Risk Factors - NOW

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

$NOW Risk Factor changes from 00/01/30/23/2023 to 00/01/25/24/2024

ITEM 1A.RISK FACTORSInvesting in our securities involves risks.

You should carefully consider the risks and uncertainties described below, together with the other information in this Annual Report on Form 10-K, before making an investment decision. The occurrence of any of the following risks, or additional risks and uncertainties not presently known to us or that we currently believe to be immaterial, could materially and adversely affect our business, financial condition or results of operations or cause our stock price to decline. The occurrence of any of the following risks or additional risks and uncertainties not presently known to us or that we currently believe to be immaterial could materially and adversely affect our business, financial condition or results of operations. The following risks have been grouped by categories and are not in order of significance or probability of occurrence.Risk Factors SummaryThis summary provides an overview of the risks we face and should not be considered a substitute for the more fulsome risk factors discussed immediately following this summary.Risk Factors SummaryThis summary of risks below is intended to provide an overview of the risks we face and should not be considered a substitute for the more fulsome risk factors discussed immediately following this summary. •Risks Related to Our Ability to Grow Our Business•Laws, regulations and customer expectations regarding the use, storage and movement of data may restrict our ability to continue to optimize our platform and adversely affect our business.•We participate in intensely competitive markets, and if we do not compete effectively, our business and operating results will be harmed.•If we fail to innovate in response to rapidly evolving technological and market developments and customer needs, our competitive position and business prospects may be harmed.•If we are unsuccessful in increasing our penetration of international markets or managing the risks associated with foreign markets, our business and operating results will be adversely affected.•We rely on our network of partners for an increasing portion of our revenues, and if these partners fail to perform, our ability to sell and distribute our products may be impacted, and our operating results and growth rate may be harmed.•Doing business with the public sector and heavily-regulated entities subjects us to risks related to government procurement processes, regulations and contracting requirements.•Doing business with the public sector and heavily-regulated organizations subjects us to risks related to government procurement processes, regulations, and contracting requirements. •If we fail to comply with applicable anti-corruption and anti-bribery laws, export control laws, economic and trade sanctions laws, or other global trade laws, we could be subject to penalties and civil and/or criminal sanctions and our business could be materially adversely affected.•Targeting larger enterprise customers may result in longer and more expensive sales cycles, increased pricing pressure and implementation and configuration challenges.•As we acquire or invest in companies and technologies, we may not realize the expected business or financial benefits and the acquisitions and investments may divert our management’s attention and result in additional shareholder dilution.•Risks Related to the Operation of Our Business•Actual or perceived cybersecurity events experienced by us or our third-party service providers may create the perception that our platform is not secure, and we may lose customers or incur significant liabilities, which would harm our business, financial condition and operating results.•Risks Related to the Operation of Our Business•If we or our third-party service providers experience an actual or perceived cybersecurity event, our platform may be perceived as not being secure, and we may lose customers or incur significant liabilities, which would harm our business and operating results. •If we lose key members of our management team or qualified employees or are unable to attract and retain the employees we need, our costs may increase and our business and operating results may be adversely affected.•If we lose key members of our management team or qualified employees or are unable to attract and retain the employees we need, our costs will increase and our business and operating results will be adversely affected. •Delays in the release of, or actual or perceived defects in, our products may slow the adoption of our latest technologies, reduce our ability to efficiently provide services, decrease customer satisfaction, and adversely impact future product sales.•Disruptions or defects in our services could damage our customers’ businesses, subject us to substantial liability and harm our reputation and financial results.•Delays in improving our information systems and processes could interfere with our ability to support our existing and growing customer and employee base and could adversely impact our business.•Lawsuits by third parties that allege we infringe their intellectual property rights could harm our business and operating results.•Lawsuits against us by third parties that allege we infringe their intellectual property rights could harm our business and operating results. •Our intellectual property protections may not provide us with a competitive advantage, and defending our intellectual property may result in substantial expenses that harm our operating results.•Our use of open-source software could harm our ability to sell our products and services and subject us to possible litigation.•Our use of open source software could harm our ability to sell our products and services and subject us to possible litigation. •Various factors, including our customers’ business, integration, migration, compliance and security requirements, or errors by us, our partners, or our customers, may cause implementations of our products to be delayed, inefficient or otherwise unsuccessful.13Table of Contents•Our failure or perceived failure to achieve our ESG goals or maintain ESG practices that meet evolving stakeholder expectations could adversely affect us.•Natural disasters, including climate change, and other events beyond our control could harm our business.•Risks Related to the Financial Performance or Financial Position of Our Business•Because we generally recognize revenues from our subscription service over the subscription term, a decrease in new subscriptions or renewals may not be immediately reflected in our operating results.•Risks Related to the Operation of Our Business•If we or our third-party service providers experience an actual or perceived cybersecurity event, our platform may be perceived as not being secure, and we may lose customers or incur significant liabilities, which would harm our business and operating results. •As our business grows, we expect our revenue growth rate to decline over the long term.•Changes in our effective tax rate or disallowance of our tax positions may adversely affect our financial position and results.•Our debt service obligations may adversely affect our financial condition.•Our debt service obligations may adversely affect our financial condition and cash flows from operations. •Risks Related to General Economic Conditions•Global economic conditions may harm our industry, business and results of operations.•Foreign currency exchange rate fluctuations could harm our financial results.•Risks Related to Ownership of Our Common Stock•Our stock price is likely to continue to be volatile and could subject us to litigation.•Provisions in our governing documents, Delaware law or 2030 Notes might discourage, delay or prevent a change of control or changes in our management and, therefore, depress our stock price.Risks Related to Our Ability to Grow Our BusinessLaws, regulations and customer expectations regarding the use, storage and movement of data may restrict our ability to continue to optimize our platform and adversely affect our business.Governments have adopted, and likely will continue to adopt, laws and regulations affecting the use, storage and movement of data, including laws related to data privacy and security, the use of machine learning and artificial intelligence (“AI”), and data sovereignty or residency requirements.Governments have adopted, and may likely continue to adopt, laws and regulations affecting the use, storage and movement of data, including laws related to data privacy, the use of machine learning and artificial intelligence (“AI”), and data sovereignty or residency requirements. Changing laws, regulations and standards applying to the collection, storage, use, sharing, portability, transfer or other control or processing of data, including personal data, could affect our ability to efficiently and cost-effectively offer our services and to develop our products and services for maximum utility, as well as our customers’ ability to use data or share data. Changing laws, regulations and standards applying to the collection, storage, use, sharing, transfer or other control or processing of data, including personal data such as employee or marketing data, could affect our ability to efficiently and cost-effectively offer our services, to develop our products and services to maximize their utility, as well as our customers’ ability to use data or share data with service providers. Such changes may restrict our ability to use, store or otherwise process customer data in connection with providing services and could alter or increase our compliance requirements. Such changes may restrict our ability to use, store or otherwise process data of our customers in connection with providing and supporting our services. In some cases, this could impact our ability to offer our services in certain locations or our customers’ ability to deploy our services globally. For example, the EU Data Act is a proposed law with potential significant requirements regarding data portability, interoperability and accessibility and unclear data transfer restrictions, any of which could impact our operations. In addition, although the new Trans-Atlantic Data Privacy Framework (which replaced the prior Privacy Shield) has been approved, which could facilitate the transfer of data between the United States (“U.S.”) and European Union (“EU”), there remains a possibility that this framework could be challenged in court. As we continue to innovate and improve the offerings on our platform by leveraging machine learning and AI, our business model may be affected by global trends and laws that regulate the use of AI and machine learning. As we continue to innovate and improve the offerings on our platform, we leverage machine learning and AI to create more efficient and effective workflows for our customers. Such laws or regulations not only may cause us to modify our data handling practices, which could be costly or burdensome, it also may impact our ability to use certain data for developing our products or impede customers regulated by such laws and regulations to adopt our products. In addition, we may become subject to new or heightened legal, ethical or other challenges arising out of the perceived or actual impact of AI on human rights, intellectual property, privacy, and employment, among other issues, and we may experience brand or reputational harm, legal liability or increased costs associated with those issues.We offer region-specific services, by which customer data is hosted locally and customers may elect to receive support from locally based ServiceNow teams. Setting up and maintaining these region-specific services require significant investment, including to comply with applicable laws and regulations. Actual or perceived non-compliance with those laws and regulations could result in proceedings or investigations against us by regulatory authorities or others, lead to significant fines, damages, orders, litigation or reputational harm and may otherwise adversely impact our business, financial condition and operating results. In addition, actual or perceived non-compliance with those laws and regulations could result in proceedings or investigations against us by regulatory authorities or others, lead to significant fines, damages, orders or reputational harm and may otherwise adversely impact our business, financial condition and operating results. We will also need to continually adapt to customer privacy and security requirements as they change over time. For example, as customers increasingly adopt a hybrid (on-premises and off-premises/hyperscale cloud) approach for their IT workloads, our cloud services may fail to address evolving customer requirements, including data localization. Further, due to heightened concerns relating to privacy and security regulatory matters, our customers may request certain certifications and failure to obtain, or consistently maintain, those certifications may adversely impact our reputation and business.14Table of ContentsWe participate in intensely competitive markets, and if we do not compete effectively, our business and operating results will be harmed.The markets for our enterprise cloud solutions are rapidly evolving and highly competitive, with relatively low barriers to entry. As the market for digital workflow products and offerings matures and new technologies, in-house solutions and competitors enter the market, we increasingly compete with alternative solutions and approaches to solve customer needs or experience customer reluctance or unwillingness to migrate away from their current solutions. As the market for digital workflow products and offerings matures and new technologies, in-house solutions and competitors enter the market, we find ourselves increasingly competing with solutions and alternative approaches to solving customer needs or experiencing reluctance or unwillingness from customers to migrate away from their current solutions. Further, we expect additional competition as we shift our products and services to compete with providers in adjacent markets. Some of our existing competitors and potential competitors are larger and have greater name recognition, the ability to more efficiently scale their business, more established operations and customer relationships, and greater financial and technical resources than we do.Some of our existing competitors and potential competitors are larger and have greater name recognition and scale, longer operating histories, more established customer relationships, larger marketing budgets and greater financial and technical resources than we do. Competitors, regardless of their size, may be able to respond more quickly and effectively to new or changing opportunities, technologies, standards, customer requirements and buying practices. Competitors and new entrants may be able to respond more quickly and effectively to new or changing opportunities, technologies, standards, customer requirements and buying practices. They may introduce new technology, solve similar problems in different ways or more effectively utilize existing technology that reduces demand for our services. They may utilize acquisitions, integrations or consolidations to offer integrated or bundled products, enhanced functionality or other advantages. “Systems of record” operators may attempt to create technology solutions or other mechanisms that would prevent our systems from integrating with theirs. “Systems of record” operators may attempt to create technology solutions that would prevent our systems from integrating with theirs. They may create pricing pressures by reducing the price of competing products, services or subscriptions or bundling their offerings causing our offerings to appear relatively more expensive. In addition, competition from cloud-based vendors may increase as they partner with on-premises hardware providers to deliver their cloud platform as an on-premises or data localized solution. Competition from cloud-based vendors may increase as they partner with on-premises hardware providers to deliver their cloud platform as an on-premises or data localized solution. If we are not able to compete successfully, we could experience reduced sales and margins, losses or failure of our products to achieve or maintain market acceptance, any of which could harm our business.If we fail to innovate in response to rapidly evolving technological and market developments and customer needs, our competitive position and business prospects may be harmed.We compete in markets that continue to evolve rapidly. The pace of innovation will continue to accelerate as customers recognize the advantages of acquiring leading digital technologies and adopting modern cloud-based infrastructure. The pace of innovation will continue to accelerate as customers increasingly evaluate their purchases based on the advantages of digital technologies and their need to shift to modern cloud-based infrastructure. As digital transformation accelerates across a customer’s enterprise, cutting-edge capabilities such as AI, machine learning, hyper automation, low-code/no-code application development, system observability and predictive insights become increasingly relevant to the customer’s evolving needs. Accordingly, to compete effectively, we must: •identify and innovate in the right technologies;•keep pace with rapidly changing technological developments, such as AI, which may disrupt talent needs and the enterprise software marketplace;•accurately predict our customers’ changing digital transformation needs, priorities and adoption practices, including their technology infrastructures and buying and budgetary practices; •invest in and continually optimize our own technology platform so that we continue to meet the very high-performance expectations of our customers; •successfully deliver new, scalable technologies and products to meet customer needs and priorities; •efficiently integrate with technologies within our customers’ digital environments; •expand our offerings into industries and to buyers who are not familiar with our offerings;•profitably and efficiently market and sell products in markets where our sales and marketing teams have less experience; •successfully adapt new pricing models; •effectively secure our platform, data and customers’ data; and •effectively deliver, directly or through our partner ecosystem, the digital transformation process planning, IT systems architecture planning, and product implementation services that our customers require to be successful. Accordingly, to compete effectively, we must: •identify and innovate in the right emerging technologies;•keep pace with rapidly changing technological developments, such as AI, that may disrupt the enterprise software marketplace;•accurately predict our customers’ changing digital transformation needs, priorities and adoption practices, including their technology infrastructures and buying and budgetary practices; •invest in and continually optimize our own technology platform so that we continue to meet the very high-performance expectations of our customers; •successfully deliver new, scalable platform and database technologies and products to meet customer needs and priorities; •efficiently integrate with other technologies within our customers’ digital environments; •expand our offerings into industries and to buyers who are not familiar with our offerings;•profitably market and sell products to companies in markets where our sales and marketing teams have less experience; •successfully adapt new pricing models; 14Table of Contents•effectively secure our platform, data and customers’ data, and •effectively deliver, directly or through our partner ecosystem, the digital transformation process planning, IT systems architecture planning, and product implementation services that our customers require to be successful. Further, in response to evolving customer needs, we may make significant investments in changing how we offer our products or services, such as bundling offerings or shifting to a subscription-based model for support services or how our services are delivered or priced. Further, we may make significant investments in changing the way we offer our products or services, such as bundling offerings and shifting to a subscription-based model for support services, in response to evolving customer needs. If customers are dissatisfied with these changes, our business could be materially adversely impacted.If we are unsuccessful in increasing our penetration of international markets or managing the risks associated with foreign markets, our business and operating results will be adversely affected.Sales outside of North America represented 36% and 35% of our total revenues for the years ended December 31, 2023 and 2022, respectively. The growth of our business and future prospects depend on our ability to increase our sales outside of the U.S. as a percentage of our total revenues. Additionally, operating in international markets requires significant investment and management attention and subjects us to varying regulatory, political and economic risks. Additionally, operating in international markets requires significant investment and management attention and subjects us to different regulatory, political and economic risks from those in the U. We 15Table of Contentshave made, and will continue to make, substantial investments in data centers, geographic-specific service delivery models, advisory councils, cloud computing infrastructure, sales, marketing, partnership arrangements, personnel and facilities in new geographic markets. We have made, and will continue to make, substantial investments in data centers, geographic specific service delivery models, advisory councils, cloud computing infrastructure, sales, marketing, partnership arrangements, personnel and facilities as we enter and expand in new geographic markets. When we make these investments, it is typically unclear when we will see a return on our investment, and we may significantly underestimate the level of investment and time required to be successful. When we make these investments, it is typically unclear whether, and when, sales in the new market will justify our investments. Our rate of acquisition of new large enterprise customers, a factor affecting our growth, has been generally lower in territories where we are less established and where there may be heightened or evolving regulations and operational and IP risks. Our rate of acquisition of new large enterprise customers, a factor affecting our growth, has been generally lower in territories where we are less established and where there may be increased or changing regulations and operational and IP risks, as compared to our more established locations. We have experienced, and may continue to experience, difficulties in new geographic markets, including hiring qualified sales management personnel, penetrating the target market, and managing local operations. We have experienced, and may continue to experience, difficulties in some of our investments in geographic expansion, including hiring qualified sales management personnel, penetrating the target market, and managing foreign operations in such locales. Risks associated with making our products and services available in international markets include, for example:•compliance with multiple, conflicting and changing governmental laws and regulations;•requirements to have local partner(s), local entity ownership limitations or technology transfer or sharing requirements, or to comply with data residency and transfer laws and regulations, privacy and data protection laws and regulations, which may increase operational costs and restrictions;•the possibility that illegal or unethical activities of our local employees or business partners will be attributed to us or cause us harm;•longer and potentially more complex sales and accounts receivable payment cycles and other collection difficulties;•different pricing and distribution environments;•potential changes in international trade policies, tariffs, agreements and practices, including the adoption and expansion of formal or informal trade restrictions or regulatory frameworks that may favor local competitors;•governmental direction, business practices and/or cultural norms that may favor local competitors; •more prevalent cybersecurity and intellectual property risks; and•localization of our services, including translation into foreign languages and associated expenses. Risks inherent with making our products and services available in international markets include, for example:•compliance with multiple, conflicting and changing governmental laws and regulations, including with respect to employment, tax, competition, COVID-19 and ESG matters;•requirements to have local partner(s), local entity ownership limitations or technology transfer or sharing requirements, or to comply with data residency and transfer laws and regulations, privacy and data protection laws and regulations, which may increase operational costs and restrictions;•the risk that illegal or unethical activities of our local employees or business partners will be attributed to or result in liability to us or damage our reputation;•longer and potentially more complex sales and accounts receivable payment cycles and other collection difficulties;•different pricing and distribution environments;•potential changes in international trade policies, tariffs, agreements and practices, including the adoption and expansion of formal or informal trade restrictions or regulatory frameworks favoring local competitors;•local governmental direction, business practices and/or cultural norms that may favor local competitors; •cybersecurity and intellectual property risks that are more prevalent in jurisdictions in which we have historically chosen not to operate; and•localization of our services, including translation into foreign languages and associated expenses. If we are unable to manage these risks, our revenue growth rate, business and operating results will be adversely affected.We rely on our network of partners for an increasing portion of our revenues, and if these partners fail to perform, our ability to sell and distribute our products may be impacted, and our operating results and growth rate may be harmed.An increasing portion of our revenues is generated by sales through our network of partners, including managed service providers and resellers. Increasingly, we and our customers rely on our partners to provide professional services, including custom implementations, and there may be insufficient qualified implementation partners available to meet customer demand. Increasingly, we and our customers also rely on our partners to provide professional services, including custom implementations, and there may not be enough qualified implementation partners available to meet customer demand. While we provide our partners with training and programs, including accreditations and certifications, these programs may not be effective or utilized consistently by partners. In addition, new partners may require extensive training and/or significant time and resources to become productive. In addition, new partners may require extensive training and/or may require significant time and resources to achieve productivity. Changes to our direct go-to-market models may cause friction with our partners. Changes to our direct go-to-market models may cause friction with our partners and may increase the risk in our partner ecosystem. The actions of our partners may subject us to potential liability and reputational harm if, for example, any of our partners misrepresent to our customers the functionality of our platform or products, fail to perform services to our customers’ expectations, or violate laws or our corporate policies. The actions of our partners may subject us to lawsuits, potential liability, and reputational harm if, for example, any of our partners misrepresent the functionality of our platform or products to customers, fail to perform services to our customers’ expectations, or violate laws or our corporate policies. In addition, our partners may use our platform to develop products and services that compete with our products and services, which could raise IP ownership concerns and strain these partnerships. In addition, our partners may utilize our platform to develop products and services that could potentially compete with products and services that we offer currently or in the future. If we fail to effectively manage and grow our network of partners, our ability to sell our products and efficiently provide our services may be impacted, and our operating results and growth rate may be harmed.Doing business with the public sector and heavily-regulated entities subjects us to risks related to government procurement processes, regulations and contracting requirements.Doing business with the public sector and heavily-regulated organizations subjects us to risks related to government procurement processes, regulations, and contracting requirements. We provide products and services to governmental and heavily-regulated entities directly and through our partners.We provide products and services to governments and heavily-regulated organizations directly and through our partners. We have made, and may continue to make, significant investments to support our efforts to sell to those entities. We have made, and may continue to make, significant investments to support future sales opportunities in various government sectors, including to obtain security authorizations and certifications. Processes to obtain authorizations and certifications required for us to provide our products and services to those entities often are lengthy and encounter delays, and we may not be able to satisfy, or maintain compliance with, the associated requirements.A substantial majority of our sales to government entities in the U. A substantial majority of our sales to date to government entities in the U. S. have been made indirectly through our distributors, resellers or service provider partners. Doing business with government entities presents a variety of risks. The procurement process for governments and their agencies is highly competitive and time-consuming, may be subject to political influence and may involve different rules and conditions on the offering or pricing of products and services. We incur significant up-front time and expense without any assurance that we (or a third-party distributor, reseller or service provider) will win a contract. We incur significant up-front time and expense, which subjects us to additional compliance risks and costs, without any assurance that we (or a third-party distributor, reseller or service provider) will win a contract. Beyond this, demand for our products and services may be adversely impacted by public sector budgetary cycles and funding availability that in any given fiscal cycle may be reduced or delayed, including in connection with an extended federal government shutdown, partisan gridlock or changes to government policy. Beyond this, demand for our products and services may be adversely impacted by public sector budgetary cycles and funding availability that in any given fiscal cycle may be reduced or delayed, including in connection with an extended federal government shutdown, partisan gridlock that results in the inability of Congress to take action or changes to government policy. Further, if we or our partners are successful in receiving a contract award, that award could be challenged during a bid protest process. 16Table of ContentsBid protests may result in an increase in expenses related to obtaining contract awards or an unfavorable modification or loss of an award. Bid protests may result in an increase in expenses related to obtaining contract awards or an unfavorable modification or loss of an award. Even if a bid protest were unsuccessful, the delay in the startup and funding of the work under these contracts may cause our actual results to differ materially and adversely from those anticipated. Our customers also include non-U.S. governments, to which government procurement risks similar to those present in U.S. government contracting and regulatory compliance also apply, particularly in certain emerging markets where our customer base is less established. We have seen challenges to successful awards through bid protest procedures in jurisdictions outside the U.S. As our non-U.S. government business grows, we may see an increase in bid protests as part of the standard government procurement legal procedures that exist in many jurisdictions. In addition, compliance with complex regulations and contracting provisions in a variety of jurisdictions can be expensive and consume significant management resources. In certain jurisdictions, our ability to win business may be constrained by political and other factors unrelated to our competitive position in the market. Each of these difficulties could have a material adverse effect on our business and results of operations. Each of these difficulties could materially adversely affect our business and results of operations. In addition, public sector customers may have contractual, statutory or regulatory rights to terminate current contracts with us or our third-party distributors or resellers for convenience or due to a default, though such risk may be assumed by such third-party distributor or reseller. If a contract is terminated for convenience, we may only be able to collect fees for products or services delivered prior to termination and settlement expenses. If a contract is terminated due to a default, we may be liable for excess costs incurred by the customer for procuring alternative products or services or be precluded from doing further business with governmental entities. Further, we are required to comply with a variety of complex laws, regulations, and contractual provisions relating to the formation, administration, or performance of government contracts that give public sector customers substantial rights and remedies, many of which are not typically found in commercial contracts. These may also include rights with respect to price protection, refund and setoff, performance of services in languages other than English, the accuracy of information provided to the government, contractor compliance with supplier diversity policies, constraints on sales practices and other obligations that are particular to government contracts. These may also include rights with respect to price protection, refund and setoff, the accuracy of information provided to the government, contractor compliance with supplier diversity policies, constraints on sales practices and other obligations that are particular to government contracts. These obligations may apply to us and/or our third-party resellers or distributors whose practices we may not control. Such parties’ non-compliance could create contractual and customer satisfaction issues. Such parties’ non-compliance could impose repercussions with respect to contractual and customer satisfaction issues. In addition, governments routinely investigate and audit contractors for compliance with contractual and regulatory requirements. In addition, governments routinely investigate and audit contractors for compliance with these requirements. If it is determined that we have failed to comply with these requirements, we may be subject to civil and criminal penalties and administrative sanctions, including termination of contracts, forfeiture of profits, cost associated with the triggering of price reduction clauses, fines, and suspensions or debarment from future government business, all of which may cause us to suffer reputational harm and adversely affect our business and operating results. If, from an audit, it is determined that we have failed to comply with these requirements, we may be subject to civil and criminal penalties and administrative sanctions, including termination of contracts, forfeiture of profits, cost associated with the triggering of price reduction clauses, fines, and suspensions or debarment from future government business, all of which may cause us to suffer reputational harm. Further, we are increasingly doing business in heavily regulated industries, such as financial services, telecommunication, media and television, and health care. Current and prospective customers in those industries may be required to comply with more stringent regulations to subscribe to and/or implement our services. In addition, regulatory agencies may impose requirements on third-party vendors that we may not meet. In addition, regulatory agencies may impose requirements toward third-party vendors that we may not be able to, or may not choose to, meet. Further, customers in these heavily-regulated industries often have a right to conduct audits of our systems, products and practices. In addition, customers in these heavily-regulated industries often have a right to conduct audits of our systems, products and practices. If one or more customers determine that some aspect of our business does not meet regulatory requirements, our ability to continue or expand our business with those customers may be restricted. If one or more customers determine that some aspect of our business does not meet regulatory requirements, we may be limited in our ability to continue or expand our business. If we fail to comply with applicable anti-corruption and anti-bribery laws, export control laws, economic and trade sanctions laws, or other global trade laws, we could be subject to penalties and civil and/or criminal sanctions and our business could be materially adversely affected.As we continue to expand our business internationally, we will inevitably do more business with large private enterprises and the public sector in countries outside of the U.As we continue to expand our business internationally, we will inevitably do more business with large enterprises and the public sector in countries that are perceived to have heightened levels of public sector corruption. S. Increased business in countries with heightened levels of corruption subjects us and our officers and directors to increased scrutiny and potential liability from our business operations. Increased business in countries perceived to have heightened levels of corruption subjects us and our officers and directors to increased scrutiny and liability from our business operations. We have an established compliance program, but there is a risk that our employees, partners, customers and agents, as well as those companies to which we outsource certain of our business operations, could violate our policies and applicable law, exposing us to additional scrutiny and potential liability. We have implemented and continue to update our compliance program, but there is a risk that our employees, partners and agents, as well as those companies to which we outsource certain of our business operations, could take actions in violation of our policies and applicable law, thereby exposing us to additional scrutiny and liability. We have experienced this in the past and may experience it again in the future. In addition, we are subject to global trade laws that apply to our worldwide operations, including prohibitions or restrictions on conducting business in certain geographies or involving certain counterparties or end-users. In addition, we are subject to global trade laws that apply to our worldwide operations, including prohibitions or restrictions on conducting business in certain countries and territories, with certain entities or individuals, and involving certain end-users. As a result of the Russia-Ukraine conflict, for example, the U. For example, as a result of the Russia-Ukraine conflict, the U. S. and other countries have imposed economic and trade sanctions and export control restrictions against Russia and Belarus. If this conflict continues or if conflict arises in other jurisdictions, the U.S. and other jurisdictions could impose wider economic and trade sanctions as well as export restrictions, which could impact our business opportunities and operations. Any violation of the U.S. Foreign Corrupt Practices Act of 1977, as amended, the UK Bribery Act, other applicable anti-corruption and anti-bribery laws, or applicable export control or economic and trade sanctions laws by our employees or third-party intermediaries could 17Table of Contentssubject us to significant risks such as adverse media coverage and/or severe criminal or civil sanctions, which could materially adversely affect our reputation, business, operating results, and prospects. Foreign Corrupt Practices Act of 1977, as amended (the “FCPA”), the UK Bribery Act, other applicable anti-corruption and anti-bribery laws, or applicable export control or economic and trade sanctions laws by our employees or third-party intermediaries could result in regulatory investigations and whistleblower complaints, which could subject us to significant risks such as adverse media coverage and/or severe criminal or civil sanctions, which could materially adversely affect our reputation, business, operating results, and prospects. Targeting larger enterprise customers may result in longer and more expensive sales cycles, increased pricing pressure and implementation and configuration challenges. As we target more of our sales efforts at larger enterprise customers, we may face heightened costs, longer sales cycles, greater competition and less predictability in our ability to close sales. Larger enterprise customers tend to require considerable time evaluating and testing our platform prior to making a purchasing decision, require multiple levels of review and approval, and demand more configuration, integration services and features, particularly when switching from legacy on-premises solutions. As a result, these sales opportunities may require us to devote significant sales support and professional services to a smaller number of larger transactions, diverting those resources from other sales opportunities. If we fail to effectively manage these risks, our business, financial condition, and results of operations may be negatively affected. As we acquire or invest in companies and technologies, we may not realize the expected business or financial benefits and the acquisitions and investments may divert our management’s attention and result in additional shareholder dilution or costs.•As we acquire or invest in companies and technologies, we may not realize the expected business or financial benefits and the acquisitions and investments may divert our management’s attention and result in additional shareholder dilution. We have acquired and invested in companies and technologies as part of our business strategy and will continue to evaluate and enter into potential strategic transactions, including acquisitions of or investments in businesses, technologies, services, products and other assets, to expand or improve our service offerings and functionality, go-to-market and sales efforts, our operations or our ability to source necessary expertise and provide services in international locations. Although we conduct reasonably extensive due diligence regarding these businesses and assets, our efforts may not reveal every material issue. Although we conduct reasonably extensive due diligence of these businesses, our efforts may not reveal every material issue. Strategic transactions involve numerous risks, including:•difficulties assimilating or integrating the businesses, technologies, products, personnel or operations of the acquired companies; •failing to achieve the expected benefits of the acquisition or investment;•potential loss of employees of the acquired company;•inability to maintain relationships with customers, suppliers and partners of the acquired business;•potential adverse tax consequences;•disruption to our business and diversion of management attention and other resources;•potential financial, credit or regulatory risks associated with acquired customers, suppliers and partners of the acquired business;•dependence on acquired technologies or licenses for which alternatives may not be available to us or which may involve significant cost or complexity; •in the case of foreign acquisitions, the challenges associated with integrating operations across different cultures, languages, and legal regimes and any currency and regulatory risks associated with specific countries; •introducing increased complexity and burden to maintain the technology platform; •introducing vulnerabilities or threats by integrating acquired technologies or businesses;•data security or privacy risks, compliance requirements, or integration costs from the acquired technology or company;•impairment of our investments or the possibility our investees will be unable to obtain future funding on favorable terms or at all; and •potential unknown liabilities or disputes associated with the acquired businesses. Strategic transactions involve numerous risks, including:•difficulties assimilating or integrating the businesses, technologies, products, personnel or operations of the acquired companies; •failing to achieve the expected benefits of the acquisition or investment;•potential loss of key employees of the acquired company;•inability to maintain relationships with customers and partners of the acquired business;•potential adverse tax consequences;•disruption to our business and diversion of management attention and other resources;•potential financial and credit risks associated with acquired customers;•dependence on acquired technologies or licenses for which alternatives may not be available to us without significant cost or complexity; •in the case of foreign acquisitions, the challenges associated with integrating operations across different cultures and languages and any currency and regulatory risks associated with specific countries; •introducing increased complexity and burden to maintain the technology platform or introducing vulnerabilities or threats by integrating acquired technologies;•increased data security or privacy compliance requirements from integrating the acquired technology or company;•impairment to our investments if our investees are unable to obtain future funding on favorable terms or at all; and •potential unknown liabilities associated with the acquired businesses. In addition, the amount or form of consideration we pay for acquisitions could adversely affect our financial condition or stock price. For example, if we finance an acquisition by issuing equity or convertible debt securities or loans, our existing shareholders may be diluted, or we could face constraints related to the terms of those securities or indebtedness. The occurrence of any of these risks could harm our business, operating results and financial condition.Risks Related to the Operation of Our BusinessActual or perceived cybersecurity events experienced by us or our third-party service providers may create the perception that our platform is not secure, and we may lose customers or incur significant liabilities, which would harm our business, financial condition and operating results.•Risks Related to the Operation of Our Business•If we or our third-party service providers experience an actual or perceived cybersecurity event, our platform may be perceived as not being secure, and we may lose customers or incur significant liabilities, which would harm our business and operating results. In the ordinary course of our business, we store, transmit, generate, and process our and our customers’ confidential, proprietary and sensitive data. As our business expands across the globe, the number of employees, contractors, vendors and other third parties remotely accessing our systems continues to grow. Our growing business operations increase our exposure to cyberattacks by a range of actors, who have used and will continue to use assorted tactics, techniques, and 18Table of Contentsprocedures, including malicious code, ransomware, social engineering, business email compromises, supply chain attacks, denial of service attacks and similar internet-enabled, fraudulent activity. Further, during times of war and other major conflicts, we and our third-party providers may be vulnerable to a heightened risk of geopolitically motivated attacks, including cyberattacks, that could materially disrupt our systems and operations, supply chain and ability to provide our services. The cybersecurity threats are not limited to actors operating in the systems we control directly. Our increasing reliance on third-party providers and public cloud infrastructure introduces new cybersecurity risks to our business operations. We rely on third-party service providers and technologies to operate business systems in a variety of contexts, and supply chain attacks have increased in frequency and severity. While we have a vendor security review process, we cannot guarantee that our third-party service providers or our supply chain infrastructure have not been compromised or that they do not contain exploitable defects or bugs that could result in a breach of or disruption to our platform, systems and network or the systems and networks of third parties that support us and our business. Our ability to monitor the data security measures of our third-party providers is limited, and we necessarily depend in part on our providers to have in place and maintain adequate security measures to protect against unauthorized access, cyberattacks and the mishandling of data. Further, employee error or malfeasance in configuring, maintaining and using these services could impact our ability to monitor and secure them effectively. While we have identified vulnerabilities in our products and services in the past and will continue to do so in the future, we cannot be certain that we will be able to identify all vulnerabilities or address the vulnerabilities of which we become aware. Further, there have been delays and may continue to be delays in developing patches that can be effectively deployed to address vulnerabilities. Third parties have, in the past, actively searched for and exploited actual and potential vulnerabilities in our software and will do so in the future. Moreover, the incorporation of third-party or open-source software code into our or our customers’ systems increases the risk of exploitation of vulnerabilities, such as the vulnerability in the Java logging library known as “log4j” that affected our industry. We also have inherited and may in the future inherit additional security risks from acquiring or partnering with other companies.In most instances, our customers are responsible for administering access to the data held in their particular instance for their employees and service providers.Further, in most instances, our customers administer access to the data held in their particular instance for their employees and service providers. While our software is delivered with certain preset configurations, we understand that our customers require flexibility to configure the Now Platform to their specific business needs. We work closely with our customers to help them evaluate their security configurations, including providing guidance to align configuration settings with their business needs. Yet, in configuring our platform, both our employees and customers have made errors in the past and may do so again in the future. We are aware that, on occasion, our customers and ServiceNow have configured certain settings on our platform, or retained preset configurations, in a manner not aligned with their preferred security levels, which can result in, and has resulted in, information being made more widely accessible than intended. Such misconfigurations can be, and have been, identified publicly, increasing the risk of data being exposed unintentionally. While we have security measures and a data governance framework in place designed to protect our and our customers’ information and prevent data loss, these measures may not be effective at preventing material breaches caused by intentional or unintentional actions or inactions by employees, contractors or third parties. Third parties have attempted to fraudulently induce employees, contractors, or users to disclose information or to gain access to our or our customers’ data, and we have been the target of increasingly sophisticated email and text message scams that attempt to acquire personal information or company assets. Techniques used to sabotage or to obtain unauthorized access to systems are constantly evolving and may go undetected until a successful attack occurs. Moreover, we have experienced security incidents, which may reoccur in the future, that resulted in unauthorized access to, loss, or inadvertent disclosure of confidential, proprietary and sensitive information. We have observed attempts by third parties to induce or deceive our employees, contractors or users to fraudulently obtain access to our or our customers’ data or assets. Further, our employees have fallen victim to phishing attacks in the past and may again in the future. Our employees have fallen victim to phishing attacks in the past and may again in the future. An actual or perceived security breach can have a material effect on ServiceNow’s operations, finances and reputation. The adverse consequences can include accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to data; disruptions to our services; diversion of funds; litigation; indemnification and other contractual obligations; regulatory investigations; government fines and penalties; reputational damage; negative publicity; loss of sales, customers, and partners; mitigation and remediation expenses; and other material costs and liabilities. A security breach suffered by us or our third-party service providers, an attack against our service availability or unauthorized access or loss of data could result in a disruption to our service, litigation, service level agreement claims, indemnification and other contractual obligations, regulatory investigations, government fines and penalties, reputational damage, loss of sales and customers, mitigation and remediation expenses and other significant costs and liabilities. In addition, the assessment and response to security incidents, as well as implementation of appropriate safeguards to protect against future incidents, can lead to material economic and operational consequences. In addition, we may incur significant economic and operational consequences in order to appropriately assess and respond to security incidents and to implement appropriate safeguards to protect against future incidents. These consequences can result regardless of whether the incident is suffered by us, affects our third-party service providers or stems from customers action or inaction. Moreover, even if a breach is unrelated to our security programs or practices, it could still cause us reputational harm and require us to undertake significant efforts to assess and respond to the breach, including further protecting our customers from their own vulnerabilities. There can be no assurance that any limitations of liability provisions in our subscription agreements, terms of use or other agreements would be enforceable or adequate or would otherwise protect us from any such liabilities or damages with respect to any particular claim. In addition, while we maintain insurance coverage, we cannot be certain that such coverage will continue to be available on acceptable terms or 19Table of Contentsin sufficient amounts to cover potential losses from a security incident or that an insurer will not deny coverage as to any future claim. We also cannot be certain that insurance coverage will continue to be available on acceptable terms or in sufficient amounts to cover the potentially significant losses that may result from a security incident or an insurer will not deny coverage as to any future claim. If we lose key members of our management team or qualified employees or are unable to attract and retain the employees we need, our costs may increase and our business and operating results may be adversely affected.If we lose key members of our management team or qualified employees or are unable to attract and retain the employees we need, our costs will increase and our business and operating results will be adversely affected. There is increasingly intense competition for talent in the technology industry.Competition for talent in the technology industry has become increasingly intense. Our success depends substantially upon the continued services of our management team, particularly our chief executive officer, chief operating officer and the other members of our executive staff. Our success depends substantially upon the continued services of our management team, particularly of our chief executive officer, chief operating officer and the other members of our executive staff. From time to time in the ordinary course of business, there have been and may continue to be changes in our management team. While we seek to manage these transitions carefully, such changes may result in a loss of institutional knowledge and negatively affect our business. While we seek to manage these transitions carefully, such changes may result in a loss of institutional knowledge, cause disruptions to our business and negatively affect our business. In the highly competitive technology industry, we face ongoing challenges in attracting and retaining top talent across various roles, such as product development and engineering (particularly with AI and machine learning backgrounds), sales, operations and cybersecurity. These key individual contributors are critical to our success and can command very significant compensation in the market. Our ability to achieve significant revenue growth may depend on our success in recruiting, training and retaining sufficient qualified personnel to support our growth. We have faced and may continue to face difficulties attracting, hiring and retaining highly-skilled, qualified personnel and may not be able to fill positions in desired geographic areas or at all. Further, as we continue to grow and expand our workforce globally, we may face operational and workplace culture challenges that could negatively impact our ability to maintain the effectiveness of our business execution and the beneficial aspects of our corporate culture. While our work model, where a substantial portion of our employees work partially or fully remote, increased our access to talent, we may not be able to take advantage of a broader talent pool if our competitors offer the same work model or if we continue to lean heavily on our primary operating locations for talent. While our hybrid work model, where some employees work remote for part of the week and some employees are fully remote, increased our access to talent, we may not be able to take advantage of a broader talent pool if our competitors offer the same work model or if we continue to lean heavily on our primary operating locations for talent. We are continually evaluating and, as appropriate, enhancing the attractiveness of our compensation packages. As a result, we have experienced and may continue to experience increased costs that may not be offset by either improved productivity or higher sales, potentially resulting in a reduction in our profitability. In addition, we grant equity awards to our employees and sustained declines in our stock price or lower stock price performance relative to our competitors reduces the retention value of such awards, which can impact the competitiveness of our compensation. Many of our employees, including all of our executive officers, are employed “at-will” and may terminate their employment with us at any time. If we fail to attract qualified, new personnel or fail to retain and motivate our current personnel, our business and future growth prospects could be adversely affected.Delays in the release of, or actual or perceived defects in, our products may slow the adoption of our latest technologies, reduce our ability to efficiently provide services, decrease customer satisfaction, and adversely impact future product sales.We must successfully continue to release new products and updates to existing products. The success of any release depends on a number of factors, including our ability to manage the risks associated with actual or perceived quality or other defects or deficiencies, delays in the timing of releases or the adoption of releases by customers, and other complications that may arise during the early stages of introducing our products. If releases are delayed or if customers perceive that our releases contain bugs or other defects or are difficult to implement, customer adoption of our new products or updates may be adversely impacted, customer satisfaction may decrease, our ability to efficiently provide our services may be reduced, and our growth prospects may be harmed.Disruptions or defects in our services could damage our customers’ businesses, subject us to substantial liability and harm our reputation and financial results.Our business depends on our platform to be available without disruption. From time to time, we experience defects, disruptions, outages and other performance and quality problems with our platform. New defects may be detected in the future and may arise from our increasing use of the public cloud. For example, we provide regular updates to our services, which can contain undetected defects. For example, we provide regular updates to our services, which can contain undetected defects when first released. Defects may also be introduced by our use of third-party software, including open-source software. Disruptions may result from errors we make in developing, delivering, configuring or hosting our services, or designing, installing, expanding or maintaining our cloud infrastructure. Disruptions in service can also result from incidents that are outside of our control, including denial of service or ransomware attacks. We currently serve our customers primarily using equipment managed by us and co-located in third-party data centers operated by several different providers located around the world, and we serve certain of our customers that are primarily in highly regulated markets, using data center facilities operated by public cloud service providers. These data centers are vulnerable to damage or interruption from earthquakes, hurricanes, floods, fires, energy grid constraints resulting in power loss and similar events. They may also be subject to break-ins, sabotage, intentional acts of vandalism and similar misconduct, equipment failure and adverse events caused by operator error or negligence. In addition, an increased use of the public cloud increases our vulnerability to cyberattacks. Despite precautions taken at these centers, problems at these centers have occurred, resulting 20Table of Contentsin interruptions in our services. Despite precautions taken at these centers, problems at these centers have occurred, resulting in interruptions in our services. Such problems could occur again and result in similar or lengthier service interruptions and the loss of customer data. In addition, our customers may use our services in ways that cause disruptions in service for other customers. In addition to data center providers, we also have a large ecosystem of vendors and service providers that we use for our products. In addition to data center providers, we also have a large ecosystem of service providers that we use to deliver our products. If there is a compromise to data, supply chain issue or other incident with our critical service providers, it may impact our ability to provide our services and reduce our productivity. If there is a compromise to data or other incident with our critical service providers, it may impact our ability to provide our services and reduce our productivity. Our customers use our services to manage important aspects of their businesses, and our reputation and business will be adversely affected if our customers and potential customers believe our services are unreliable. Disruptions or defects in our services may reduce our revenues, cause us to issue credits or pay penalties, subject us to claims and litigation, cause our customers to delay payment or terminate or fail to renew their subscriptions, and adversely affect our ability to attract new customers. Similarly, customers may have unique requirements for system resiliency and performance depending on their business models and customers in highly regulated markets may have more demanding requirements that we may not be able to, or may not choose to, meet. The occurrence of payment delays, service credit, warranty or termination for material breach or other claims against us could result in an increase in our bad debt expense, an increase in collection cycles, an increase to our service level credit accruals, other increased expenses or risks of litigation. We may not have insurance sufficient to compensate us for potentially significant losses that may result from claims arising from disruptions to our services.Delays in improving our information systems and processes could interfere with our ability to support our existing and growing customer and employee base and could adversely impact our business.We rely on our information systems and those of third parties to operate and scale our business. We have made and continue to make investments to improve our information system infrastructure to support the needs of our growing customer and employee base, increase productivity, develop and enhance our services, expand into new geographic areas, and scale with our overall growth. Such improvements are often complex, costly, and time consuming. If implementation of such improvements are delayed, or if we encounter unforeseen problems with our new systems and processes or in migrating away from our existing systems and processes, our operations and our ability to manage our business could be negatively impacted as we may experience disruptions in our business operations, loss of customers, loss of revenue, or damage to our reputation, all of which could harm our business plan to successfully scale our operations and increase productivity.Lawsuits by third parties that allege we infringe their intellectual property rights could harm our business and operating results.Lawsuits against us by third parties that allege we infringe their intellectual property rights could harm our business and operating results. There is considerable patent and other IP development activity and claims and related litigation regarding patent and IP rights in our industry. Our competitors, other third parties, including practicing entities and non-practicing entities, own large numbers of patents, copyrights, trademarks and trade secrets, which they may use and have used to assert claims of infringement, misappropriation or other violations of IP rights against us. Moreover, the patent portfolios of many of our competitors and other third parties are larger than ours. This disparity may increase the risk that our competitors or other third parties may sue us for patent infringement and may limit our ability to counterclaim for patent infringement or settle through patent cross-licenses. We have recorded material charges for legal settlements of such claims in the past. In any IP litigation, regardless of the scope or merit, we may incur substantial costs and attorney’s fees and, if the claims are successfully asserted against us and we are found to be infringing upon, misappropriating or otherwise violating the IP rights of others, we could be required to pay substantial damages and/or make substantial ongoing royalty payments; comply with an injunction and cease offering or modify our products and services; comply with other unfavorable terms, including settlement terms; and indemnify our customers and business partners, obtain costly licenses on their behalf, and/or refund fees or other payments previously paid to us. Further, upon expiration of the term of any agreements that allow us to use third-party IP, we may be unable to renew such agreements on favorable terms, if at all, in which case we may face IP litigation. In addition, our subscription agreements generally require us to defend our customers against claims that our technology infringes the intellectual property rights of third parties. The mere existence of any lawsuit, or any interim or final outcomes, and the public statements related to it (or absence of such statements) by the press, analysts and litigants could be unsettling to our customers and prospective customers. This could adversely impact our customer satisfaction and related renewal rates, cause us to lose potential sales, and could also be unsettling to investors or prospective investors and cause a substantial decline in our stock price. Any claim or litigation against us could be costly, time-consuming and divert the attention of management and key personnel from our business operations and harm our financial condition and operating results.Our intellectual property protections may not provide us with a competitive advantage, and defending our intellectual property may result in substantial expenses that harm our operating results.Our success depends to a significant degree on our ability to protect our proprietary technology and our brand under patent, copyright, trademark, trade secret and other IP protections in the U.S. and other jurisdictions. The IP protection we have for our technology may not provide sufficient protection, and any IP acquired in the future may not provide 21Table of Contentscompetitive advantages or other value. In addition, our IP may be contested, circumvented, found unenforceable or invalidated, and we may not be able to prevent third parties from infringing upon them. Further, legal standards relating to the validity, enforceability and scope of protection of IP rights vary. Despite our efforts to protect our proprietary rights, unauthorized parties may attempt to copy or obtain and use, or may have copied or obtained and used, our technology to develop products and services that provide features and functionality similar to ours. Policing unauthorized use of our IP and technology is difficult. Our competitors could also independently develop services equivalent to ours, and our IP rights may not be broad enough for us to prevent competitors from utilizing their developments to compete with us. Reverse engineering, unauthorized copying or other misappropriation of our proprietary technology could enable third parties to benefit from our technology without paying us for it, which would significantly harm our business. Our IP rights may be challenged by others or invalidated through administrative proceedings or litigation. Effective patent, trademark, copyright and trade secret protection may not be available in every country in which we offer services. The laws of some foreign countries may not offer effective protection for, or be as protective of, IP rights as those in the U.S., and mechanisms for enforcement of IP rights or available remedies may be inadequate, ineffective or scarce. Additionally, the IP ownership and license rights of new technologies such as AI have not been fully addressed by U.S. courts interpreting current and new laws or regulations, and the use or adoption of such technologies in our products and services may expose us to potential intellectual property claims; breach of a data license, software license, or website terms of service allegations; claimed violations of privacy rights; and other tort claims. These conditions can arise suddenly and affect the rate of digital transformation spending and could adversely affect our customers’ or prospective customers’ ability or willingness to purchase our services, delay purchasing decisions, reduce the value or duration of their subscriptions, or affect renewal rates, all of which could harm our operating results. If such laws or regulations require increased transparency, it may impair protection of our trade secrets or other IP. We may be required to spend significant resources to monitor and protect our IP rights. We have initiated and, in the future, may initiate claims or litigation against third parties for infringement or misappropriation of our proprietary rights or to establish the validity of our proprietary rights. Any litigation, whether or not resolved in our favor, could result in significant expense to us, divert the efforts of our technical and management personnel and may result in counterclaims with respect to infringement or misappropriation of IP rights by us. If we are unable to prevent third parties from infringing upon or misappropriating our IP rights or are required to incur substantial expenses defending our IP rights, our business and operating results may be adversely affected. Our use of open-source software could harm our ability to sell our products and services and subject us to possible litigation.Our products incorporate software licensed to us by third-party authors under open-source licenses, and we expect to continue to incorporate open-source software into our products and services in the future.Our products incorporate software licensed to us by third-party authors under open source licenses, and we expect to continue to incorporate open source software into our products and services in the future. We monitor our use of open-source software in an effort to avoid subjecting our products and services to adverse licensing conditions. We monitor our use of open source software in an effort to avoid subjecting our products and services to adverse licensing conditions. However, there can be no assurance that our efforts have been or will be successful. There is little or no legal precedent governing the interpretation of the terms of open-source licenses, and therefore the potential impact of these terms on our business is uncertain and enforcement of these terms may result in unanticipated obligations regarding our products and services. There is little or no legal precedent governing the interpretation of the terms of open source licenses, and therefore the potential impact of these terms on our business is uncertain and enforcement of these terms may result in unanticipated obligations regarding our products and services. For example, depending on which open-source license governs certain open-source software included within our products and services, we may be subjected to conditions requiring us to offer our products and services to users at no cost; make available the source code for modifications and derivative works based upon, incorporating or using such open-source software; and license such modifications or derivative works under the terms of the particular open-source license. For example, depending on which open source license governs certain open source software included within our products and services, we may be subjected to conditions requiring us to offer our products and services to users at no cost; make available the source code for modifications and derivative works based upon, incorporating or using such open source software; and license such modifications or derivative works under the terms of the particular open source license. Moreover, if an author or other third party that distributes such open-source software were to allege that we had not complied with the conditions of one or more of these licenses, we could be required to incur significant legal costs defending ourselves against such allegations, be subject to significant damages or be enjoined from distributing our products and services. Moreover, if an author or other third party that distributes such open source software were to allege that we had not complied with the conditions of one or more of these licenses, we could be required to incur significant legal costs defending ourselves against such allegations, be subject to significant damages or be enjoined from distributing our products and services. Various factors, including our customers’ business, integration, migration, compliance and security requirements, or errors by us, our partners, or our customers, may cause implementations of our products to be delayed, inefficient or otherwise unsuccessful.Our business depends upon the successful implementation of our products by our customers either through us or our partners. Further, our customers’ business, integration, migration, compliance and security requirements, or errors by us, our partners, or our customers, or other factors may cause implementations to be delayed, inefficient or otherwise unsuccessful. As a result of these and other risks, we or our customers may incur significant implementation costs in connection with the purchase, implementation and enablement of our products. Some customer implementations may take longer than planned, delay our ability to sell additional products or fail to meet our customers’ expectations, resulting in customers canceling or failing to renew their subscriptions before our products have been fully implemented. Some customers may lack the internal resources to manage a digital transformation such as our offering and, as a consequence, may be unable to see the benefits of our products. Unsuccessful, lengthy, or costly implementations and integrations could 22Table of Contentsresult in claims from customers, reputational harm, and opportunities for competitors to displace our products, each of which could have an adverse effect on our business and operating results. Unsuccessful, lengthy, or costly implementations and integrations could result in claims from customers, reputational harm, and opportunities for competitors to displace our products, each of which could have an adverse effect on our business and operating results. Our failure or perceived failure to achieve our ESG goals or maintain ESG practices that meet evolving stakeholder expectations could adversely affect us.We have published environmental, social, and governance (“ESG”) initiatives, goals and commitments. Our ability to achieve our objectives is subject to numerous factors both within and outside of our control. Our failure or perceived failure to achieve some or all of our ESG goals or maintain ESG practices that meet evolving stakeholder expectations or regulatory requirements could harm our reputation, adversely impact our ability to attract and retain employees or customers and expose us to increased scrutiny from the investment community, regulatory authorities and others or subject us to liability. Our reputation also may be harmed by the perceptions that our customers, employees and other stakeholders have about our action or inaction on ESG issues. Damage to our reputation and loss of brand equity may reduce demand for our products and services and thus have an adverse effect on our future financial results or stock price.Natural disasters, including climate change, and other events beyond our control could harm our business.Natural disasters or other catastrophic events may damage or disrupt our operations, international commerce and the global economy, and thus could have a negative effect on our business.Natural disasters or other catastrophic events may cause damage or disruption to our operations, international commerce and the global economy, and thus could have a negative effect on us. Our business operations are subject to interruption by natural disasters, flooding, fire, extreme heat, power shortages, pandemics such as COVID-19, terrorism, political unrest, telecommunications failure, vandalism, cyberattacks, geopolitical instability, war, the effects of climate change and other events beyond our control. While we maintain crisis management and disaster response plans, such planning may not account for all possible events and the occurrence of such events could make it difficult or impossible for us to deliver our services to our customers, could decrease demand for our services, and could cause us to incur substantial expense. Our insurance may not be sufficient to cover losses or additional expenses we may sustain. Although we have backup systems in place, in the event of major natural disasters or catastrophic events, customer data could be lost, and resumption of operations could require significant time.We may be subject to increased costs, regulations, reporting requirements, standards or expectations regarding climate change-driven impacts on our business. We may be subject to increased costs, regulations, reporting requirements, standards or expectations regarding the environmental impacts of our business. While we seek to mitigate our business risks associated with climate change by establishing robust environmental programs as part of our ESG strategy and partnering with organizations that are focused on mitigating their own climate-related risks, certain of those risks are inherent wherever business is conducted. While we seek to mitigate our business risks associated with climate change by establishing robust environmental programs as part of our ESG strategy and partnering with organizations who are focused on mitigating their own climate-related risks, certain of those risks are inherent wherever business is conducted. Any of our primary locations may be vulnerable to the adverse effects of climate change. For example, our California headquarters have experienced, and may continue to experience, climate-related events at an increasing frequency and severity, including drought, water scarcity, heat waves, wildfires and air quality impacts and power shutoffs associated with wildfires. Changing market dynamics, global policy developments and increasing frequency and impact of extreme weather events on critical infrastructure in the U.S. and elsewhere have the potential to disrupt our business, the business of our customers and third-party suppliers and may cause us to experience higher attrition, losses and additional costs to maintain or resume operations.Risks Related to the Financial Performance or Financial Position of Our Business Because we generally recognize revenues from our subscription service over the subscription term, a decrease in new subscriptions or renewals may not be immediately reflected in our operating results.•Risks Related to the Operation of Our Business•If we or our third-party service providers experience an actual or perceived cybersecurity event, our platform may be perceived as not being secure, and we may lose customers or incur significant liabilities, which would harm our business and operating results. We generally recognize revenues from customers ratably over the terms of their subscriptions. Net new annual contract value from new subscriptions and expansion contracts entered into during a period can generally be expected to generate revenues for the duration of the subscription term. As a result, a significant portion of the revenues we report in each period are derived from the recognition of deferred revenues relating to subscriptions entered into during previous periods. As a result, a significant portion of the revenues we report in each period are 23Table of Contentsderived from the recognition of deferred revenues relating to subscriptions entered into during previous periods. Consequently, a decrease in new or renewed subscriptions, expansion contracts in any single reporting period will have a limited impact on our revenues for that period, but they will negatively affect our operating results in future periods.A decline in new subscriptions, expansion contracts, renewals or sales and market acceptance of our services, in a given period may not be fully reflected in our operating results for that period, but they will negatively affect our operating results in future periods. Our subscription model also makes it difficult for us to rapidly increase our revenues through additional sales in any period, as revenues from new customers are generally recognized over the applicable subscription term. Also, our ability to adjust our cost structure in the event of a decrease in new or renewed subscriptions may be limited.As our business grows, we expect our revenue growth rate to decline over the long term.You should not rely on our prior revenue growth as an indication of our future revenue growth. While we have experienced significant revenue growth in prior periods, we expect it to decline over the long term due to increasing competition, a decrease in the growth rate of our overall market or other reasons. While we have experienced significant revenue growth in prior periods, our revenue growth rate has declined more recently, and we expect it to decline over the long term due to increasing competition, a decrease in the growth rate of our overall market or other reasons. We also expect our costs to increase in 23Table of Contentsfuture periods as we continue to invest in our strategic priorities, which may not result in increased revenues or growth in our business. We also expect our costs to increase in future periods as we continue to invest in our strategic priorities, which may not result in increased revenues or growth in our business. Changes in our effective tax rate or disallowance of our tax positions may adversely affect our financial position and results.We are subject to income taxes in the U.S. and various foreign jurisdictions. We believe that our provision for income taxes is reasonable, but the ultimate tax outcome may differ from the amounts recorded in our consolidated financial statements and may materially affect our financial results in the period or periods in which such outcome is determined. Our effective tax rate could be adversely affected by changes in statutory tax rates, changes in the mix of earnings and losses in countries with differing statutory tax rates, certain non-deductible expenses, the valuation of deferred tax assets and liabilities and the effects of acquisitions. Our effective tax rate could be adversely affected by changes in the mix of earnings and losses in countries with differing statutory tax rates, certain non-deductible expenses, the valuation of deferred tax assets and liabilities and the effects of acquisitions. Increases in our effective tax rate would reduce our profitability or in some cases increase our losses.Additionally, our future effective tax rate could be impacted by changes in accounting principles or changes in federal, state or international tax laws or tax rulings. The U.S. Department of Treasury has broad authority to issue regulations and interpretative guidance that may significantly impact how we will comply with the law, which could affect our results of operations in the period issued. Many countries are actively considering or have proposed or enacted changes to their tax laws based on the model rules adopted by The Organization for Economic Cooperation and Development defining a 15% global minimum tax (commonly referred to as Pillar 2) that could increase our tax obligations in countries where we do business or cause us to change the way we operate our business. Global tax developments applicable to multinational businesses and increased scrutiny under tax examinations could have a material impact on our business and negatively affect our financial results. Recent global tax developments applicable to multinational businesses and increased scrutiny under tax examinations could have a material impact on our business and negatively affect our financial results. Any changes in federal, state or international tax laws or tax rulings may increase our worldwide effective tax rate and harm our financial position and results of operations.In addition, we may be subject to income tax audits by tax jurisdictions throughout the world, many of which have not established clear guidance on the tax treatment of cloud computing companies. Although we believe our income tax liabilities are reasonably estimated and accounted for in accordance with applicable laws and principles, an adverse resolution of one or more uncertain tax positions in any period could have a material impact on our results of operations for that period. Further, many of our most important intangible assets are held outside the U.S. and are subject to inter-company agreements regarding the development and distribution of those assets to other jurisdictions with potential challenge under permanent establishment or transfer pricing principles. While we believe that our position is appropriate and well founded, if our position were successfully challenged by taxing authorities in other jurisdictions, we may become subject to significant tax liabilities, which could harm our financial position and financial results.Our debt service obligations may adversely affect our financial condition.Our debt service obligations may adversely affect our financial condition and cash flows from operations. Our ability to make payments on, repay or refinance the 2030 Notes in the future will depend on our future performance which is subject to a variety of risks and uncertainties, many of which are beyond our control. Our ability to make payments on, repay or refinance the 2030 Notes in the future will depend on our future performance which is subject to a variety of risks and uncertainties, many of which are beyond our control. If we decide to refinance the 2030 Notes, we may be required to do so on different or less favorable terms or we may be unable to refinance the 2030 Notes at all, both of which may adversely affect our financial condition. Maintenance of our indebtedness, contractual restrictions, and additional issuances of indebtedness could:•cause us to dedicate a substantial portion of our cash flows towards debt service obligations and principal repayments;•increase our vulnerability to adverse changes in general economic, industry and competitive conditions;•limit our flexibility in planning for, or reacting to, changes in our business and our industry;•impair our ability to obtain future financing for working capital, capital expenditures, acquisitions, general corporate or other purposes; and•due to limitations within the debt instruments, restrict our ability to grant liens on property, enter into certain mergers, dispose of all or substantially all of our or our subsidiaries’ assets, taken as a whole, materially change our business or incur subsidiary indebtedness, subject to customary exceptions. Maintenance of our indebtedness, contractual restrictions, and additional issuances of indebtedness could:•cause us to dedicate a substantial portion of our cash flows from operations towards debt service obligations and principal repayments;•increase our vulnerability to adverse changes in general economic, industry and competitive conditions;24Table of Contents•limit our flexibility in planning for, or reacting to, changes in our business and our industry;•impair our ability to obtain future financing for working capital, capital expenditures, acquisitions, general corporate or other purposes; and•due to limitations within the debt instruments, restrict our ability to grant liens on property, enter into certain mergers, dispose of all or substantially all of our or our subsidiaries’ assets, taken as a whole, materially change our business or incur subsidiary indebtedness, subject to customary exceptions. We are required to comply with the covenants set forth in the indentures governing the 2030 Notes. Our ability to comply with these covenants may be affected by events beyond our control. If we breach any of the covenants and do not obtain a waiver from the note holders or lenders, then, subject to applicable cure periods, any outstanding indebtedness may be declared immediately due and payable. In addition, changes by any rating agency to our credit rating may negatively impact the value and liquidity of our securities. Downgrades in our credit ratings could restrict our ability to obtain additional financing in the future and could affect the terms of any such financing.24Table of ContentsRisks Related to General Economic ConditionsGlobal economic conditions may harm our industry, business and results of operations. •Risks Related to General Economic Conditions•Global economic conditions may harm our industry, business and results of operations. We operate globally and as a result, our business, revenues and profitability are impacted by global macroeconomic conditions. The success of our activities is affected by general economic and market conditions, including, among others, inflation, interest rates, tax rates, foreign exchange rates, economic downturns, recession, economic uncertainty, political instability, warfare, changes in laws, trade barriers, supply chain disruptions and economic and trade sanctions. The U.S. capital markets experienced and continue to experience extreme volatility and disruption. Furthermore, inflation rates in the U.S. and other key markets have recently increased to levels not seen in decades resulting in federal action to increase interest rates, affecting capital markets. have recently increased to levels not seen in decades resulting in federal action to increase interest rates, affecting capital markets. Such economic volatility could adversely affect our business, financial condition, results of operations and cash flows, and future market disruptions could negatively impact us. These unfavorable economic conditions could increase our operating costs and, because our typical contracts with customers lock in our price for a few years, our profitability could be negatively affected. Geopolitical destabilization and warfare have impacted and may continue to impact global currency exchange rates, commodity prices, energy markets, trade and movement of resources, which may adversely affect the buying power of our customers, our access to and cost of resources from our suppliers, and ability to operate or grow our business. In addition, from time to time, the U.S. and other key international economies have been impacted and may continue to be impacted by geopolitical and economic instability, high levels of credit defaults, international trade disputes, changes in demand for various goods and services, high levels of persistent unemployment, wage and income stagnation, restricted credit, poor liquidity, reduced corporate profitability, volatility in credit, equity and foreign exchange markets, inflation, bankruptcies, international trade agreements, export controls, economic and trade sanctions, health crisis such as the COVID-19 pandemic and overall economic uncertainty. These conditions can arise suddenly and affect the rate of digital transformation spending and could adversely affect our customers’ or prospective customers’ ability or willingness to purchase our services, delay purchasing decisions, reduce the value or duration of their subscriptions, or affect renewal rates, all of which could harm our operating results. Foreign currency exchange rate fluctuations could harm our financial results.We conduct significant transactions, including revenue transactions and intercompany transactions, in currencies other than the U.S. Dollar or the functional operating currency of the transactional entities. In addition, our international subsidiaries maintain significant net assets that are denominated in the functional operating currencies of these entities. Accordingly, changes in the value of currencies relative to the U.S. Dollar have impacted and may continue to impact our consolidated revenues and operating results due to transactional and translational remeasurement that is reflected in our earnings. It is particularly difficult to forecast any impact from exchange rate movements, unanticipated currency fluctuations have adversely affected and could continue to adversely affect our financial results or cause our results to differ from investor expectations or our own guidance in any future periods. Volatility in exchange rates and global financial markets is expected to continue due to political and economic uncertainty globally.We use derivative instruments, such as foreign currency forwards, to hedge exposures that certain of our balance sheet items have to changes in foreign currency rates. These hedging contracts have reduced and may continue to reduce, but they have not and cannot entirely eliminate, the impact of adverse currency exchange rate movements. Further, unanticipated changes in currency exchange rates may result in poorer overall financial performance than if we had not engaged in any such hedging transactions as we may not be able to establish a perfect correlation between such hedging instruments and the exposures being hedged. Risks Related to Ownership of Our Common StockOur stock price is likely to continue to be volatile and could subject us to litigation.•Risks Related to Ownership of Our Common Stock•Our stock price is likely to continue to be volatile and could subject us to litigation. Our stock price is likely to continue to be volatile and subject to wide fluctuations. In addition, technology companies in general have highly volatile stock prices, and the volatility in stock price and trading volume of securities is often unrelated or disproportionate to the financial performance of the companies issuing the securities. Factors affecting our stock price, some of which are beyond our control, include, among other factors:•changes in the estimates of our operating results, revenue growth, or changes in recommendations by securities analysts; •changes in the average contract term of our customer agreements, timing of renewals and renewal rates; •our ability to meet our financial guidance or financial performance expectations of the securities analysts or investors;•announcements of new products, services or technologies, new applications or enhancements to services, strategic alliances, acquisitions, or other significant events by us or by our competitors;•fluctuations in company valuations, such as high-growth or cloud companies, perceived to be comparable to us; 25Table of Contents•changes to our management team;•trading activity by directors, executive officers and significant shareholders, or the market’s perception that large shareholders intend to sell their shares;•the inclusion, exclusion, or removal of our stock from any major trading indices;•the size of our market float;•the trading volume of our common stock, including sales following the exercise of outstanding options or vesting of equity awards;•changes in laws or regulations impacting the delivery of our services;•significant litigation or regulatory actions;•the amount and timing of customer payments, payment defaults, operating costs and capital expenditures•the amount and timing of equity awards and the related financial statement expenses; •the impact of new accounting pronouncements; •the inability to conclude that our internal controls over financial reporting are effective;•our ability to accurately estimate the total addressable market for our products and services; and•overall performance of the equity markets. Factors affecting our stock price, some of which are beyond our control, include:•changes in the estimates of our operating results, revenue growth, or changes in recommendations by securities analysts; •announcements of new products, services or technologies, new applications or enhancements to services, strategic alliances, acquisitions, or other significant events by us or by our competitors;•fluctuations in company valuations, such as high-growth or cloud companies, perceived to be comparable to us; •changes to our management team;•trading activity by directors, executive officers and significant shareholders, or the market’s perception that large shareholders intend to sell their shares;•the inclusion, exclusion, or removal of our stock from any major trading indices;•the size of our market float;•the trading volume of our common stock, including sales following the exercise of outstanding options or vesting of equity awards;•the economy as a whole, including, among others, macroeconomic uncertainty, economic and market downturns, geopolitical destabilization, inflation, increases in interest rates and fluctuations in foreign exchange rates;•market conditions in our industry and the industries of our customers;•changes to our credit ratings;•the inability to conclude that our internal controls over financial reporting are effective; •investor, customers, and potential customers perception of our ESG program and other issues impacting our reputation; and•overall performance of the equity markets. Following periods of volatility in the market price of a company’s securities, securities class action litigation has often been brought against that company. Securities litigation could result in substantial costs and divert management’s attention and resources from our business. This could materially adversely affect our business, operating results, and financial condition.Provisions in our governing documents, Delaware law or 2030 Notes might discourage, delay or prevent a change of control or changes in our management and, therefore, depress our stock price.Our certificate of incorporation and bylaws contain provisions that could depress our stock price by acting to discourage, delay or prevent a change in control or changes in our management that our shareholders may deem advantageous. These provisions, among other things:•permit our board to establish the number of directors;•provide that directors may only be removed “for cause” and only with the approval of 66 2/3% of our shareholders;•require super-majority voting to amend certain provisions in our certificate of incorporation and bylaws;•authorize issuance of “blank check” preferred stock that our board could use to implement a shareholder rights plan;•prohibit shareholder action by written consent, which requires all shareholder actions to be taken at a meeting;•permit our board to make, alter or repeal our bylaws; and•require advance notice for shareholders to submit director nominations or other business at annual shareholders meetings (although our bylaws permit shareholders proxy access). These provisions, among other things:•established a classified board (although our board will be fully declassified by our 2023 annual shareholders meeting);•permit our board to establish the number of directors;•provide that directors may only be removed “for cause” and only with the approval of 66 2/3% of our shareholders;•require super-majority voting to amend certain provisions in our certificate of incorporation and bylaws;•authorize issuance of “blank check” preferred stock that our board could use to implement a shareholder rights plan;•prohibit shareholder action by written consent, which requires all shareholder actions to be taken at a meeting;•permit our board to make, alter or repeal our bylaws; and•require advance notice for shareholders to submit director nominations or other business at annual shareholders meetings (although our bylaws permit shareholders proxy access). Further, Section 203 of the Delaware General Corporation Law may discourage, delay or prevent a change in control of our company. Section 203 imposes certain restrictions on merger, business combinations and other transactions between us and certain shareholders. In addition, the terms of our 2030 Notes may cause a delay or prevent a change in control of our company, as they allow noteholders to require us to repurchase their notes upon the occurrence of a change in control repurchase event.26Table of ContentsITEM 1B.UNRESOLVED STAFF COMMENTSNone. 27Table of ContentsITEM IC.CYBERSECURITYCyber criminals are becoming more sophisticated and effective every day, and they are increasingly targeting enterprise software companies. All companies utilizing technology are subject to threats of breaches of their cybersecurity programs. To mitigate the threat to our business, we take a comprehensive approach to cybersecurity risk management and make securing the data customers and other stakeholders entrust to us a top priority. Our board of directors (the “Board”) and our management are actively involved in the oversight of our risk management program, of which cybersecurity represents an important component. As described in more detail below, we have established policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats. We have devoted significant financial and personnel resources to implement and maintain security measures to meet regulatory requirements and customer expectations, and we intend to continue to make significant investments to maintain the security of our data and cybersecurity infrastructure. There can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective. Although our Risk Factors include further detail about the material cybersecurity risks we face, we believe that risks from prior cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected our business to date. We can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business strategy, results of operations, or financial condition.Risk Management and StrategyOur policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall risk management program and are based on frameworks established by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization and other applicable industry standards. Our cybersecurity program in particular focuses on the following key areas:Collaboration Our cybersecurity risks are identified and addressed through a comprehensive, cross-functional approach. Key security, risk, and compliance stakeholders meet regularly to develop strategies for preserving the confidentiality, integrity and availability of Company and customer information, identifying, preventing and mitigating cybersecurity threats, and effectively responding to cybersecurity incidents. We maintain controls and procedures that are designed to ensure prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and the Board in a timely manner.Risk AssessmentAt least annually, we conduct a cybersecurity risk assessment that takes into account information from internal stakeholders, known information security vulnerabilities, and information from external sources (e.g., reported security incidents that have impacted other companies, industry trends, and evaluations by third parties and consultants). The results of the assessment are used to drive alignment on, and prioritization of, initiatives to enhance our security controls, make recommendations to improve processes, and inform a broader enterprise-level risk assessment that is presented to our Board, Audit Committee and members of management. Technical SafeguardsWe regularly assess and deploy technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence and incident response experience.Incident Response and Recovery PlanningWe have established comprehensive incident response and recovery plans and continue to regularly test and evaluate the effectiveness of those plans. Our incident response and recovery plans address — and guide our employees, management and the Board on — our response to a cybersecurity incident.28Table of ContentsThird-Party Risk ManagementWe have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal, and upon detection of an increase in risk profile. We use a variety of inputs in such risk assessments, including information supplied by providers and third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party providers, as appropriate. Education and AwarenessOur policies require each of our employees to contribute to our data security efforts. We regularly remind employees of the importance of handling and protecting customer and employee data, including through annual privacy and security training to enhance employee awareness of how to detect and respond to cybersecurity threats.External AssessmentsOur cybersecurity policies, standards, processes and practices are regularly assessed by consultants and external auditors. These assessments include a variety of activities including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. For example, in 2022 and 2023, we conducted independent cyber audits to assess our controls against the NIST Cybersecurity Framework. The results of significant assessments are reported to management, the Board and Audit Committee. Cybersecurity processes are adjusted based on the information provided from these assessments. We have also obtained industry certifications and attestations that demonstrate our dedication to protecting the data our customers entrust to us. GovernanceBoard OversightOur Board, in coordination with the Audit Committee, oversees our management of cybersecurity risk. They receive regular reports from management about the prevention, detection, mitigation, and remediation of cybersecurity incidents, including material security risks and information security vulnerabilities. Our Audit Committee directly oversees our cybersecurity program. The Audit Committee receives regular updates from management on cybersecurity risk resulting from risk assessments, progress of risk reduction initiatives, external auditor feedback, control maturity assessments, and relevant internal and industry cybersecurity incidents. Management’s RoleOur chief information officer (“CIO”), chief information security officer (“CISO”), chief technology officer (“CTO”), and General Counsel have primary responsibility for assessing and managing material cybersecurity risks and are members of management’s Security Steering Committee (the “Security Committee”), which is a governing body that drives alignment on security decisions across the Company. The Security Committee meets quarterly to review security performance metrics, identify security risks, and assess the status of approved security enhancements. The Security Committee also considers and makes recommendations on security policies and procedures, security service requirements, and risk mitigation strategies. Our CIO has served in various roles in information technology and information security for over 20 years, including serving as the Chief Information Officer or Chief Technology Officer of three other public companies. He holds an undergraduate degree in computer engineering. Our CISO has served in various roles in information technology and information security for almost 20 years, including serving as the Chief Information Security Officer or Chief Security Officer at two other large public companies. He holds an undergraduate and master’s degree in computer science. Our CTO has served in various roles in information technology for over 25 years and has been with us since 2011. Our General Counsel has over 20 years of experience managing risks, including risks arising from cybersecurity threats, at several large publicly-traded technology companies. 29Table of Contents.