaining the requirement to capitalize and amortize foreign R&E expenditures. The OBBBA also introduced other complex tax provisions, including changes to provisions relating to income from non-U.S. subsidiaries. Although the full impact of the OBBBA will depend on future regulatory guidance and implementation, these changes may materially affect our effective tax rate, deferred tax balances, and cash taxes.
We continue to evaluate the impacts of these and other recent tax law changes on our business. Changes in or interpretations under the OBBBA or other existing or future tax legislation may increase our tax liabilities or compliance costs. Furthermore, future guidance from the IRS and other tax authorities, or judicial decisions interpreting these laws, could materially impact our provision for income taxes. Additionally, if the U.S. or other foreign tax authorities change applicable tax laws or practices, our overall tax liability could increase, and our business, financial condition and results of operations may be adversely impacted.
Risks Relating to Ownership of Our Common Stock
The market price of our common stock may be volatile or may decline steeply or suddenly regardless of our operating performance and we may not be able to meet investor or analyst expectations and you may lose all or part of your investment.
The market price of our common stock may fluctuate or decline significantly in response to numerous factors, many of which are beyond our control, including:
variations between our actual operating results and the expectations of securities analysts, investors, and the financial community;
any forward-looking financial or operating information we may provide to the public or securities analysts, any changes in this information, or our failure to meet expectations based on this information;
actions of securities analysts who initiate or maintain coverage of us, changes in financial estimates by any securities analysts who follow us, or our failure to meet these estimates or the expectations of investors;
additional shares of our common stock being sold into the market by us or our existing stockholders, or the anticipation of such sales;
hedging activities by market participants;
announcements by us or our competitors of significant products or features, technical innovations, acquisitions, strategic partnerships, joint ventures, or capital commitments;
repurchases of our common stock under our stock repurchase programs or the decision to terminate or suspend any repurchases;
changes in operating performance and stock market valuations of companies in our industry, including our competitors;
price and volume fluctuations in the overall stock market, including as a result of trends in the economy as a whole, including inflation and rising interest rates;
lawsuits threatened or filed against us;
developments in new legislation and pending lawsuits or regulatory actions, including interim or final rulings by judicial or regulatory bodies;
volatility in the trading prices and trading volumes of financial technology and other technology stocks; and
other events or factors, political conditions, election cycles, war or incidents of terrorism, or responses to these events.
In addition, extreme price and volume fluctuations in the stock markets have affected and continue to affect many technology companies’ stock prices. Stock prices often fluctuate in ways unrelated or disproportionate to a company’s operating performance. In the past, stockholders have filed securities class action litigation following periods of market volatility. If we were to become involved in securities litigation, it could subject us to substantial costs, divert resources and the attention of management from our business, and seriously harm our business.
Moreover, because of these fluctuations, comparing our operating results on a period-to-period basis may not be meaningful. You should not rely on our past results as an indication of our future performance. This variability and unpredictability could also result in our failing to meet the expectations of industry or financial analysts or investors for any period. If our revenues or operating results fall below the expectations of analysts or investors or below any forecasts we may provide to the market, or if the forecasts we provide to the market are below the expectations of analysts or investors, the price of our common stock could decline substantially. Such a stock price decline could occur even when we have met any previously publicly stated revenue or earnings forecasts that we may provide.
We do not intend to pay dividends for the foreseeable future and, as a result, your ability to achieve a return on your investment will depend on appreciation in the price of our common stock.
We have never declared or paid any cash dividends on our common stock and do not intend to pay any cash dividends in the foreseeable future. We anticipate that we will retain all of our future earnings for use in the development of our business and for general corporate purposes. Any determination to pay dividends in the future will be at the discretion of our board of directors. Accordingly, investors must rely on sales of their common stock after price appreciation, which may never occur, as the only way to realize any future gains on their investments.
Future securities issuances could result in significant dilution to our existing stockholders and impair the market price of our common stock.
Future issuances of shares of our common stock, or the perception that these sales may occur, could depress the market price of our common stock and result in dilution to existing holders of our common stock. Also, to the extent outstanding options to purchase shares of our common stock are exercised or options, restricted stock units, or other stock-based awards are issued or become vested, there will be further dilution. The amount of dilution could be substantial depending upon the size of the issuances or exercises. Furthermore, we may issue additional equity securities that could have rights senior to those of our common stock. As a result, purchasers of our common stock bear the risk that future issuances of debt or equity securities may reduce the value of our common stock and further dilute their ownership interest.
We cannot guarantee that any stock repurchase program will be fully consummated or that it will enhance stockholder value, and stock repurchases could affect the price of our common stock.
In March 2025, our Board of Directors authorized a program under which we were authorized to repurchase up to $100.0 million of our outstanding common stock which we completed in the third quarter of fiscal 2026. In December 2025, our Board of Directors authorized another stock repurchase program of up to $100.0 million of our outstanding common stock (the “December 2025 Stock Repurchase Program”). The Company may make repurchases, from time to time, through open market purchases, block trades, in privately negotiated transactions, accelerated stock repurchase transactions, or by other means. Open market repurchases will be structured to occur in accordance with applicable federal securities laws. The Company may also, from time to time, enter into Rule 10b5-1 plans to facilitate repurchases under this authorization. The volume, price, timing, and manner of any repurchases will be determined at the Company’s discretion, subject to general market conditions, as well as the Company’s management of capital, general business conditions, other investment opportunities, regulatory requirements and other factors. The December 2025 Stock Repurchase Program does not obligate the Company to repurchase any specific amount of common stock, has no time limit, and may be modified, suspended, or discontinued at any time without notice at the discretion of our Board of Directors. The timing, pricing, and size of these repurchases will depend on a number of factors, including the market price of our common stock and general market and economic conditions. The stock repurchase program does not obligate us to repurchase any dollar amount or number of shares, and the program may be suspended or discontinued at any time, which may result in a decrease in the price of our common stock. The stock repurchase program could affect the price of our common stock, increase volatility, and diminish our cash reserves.
Delaware law and provisions in our amended and restated certificate of incorporation and bylaws could make a merger, tender offer, or proxy contest difficult, thereby depressing the trading price of our common stock.
Our amended and restated certificate of incorporation and bylaws contain provisions that could depress the trading price of our common stock by acting to discourage, delay, or prevent a change of control of our company or changes in our management that the stockholders of our company may deem advantageous. These provisions include the following:
permit the board of directors to establish the number of directors and fill any vacancies and newly created directorships;
require super-majority voting to amend some provisions in our amended and restated certificate of incorporation and bylaws;
authorize the issuance of “blank check” preferred stock that our board of directors could use to implement a stockholder rights plan;
prohibit stockholders from calling special meetings of stockholders;
prohibit stockholder action by written consent, which requires all stockholder actions to be taken at a meeting of our stockholders;
provide that the board of directors is expressly authorized to make, alter, or repeal our bylaws;
restrict the forum for certain litigation against us to Delaware; and
establish advance notice requirements for nominations for election to our board of directors or for proposing matters that can be acted upon by stockholders at annual stockholder meetings.
Any provision of our amended and restated certificate of incorporation or bylaws or Delaware law that has the effect of delaying or deterring a change in control could limit the opportunity for our stockholders to receive a premium for their shares of our common stock, and could also affect the price that some investors are willing to pay for our common stock.
Our amended and restated certificate of incorporation designates a state or federal court located within the State of Delaware as the exclusive forum for substantially all disputes between us and our stockholders, which could limit our stockholders’ ability to choose the judicial forum for disputes with us or our directors, officers, or employees.
Our amended and restated certificate of incorporation provides that, unless we consent in writing to the selection of an alternative forum, to the fullest extent permitted by law, the sole and exclusive forum for (1) any derivative action or proceeding brought on our behalf under Delaware law, (2) any action asserting a claim of breach of a fiduciary duty owed by any of our directors, officers or other employees to us or our stockholders, (3) any action arising pursuant to any provision of the Delaware General Corporation Law (“DGCL”), our amended and restated certificate of incorporation or bylaws, (4) any other action asserting a claim that is governed by the internal affairs doctrine, or (5) any other action asserting an “internal corporate claim,” as defined in Section 115 of the DGCL, shall be the Court of Chancery of the State of Delaware (or, if the Court of Chancery does not have jurisdiction, the federal district court for the District of Delaware) in all cases subject to the court having jurisdiction over indispensable parties named as defendants. These exclusive-forum provisions do not apply to claims under the Securities Act or the Exchange Act.
To the extent that any such claims may be based upon federal law claims, Section 27 of the Exchange Act creates exclusive federal jurisdiction over all suits brought to enforce any duty or liability created by the Exchange Act or the rules and regulations thereunder.
Section 22 of the Securities Act creates concurrent jurisdiction for federal and state courts over all suits brought to enforce any duty or liability created by the Securities Act or the rules and regulations thereunder. However, our amended and restated certificate of incorporation contains a federal forum provision which provides that unless the Company consents in writing to the selection of an alternative forum, the federal district courts of the United States of America will be the exclusive forum for the resolution of any complaint asserting a cause of action arising under the Securities Act.
Any person or entity purchasing or otherwise acquiring any interest in any of our securities shall be deemed to have notice of and consented to this provision. This exclusive-forum provision may limit a stockholder’s ability to bring a claim in a judicial forum of its choosing for disputes with us or our directors, officers, or other employees, which may discourage lawsuits against us and our directors, officers, and other employees. If a court were to find the exclusive-forum provision in our amended and restated certificate of incorporation to be inapplicable or unenforceable in an action, we may incur additional costs associated with resolving the dispute in other jurisdictions, which could harm our results of operations.
General Risks
Uncertain, volatile, or weakened economic conditions, including inflation and rising interest rates, tariffs and trade issues, and geopolitical uncertainties, may adversely affect our industry, business, and results of operations.
Our overall performance depends on economic conditions, which may be challenging at various times in the future. Financial developments, monetary and other developments seemingly unrelated to us or our industry may adversely affect us. For example, the higher interest rate environment in the U.S., undertaken as a means to manage inflation, has had an impact on the real estate market in the U.S. and specifically, the demand for mortgage and mortgage-related products and services, which has had a negative impact on our U.S. mortgage business and may continue to adversely impact that business to the extent the higher interest rate environment persists.
Moreover, domestic and international economies have from time to time been impacted by falling demand for a variety of goods and services, tariffs and other trade issues, threatened sovereign defaults and ratings downgrades, restricted credit, threats to major multinational companies, poor liquidity, reduced corporate profitability, volatility in credit, equity and foreign exchange markets, bankruptcies, and overall uncertainty, including uncertainty as a result of geopolitical events such as the conflicts in and around Ukraine, the Middle East and other parts of the world. In particular, recent tariffs and reciprocal trade measures enacted or threatened to be enacted by the U.S. and other countries have led to increased volatility and uncertainty in certain parts of the global economy. We cannot predict the timing, strength, or duration of the current or any future potential economic volatility or slowdown in the U.S. or globally. These conditions affect the rate of technology spending generally and could adversely affect our customers’ ability or willingness to purchase our solutions, delay prospective customers’ purchasing decisions, reduce the value or duration of their subscriptions, or affect renewal rates, any of which could adversely affect our results of operations.
Natural or man-made disasters and other similar events may significantly disrupt our business, and negatively impact our business, financial condition, and results of operations.
A significant portion of our employee base, operating facilities, and infrastructure are centralized in Wilmington, North Carolina. Any of our facilities may be harmed or rendered inoperable by natural or man-made disasters, including hurricanes, tornadoes, wildfires, floods, earthquakes, nuclear disasters, acts of terrorism or other criminal activities, infectious disease outbreaks or pandemic events, power outages, and other infrastructure failures, which may render it difficult or impossible for us to operate our business for some period of time. Our facilities would likely be costly to repair or replace, and any such efforts would likely require substantial time. Any disruptions in our operations could adversely affect our business and results of operations and harm our reputation. Moreover, our disaster recovery plans may prove inadequate. We may not carry sufficient business insurance to compensate for losses that may occur. Any such losses or damages could have a material adverse effect on our business and results of operations. In addition, the facilities of our third-party providers, including Salesforce and AWS, may be harmed or rendered inoperable by such natural or man-made disasters, which may cause disruptions, difficulties, or otherwise materially and adversely affect our business.
If securities or industry analysts either do not publish research about us or publish inaccurate or unfavorable research about us, our business, or our market, or if they change their recommendations regarding our common stock adversely, the trading price or trading volume of our common stock could decline.
The trading market for our common stock is influenced in part by the research and reports that securities or industry analysts may publish about us, our business, our market, or our competitors. If one or more analysts initiate research with an unfavorable rating or downgrade our common stock, provide a more favorable recommendation about our competitors, or publish inaccurate or unfavorable research about our business, our common stock price would likely decline. If any analyst who covers us or may cover us were to cease coverage of us or fail to regularly publish reports on us, we could lose visibility in the financial markets, which in turn could cause the trading price or trading volume of our common stock to decline.
Failure to maintain the adequacy of internal controls over financial reporting may adversely affect investor confidence in our company and, as a result, the value of our common stock.
We are required, pursuant to Section 404 of the Sarbanes-Oxley Act, to furnish a report by management on, among other things, the effectiveness of our internal control over financial reporting. On an annual basis, this assessment includes disclosure of any material weaknesses identified by our management in our internal controls over financial reporting. Our independent registered public accounting firm is required to annually attest to the effectiveness of our internal controls over financial reporting. We are required to disclose significant changes made in our internal controls procedure on a quarterly basis.
Our compliance with Section 404 has required, and will continue to require, that we incur substantial accounting expense and expend significant management efforts.
During the evaluation and testing process of our internal controls, if we identify one or more material weaknesses in our internal controls over financial reporting, we will be unable to assert that our internal controls over financial reporting are effective. We cannot assure you that there will not be material weaknesses or significant deficiencies in our internal controls over financial reporting in the future. Any failure to maintain internal controls over financial reporting could severely inhibit our ability to accurately report our financial condition and operating results. If we are unable to conclude that our internal controls over financial reporting are effective, or if our independent registered public accounting firm determines we have a material weakness or significant deficiency in our internal controls over financial reporting, we could lose investor confidence in the accuracy and completeness of our financial reports, the market price of our common stock could decline, and we could be subject to sanctions or investigations by the SEC or other regulatory authorities. Failure to remedy any material weakness in our internal controls over financial reporting, or to implement or maintain other effective control systems required of public companies, could also restrict our future access to the capital markets.
The terms of our Credit Facility contain restrictive covenants that may limit our operating flexibility.
On October 28, 2024, we entered into a Credit Agreement by and among the Company, nCino OpCo, Inc., certain subsidiaries of the Company as guarantors, the lenders party thereto, and Bank of America, N.A. as administrative agent, pursuant to which we received access to a revolving Credit Facility of up to $250.0 million. As of January 31, 2026, we had $213.5 million outstanding under our 2024 Credit Facility. The 2024 Credit Facility contains affirmative and restrictive covenants that limit our operating ability including to, among other things, dispose of assets, merge with other companies, incur additional indebtedness and liens, engage in new businesses, acquire certain other companies and modify organizational documents. In addition, the 2024 Credit Facility is secured by substantially all of our personal property, and the 2024 Credit Facility requires us to satisfy certain covenants, including maintaining certain total leverage and interest coverage ratios under the 2024 Credit Facility.
As a result of these restrictions, we will be limited as to how we conduct our business and we may be unable to raise additional debt or equity financing to compete effectively or to take advantage of new business opportunities. There is no guarantee that we will be able to meet our covenants or pay the principal and interest on any such debt. Furthermore, there is no guarantee that future working capital, borrowings or equity financing will be available to repay or refinance any such debt. Any inability to make scheduled payments or meet the financial or other covenants in our 2024 Credit Facility would adversely affect our business. Further, at any time, if we violate the terms of the 2024 Credit Facility or otherwise fail to meet our covenants, we may not be able to obtain a waiver from the lenders under satisfactory terms, if at all, which would limit our operating flexibility and/or liquidity and which would have an adverse effect on our business and prospects.
Item 1B. Unresolved Staff Comments
None.
Item 1C. Cybersecurity
Risk Management and Strategy
nCino has implemented a variety of cybersecurity processes, technologies, and controls to aid in our efforts to identify, assess, and manage material risks. Our approach includes (i) nCino’s Enterprise Risk Management Program, as managed by the Internal Audit & Enterprise Risk Management Department and overseen by the Audit Committee of the Board, who provide formal oversight of our cybersecurity risk; (ii) cybersecurity risk and threat assessments; (iii) vulnerability management programs designed to identify hardware and software vulnerabilities; (iv) a variety of tools designed to monitor our networks and systems for suspicious activity; and (v) incident response plans and trainings. The Enterprise Risk Management Program includes a cybersecurity risk management process and a formal Information Security Management System (“ISMS”) as foundational components of the program covering cybersecurity. Within this process, we routinely assess risks that could affect the organization’s ability to meet its business objectives and provide reliable services to our customers.
nCino conducts annual cybersecurity risk and threat assessments which include detailed control analyses for measuring both inherent and residual risk factors. These assessments are performed by nCino Information Security as part of ISO 27001 ISMS requirements, framework and certification. Our annual risk assessment, aligned to ISO 27001 and National Institute of Standards and Technology (“NIST”), is the basis for security risk identification, with additional assessments to address risks that threaten the achievement of established control objectives. Threats to security, confidentiality, and availability are identified and assessed as part of our annual and routine risk assessments and regularly evaluated through internal audits. We supplement internal efforts with independent third-party assessments and annual compliance audits, including SOC 1, SOC 2, and ISO 27001 certifications. The results of these audits are reviewed by management and our Audit Committee, with any identified gaps or recommendations incorporated into our remediation tracking and monitoring process. Additional information on the cybersecurity risks we face is discussed in Part I, Item 1A of this Annual Report on Form 10-K, “Risk Factors.”
Governance
nCino’s Chief Information Security Officer (“CISO”) is responsible for identifying, assessing, and managing material cybersecurity risks. nCino’s CISO brings over 25 years of experience in security and risk management to the Company, reporting to our Information Security Committee, comprised of executive leadership, cybersecurity-focused committees, and to nCino’s Board of Directors. The CISO provides quarterly reports to the Audit Committee and annual briefings to the full Board of Directors.
nCino’s CISO reports cybersecurity risk assessment results at the Enterprise Risk Management Committee, Information Security, and Board and Audit Committee Meetings. nCino uses formal and informal education and training efforts to identify and mitigate cybersecurity risk, which includes external collaboration with peers and industry groups. nCino maintains a documented process for when and by whom senior management is informed of a cybersecurity incident and when such information will be reported to affected parties. To further mitigate the impact of any cybersecurity incidents, we maintain cybersecurity insurance in amounts that we believe are appropriate for our business. These processes are detailed within our Incident Response Plan which is regularly reviewed and updated by the information security team.