Quiver Quantitative

Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.

View risk factors by ticker

Search filings by term

Risk Factors - VRSN

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

ITEM 1A. RISK FACTORS

Please carefully consider the following discussion of significant factors, events and uncertainties that make an investment in our securities risky. In addition to other information in this Form 10-K, the following risk factors should be carefully considered in evaluating us and our business. When the factors, events and contingencies described below or elsewhere in this Form 10-K materialize, our business, operating results, financial condition, reputation, cash flows or prospects can be materially adversely affected. Additional risks and uncertainties not currently known to us or that we currently deem immaterial may also materially adversely affect our business, operating results, financial condition, reputation, cash flows and prospects. Actual results could differ materially from those projected in the forward-looking statements contained in this Form 10-K as a result of the risk factors discussed below and elsewhere in this Form 10-K and in other filings we make with the SEC.

Cybersecurity and Technology Risk Factors

Attempted security breaches, including from the exploitation of vulnerabilities, cyber-attacks and Distributed Denial of Service (“DDoS”) attacks against our systems and services increase our costs, expose us to potentially material liability, and could materially harm our business and reputation.

As an operator of critical internet infrastructure, we experience a high rate of cyber-attacks and attempted security breaches targeting our systems and services, including the most sophisticated forms of attacks, such as advanced persistent threat attacks, exploitation of zero-day vulnerabilities, ransomware attacks, and social engineering attacks. The forms of these attacks are constantly evolving and may involve methods, tools, and strategies that may not have been previously identified and may not have been observed until the moment of launch, or until sometime after, making these attacks virtually impossible to anticipate and difficult to defend against. For example, recent advances in AI-based tools have made, and will continue to make, cyber-attacks more sophisticated, harder to defend, and easier and faster to launch. These tools allow for rapid exploitation of vulnerabilities, which hinders our ability to defend against such exploitation. In addition to external threats, our systems and services are subject to insider threat risks, including physical or electronic break-ins, sabotage, and risks from suppliers, such as consultants and advisors, SaaS providers, hardware, software, and network systems manufacturers, regional internet registries, and other vendors, or from current or former contractors or employees. These threats and any resulting security breaches can arise from intentional or unintentional actions. Our continued exposure to these threats and the potential that they could lead to material liability claims against us requires us to expend significant financial and other resources. We have developed policies, standards, and procedures to identify, protect, detect, respond, and recover from threats posed by cybersecurity risks, and failure to comply with these policies, standards, and procedures by our employees or suppliers could limit our ability to effectively manage threats from these cybersecurity risks.

Security vulnerabilities in our systems and our vendors’ systems, including vulnerabilities in third party software and hardware, pose a material risk to our operations. We use externally-developed technology, systems, and services, including both hardware and software, for a variety of purposes, including compute, storage, encryption and authentication, back-office support, and other functions. We have developed policies, standards, and procedures to reduce the impact of security vulnerabilities in system components, as well as at any vendors where our data is stored or processed. However, such measures cannot provide absolute security. Vulnerabilities could be exploited before a vulnerability has been disclosed or before our remediation is effective and if so, could cause systems and service interruptions, data loss and other damages. Our failure to identify, remediate and mitigate security vulnerabilities, including any potential failure to timely replace and upgrade hardware, software, or other technology assets, could result in material harm to our business, including loss of or delay in revenues, failure to meet service level agreements, material liability claims, failure to maintain market acceptance, injury to our reputation, increased costs, and call into question our ability to preserve the security and stability of the internet.

Our networks have been, and likely will continue to be, subject to DDoS attacks. We have successfully mitigated DDoS attacks to date; however, there can be no assurance that we will be able to defend against every attack, especially as the attacks increase in size and sophistication. Any attack, even if only partially successful, could disrupt our networks, increase response time, negatively impact our ability to meet our service level agreements, and generally impede our ability to provide reliable service to our customers and the broader internet community. We have historically incurred, and will continue to incur, significant costs to enable our infrastructure to process levels of attack traffic that can be substantially larger than our normal transaction volume. We are employing new technologies and new and different services and capabilities to help mitigate DDoS attacks. If these new technologies, services

Table of Contents

and capabilities are not effective, our infrastructure could be disrupted, our response times could increase, our ability to meet our service level agreements could be negatively impacted, and our ability to provide reliable service to our customers and the broader internet community could be impeded.

The number of such attacks is increasing. Social engineering attacks have occurred in concert with ransomware attacks. We still may be subject to successful cyber-attacks despite our efforts. Our failure to prevent such attacks, including any successful social engineering attack, could result in our inability to meet our service level agreements and could otherwise materially harm our business, including from legal claims, governmental investigations and scrutiny, injury to our reputation, and increased costs.

We do not maintain specific reserves for security breaches, cyber-attacks and DDoS attacks against our systems and the amount of insurance coverage we maintain may be inadequate to cover claims or liabilities relating to such attacks.

We may introduce undetected or unknown defects into our systems or services, which could materially harm our business and harm our vendors or our customers.

Despite testing, services as complex as those we offer or develop could contain undetected defects or errors, which could result in service outages or disruptions, compromised customer data, including DNS data, diversion of development resources, injury to our reputation, legal claims, increased insurance costs or increased service costs. Performance of our services, whether or not defective, could have unforeseen or unknown adverse effects on the networks over which they are delivered, on internet users and consumers, and on third-party applications and services that use our services, any of which could result in legal claims against us. While we strive to prevent, detect and remediate defects or errors, they can and do occur and they could result in our inability to meet customer expectations in a timely manner, failure to meet our service level agreements, injury to our reputation, and increased costs.

Our infrastructure and services are subject to vulnerabilities in the global routing system for the internet, as well as risks arising from internet services providers’ increasing adoption of the Resource Public Key Infrastructure system.

Routing on the internet depends on the Border Gateway Protocol (“BGP”), which is a protocol that relies on networks within the internet infrastructure acting in a trustworthy manner when sharing information about destinations for connectivity and the routing of internet traffic. As a trust-based protocol, BGP has a number of vulnerabilities that may lead to outages or disrupt our services, including as a result of “route hijacks” that involve accidental or malicious rerouting of internet traffic, or “route leaks” that involve the malicious or unintentional propagation of routing information beyond the intended scope of the originator, receiver, and/or one of the networks along the route’s path. Both route hijacks and route leaks can result in partial or full rerouting of internet traffic for the impacted destinations. These types of events, which are generally beyond our control, could enable an array of attack conditions or service disruptions, and could result in adverse publicity and adversely affect the public’s perception of the security of commerce and communications over the internet, as well as of the security or reliability of our services.

The RIRs allocate internet number resources, such as internet protocol addresses, to enterprises and network operators. We and other registries as well as internet service providers have also adopted or have begun to adopt RPKI. We have limited visibility into the maturity of and investment in the RIRs’ operational and security controls, which are outside of our control. When the availability, integrity, or confidentiality of any of the information in the RPKI system, or systems used to maintain and administer RPKI data and systems, are impacted or otherwise compromised in any of the RIRs, or any network operator that is a relying party of the RPKI system, or the operations or ingestion of data from the RPKI system are otherwise impacted by a known or unknown vulnerability, our services may be negatively impacted. Such impacts may include degraded or full loss of reachability of service addresses in the global internet routing system, resulting in degradation or complete loss of availability of our registration and resolution services. A compromise of the RPKI system and related services, or unintentional or unauthorized manipulation of data therein, may also result in other denial of service attack conditions for our infrastructure and services. The systemic dependencies introduced by the RPKI system and by the relying parties of the RPKI system, including internet service providers, are outside of our control, and systems that depend upon the RPKI may be only as secure as the weakest elements of the RPKI system. Contracting with RIRs for the provision of and access to RPKI services carries material operational risks, as described above, as well as material contractual risks, which may expose us to service disruptions and material liability.

Table of Contents

We could encounter system interruptions or system failures resulting from activities beyond our direct control that could materially harm our business.

We depend on the uninterrupted operation of our various systems, secure data centers, points of presence around the world and other computer and communication networks. Our systems and operations also face risks inherent in, or arising from, the terms and conditions of our agreements with service providers to operate our networks and data centers. We are also subject to the risk of state suppression of internet operations.

Our data centers, our data center systems, including the Shared Registration Systems located at our data centers, and our resolution systems are vulnerable to damage or interruption, which could impede our ability to provide our services, expose us to material liability, and materially harm our reputation.

Most of the computing infrastructure for our Shared Registration System is located at, and most of our customer information is stored in, data centers we own or lease. If our data center facilities or the updated network architectures, hardware or software upgrades, or security controls do not operate as expected, including the ability to quickly manage services across sites, we could experience service interruptions or outages. A failure in the operation of our Shared Registration System could result in the inability of one or more registrars to register or manage domain names for a period of time. If such a registrar has not implemented robust services in a manner that preserves transactions until processed by the registry, then the failure in the operation of our Shared Registration System could result in permanent loss of transactions at the registrar during that period. We do not carry insurance or designated financial reserves for such interruptions.

In addition, our services depend on the secure and efficient operation of the internet connections to and from customers to our Shared Registration System residing in our secure data centers as well as our globally distributed resolution systems. These connections depend upon the secure and efficient operation of internet service providers, internet exchange point operators, and internet backbone service providers. Such providers have encountered periodic operational problems or experienced outages in the past beyond our scope of control and may continue to encounter problems and outages or may choose to discontinue their service. If the providers that our connections depend upon do not protect, maintain, improve, and reinvest in their networks or present inconsistent, incorrect, or invalid data regarding routing information or DNS responses through their networks, our business could be harmed.

A failure in the operation or update of the root zone servers that we operate, the root zone file, the Root Zone Management System, the TLD name servers, the TLD zone files that we operate, or other network functions, could result in, among other problems, (1) a DNS resolution or other service outage or degradation, (2) the deletion of one or more gTLDs or ccTLDs from the internet, (3) the deletion of one or more second-level domain names from the internet, or (4) a misdirection of one or more domain names to different servers. A failure in the operation or update of the supporting cryptographic and other operational infrastructure that we maintain could result in similar consequences. Any of these problems or outages could create potential material liability and exposure from litigation and investigations, could result in a failure to meet our service level agreements, and could decrease customer satisfaction, harming our business. These problems could also result in adverse publicity, decrease the public’s trust in the security of e-commerce and other forms of online presence, or call into question our ability to preserve the security and stability of the internet.

We retain certain customer and employee information in our data centers and various domain name registration systems. Any physical or electronic break-in or other security breach or compromise of the information stored at our data centers or domain name registration systems may jeopardize the security of information we retain or that is retained in the computer systems and networks of our customers. In such an event, we could face material liability and exposure from litigation and investigations, fail to meet service level agreements, or be at risk of losing various security and standards-based compliance certifications needed for operation of our businesses, and customers could be reluctant to use our services. Any such outcomes could also adversely affect our reputation and harm our business or cause financial losses that are either not insured against or not fully covered through any insurance.

Table of Contents

We face risks from the operation of the root server system and our performance of the Root Zone Maintainer functions under the RZMA.

com and .net authoritative servers and therefore negatively impact directory services necessary for the operation of the internet. We also have an important operational role in support of a key Internet Assigned Numbers Authority (“IANA”) function as the Root Zone Maintainer. In this role, we provision and publish the authoritative root zone data and make it available to all root server operators under the RZMA with ICANN. If we make errors in the publication of the root zone or experience operational issues that impact the timeliness of updates to the root zone data, we may be subject to material claims challenging the RZMA or our performance under it, including tort claims, and we may not have immunity from, or sufficient indemnification or insurance for, such claims.

Contractual, Regulatory, Legal and Compliance Risk Factors

Any loss or modification of our right to operate the .com and .net gTLDs could have a material adverse impact on our business and result in loss of revenues.

Substantially all of our revenues are derived from our operation of the .com gTLD under our Cooperative Agreement with the DOC and our .com Registry Agreement as well as our operation of the .net gTLD under our .net Registry Agreement. Any loss or modification of our right to operate the .com and .net gTLDs could materially and adversely impact our ability to conduct our business and result in loss of revenues. Our .com and .net Registry Agreements contain “presumptive” rights of renewal upon the expiration of their current terms on November 30, 2030 and June 30, 2029, respectively. ICANN could refuse to renew upon expiration or terminate our .com Registry Agreement or our .net Registry Agreement if, upon proper notice, (1) we fail to cure a fundamental and material breach of certain specified obligations, and (2) we fail to timely comply with a final decision of an arbitrator or court. Additionally, each of the .com and .net Registry Agreements provide that if certain terms of these agreements are not similar to such terms generally in effect in the registry agreements of the five largest gTLDs, then a renewal of these agreements would be upon terms reasonably necessary to render such terms to be similar to the registry agreements for those other gTLDs. Any such terms, if they apply, could be unfavorable to us and have a material adverse impact on our business.

Standard renewals of the .com Registry Agreement do not require further DOC approval, although the prior written approval of the DOC is required for the removal of, or any changes to the pricing section (other than as approved in Amendment 35 to the Cooperative Agreement), and for changes to certain other specified terms whether such removal or changes are made at a renewal or otherwise. We can provide no assurances that DOC approval would be provided upon our request for any of these changes.

In addition, under Amendment 35 to the Cooperative Agreement, we have agreed to continue to operate the .com gTLD in a content-neutral manner and to work within ICANN processes to promote the development of content-neutral policies for the operation of the DNS. Such policies and processes could expose us to compliance costs and substantial liability and result in costly and time-consuming investigations or litigation.

Changes or challenges to the pricing provisions in the .com Registry Agreement could have a material adverse impact on our business.

Under the terms of the .com Registry Agreement, we may increase the annual fee of each .com domain name registration or renewal by up to 7% over the previous year in each of the final four years of each six-year period. We can provide no assurances that we will exercise such right to increase the annual fee. In addition to this contractual right, we are entitled to increase the annual fee of each .com domain name registration or renewal by up to 7% due to the imposition of any new specifications or policies adopted by ICANN pursuant to the procedures set forth in its bylaws and due process (“Consensus Policies”) or to a documented extraordinary expense resulting from an attack or threat of attack on the security and stability of the DNS (an “Extraordinary Expense”). In addition, our ability to increase the price for .com domain name registrations and renewals due to a Consensus Policy or Extraordinary Expense may occur only in years in which we do not increase the price for .com domain name registrations and renewals as described above. It is uncertain whether circumstances would arise that would permit us to take a price increase due to a Consensus Policy or Extraordinary Expense, or if they do, whether we would seek to increase the price for .com domain name registrations for this reason. A failure to seek and obtain a price increase due to a Consensus Policy or Extraordinary Expense, when applicable, could negatively affect our operating results. We also have the right under the Cooperative Agreement to seek the removal of these pricing restrictions on the .com gTLD if we demonstrate to the DOC that market conditions no longer warrant these restrictions. However, we can provide no assurances whether we will seek the removal of these restrictions, or whether the DOC would approve the removal of these restrictions.

Our .com Registry Agreement, and the Cooperative Agreement, including their pricing provisions, have been challenged, and could face challenges in the future, through publicity campaigns, governmental scrutiny, media interest, legal challenges, or

Table of Contents

challenges under ICANN’s accountability mechanisms. Such challenges have arisen, and could in the future, arise from trade organizations, the media, registrars, registrants, and others, particularly when these agreements are being renewed. These challenges, if successful, and even when unmeritorious and/or unsuccessful, could have a material adverse effect on our business.

Government regulation and the application of new and existing laws in the U.S. and internationally may slow business growth, increase our costs of doing business, create potential material liability and could have a material adverse effect on our business.

Application of new and existing laws and regulations in the U.S. or internationally to the internet, the domain name industry, or us have imposed and may in the future impose new costs and new restrictions on our business. In the U.S., new or modified Executive Orders or legislation involving the internet, cybersecurity, or in other areas could result in new obligations that could negatively impact our business. For example, the government of China has indicated that it will issue, and has issued, new regulations, and it has begun to enforce existing regulations differently, including by directing certain implementation models for registry services, that impose additional costs on, and risks to, our provision of registry services in China. These regulations are impacting the demand for domain name registrations in China. These regulations require registries, including us, and China-based registrars, to obtain a government-issued license for each gTLD or ccTLD operating in China.

We are also subject to changing laws and regulations that impact whether, how, and under what circumstances we may transfer, process and/or receive certain data that is critical to our operations, including data shared between countries or regions in which we operate and data shared among our products and services. For example, the data transfer frameworks between the U.S. and E.U. have been subject to legal challenges, which has created uncertain legal obligations.

New laws, regulations, directives or ICANN policies that require us to obtain and maintain personal information of registrants of domain names in the .com and .net gTLDs could impose material compliance costs and could create new, material legal and other risks to our business.

If we are required to, or choose to, obtain and maintain personal information of registrants of domain names in the .com and .net gTLDs we could be required to incur significant compliance and legal costs as a result of GDPR and other similar regulations. For example, in 2023, the European Union adopted the Network and Information Security Directive (“NIS 2”) that addresses registrant data. Our current obligations do not require us to obtain and maintain personal information of registrants of domain names. Specific E.U. member state implementations of NIS 2 could create uncertainty about, or change, these obligations. In addition, new obligations to obtain and maintain personal information of registrants in the .com and .net gTLDs could conflict with certain laws and regulations that may require such personal information be maintained solely within the jurisdiction of the data subject.

Such laws, regulations, directives or ICANN policies, could give rise to significant claims, inquiries, investigations or other actions against us, which could result in significant costs, damages, fines or penalties and could delay the development of new products, change our current business practices, result in negative publicity, or require significant management time and attention, all or any of which could materially harm our business.

Our international operations expose us and our business to additional economic, legal, regulatory and political risks that could have a material adverse impact on our revenues and business.

A significant portion of our revenues is derived from customers outside the U.S. Our business operations in international locations have required, and will continue to require, significant management attention and resources. We may also need to tailor some of our services for a particular location and to enter into international distribution and operating relationships. We may fail to maintain our ability to conduct business, including potentially material business operations in some international locations, or we may not succeed in expanding our services into new international locations or expand our presence in existing locations. Failure to do so could materially harm our business. Moreover, local laws and customs in many countries differ significantly from those in the U.S. In many foreign countries, particularly in those with developing economies, it is common for others to engage in business practices that are prohibited by our internal policies and procedures or U.S. law or regulations

Table of Contents

applicable to us. Despite our internal controls, there can be no assurance that our employees, contractors and agents will not take actions in violation of such policies, procedures, laws and/or regulations. Violations of laws, regulations or internal policies and procedures by our employees, contractors or agents could result in financial reporting problems, investigations, fines, penalties, or prohibition on the importation or exportation of our products and services and could have a material adverse effect on our business. In addition, we face risks inherent in doing business internationally, including:

•competition with companies in international locations or other domestic companies entering international locations in which we operate, as well as local governments actively promoting ccTLDs that we do not operate;

•political and economic tensions between governments and changes in international trade policies and/or the economic and trade sanctions programs administered by the United States including OFAC of the U.S. Department of the Treasury;

•tariffs and other trade barriers and restrictions;

•difficulties in staffing and managing international operations;

•potential problems associated with adapting our services to technical conditions existing in different countries;

•additional vulnerability from terrorist groups targeting U.S. interests abroad;

•potentially conflicting or adverse tax consequences; and

•potential concerns of international governments or customers and prospects regarding doing business with U.S. technology companies due to U.S. government policies.

The U.S. government has imposed restrictions on certain Chinese companies and on trading in certain technologies. The Chinese government has announced actions that, if implemented, could impose additional restrictions on the operations of non-Chinese companies in China.

We are subject to income taxes in both the U.S. and numerous international jurisdictions. Significant judgment is required in determining our worldwide provision for income taxes. In the ordinary course of our business, there are many transactions and calculations where the ultimate tax determination is uncertain. Our effective tax rates may fluctuate significantly on a quarterly basis because of a variety of factors, including changes in the mix of earnings and losses in countries with differing statutory tax rates, changes in our business or structure, changes in tax laws that could adversely impact our income or non-income taxes or the expiration of or disputes about certain tax agreements in a particular country. We are subject to audit by various tax authorities. In accordance with U.S. GAAP, we recognize income tax benefits, net of required valuation allowances and accrual for uncertain tax positions. Although we believe our tax estimates are reasonable, the final determination of tax audits and any related litigation could be materially different than that which is reflected in historical income tax provisions and accruals. Should additional taxes be assessed as a result of an audit or litigation, an adverse effect on our results of operations, financial condition and cash flows in the period or periods for which that determination is made could result.

The Organization for Economic Cooperation and Development (“OECD”) continues to issue guidance that will provide a long-term, multilateral proposal on the taxation of the digital economy. Certain countries, including our major international tax jurisdictions, have enacted legislation based on the OECD’s guidance. To date the legislation has had a limited impact on us, but the impact of future legislation is uncertain. Similarly, some international tax jurisdictions, independent of the OECD, have enacted or may enact new tax regimes aimed at income resulting from digital services. Although we cannot predict the nature or outcome of such changes or the likelihood of such legislative proposals being adopted in the U.S. or throughout the world, any or all of these changes in tax laws, including but not limited to changes in scope of OECD’s Pillar One, as well as new guidance issued and enacted pertaining to OECD’s Pillar Two, could increase our taxes and adversely impact our financial condition and cash flow.

Our business faces risks arising from ICANN’s consensus and temporary policies, technical standards and other processes.

Our Registry Agreements with ICANN require us to implement Consensus Policies and changes mandated by ICANN through temporary specifications or policies (“Temporary Policies”). ICANN could adopt Consensus Policies or Temporary Policies that (1) are unfavorable to us as the registry operator of .com, .net and other gTLDs we operate, (2) are inconsistent with our current or future plans, (3) impose substantial costs on our business, (4) subject the Company to additional legal risks,

Table of Contents

or (5) affect our competitive position. These Consensus Policies or Temporary Policies could have a material adverse effect on our business.

Our Registry Agreements with ICANN require us to implement and comply with various technical standards and specifications published by the Internet Engineering Task Force (“IETF”). ICANN could impose requirements on us through changes to these IETF standards, or new standards, that are inconsistent with our current or future plans, that impose substantial costs on our business, that subject the Company to additional legal risks, or that affect our competitive position. Any such changes to the IETF standards, or new standards, could have a material adverse effect on our business.

Weakening of, or changes to, the multi-stakeholder form of internet governance could materially and adversely impact our business.

The internet is governed under a multi-stakeholder model comprising civil society, the private sector, including for-profit and not-for-profit organizations such as ICANN, governments, including the U.S. government, academia, non-governmental organizations, the technical community, and international organizations. Substantially weakening or replacing the multi-stakeholder form of internet governance could materially harm our business. For example, certain governments, governmental organizations, and private actors continue to express dissatisfaction with the multi-stakeholder form of internet governance and have proposed alternatives including oversight by the United Nations or by international treaties. Furthermore, national legislation has been proposed on topics such as information security and access to personal information that effectively supplants the multi-stakeholder process for policy development in the DNS.

In addition, in 2016 the U.S. government transferred key internet functions to ICANN, who adopted new and enhanced accountability mechanisms in its bylaws such as the creation of the Empowered Community. There can be no assurance that the removal of the U.S. government oversight of these key functions, or the changes to ICANN’s bylaws, will not negatively impact our business.

Claims, lawsuits, audits or investigations in which we are or could become involved may result in material adverse outcomes to our business.

We are, and may in the future become, involved in claims, lawsuits, audits, and investigations, including intellectual property litigation and infringement claims. Litigation is inherently unpredictable, and unexpected judgments or excessive verdicts do occur. In addition, proceedings that we initially view as immaterial could prove to be material. In addition, we receive reports of suspected threats and abuse and we notify registrars or others of domain names associated with suspected malicious or illegal activity. We may also disable one or more domain names in the gTLDs or ccTLD we operate including in response to reports of suspected threats and abuse, governmental directives and court orders in those jurisdictions in which we operate. Activities such as these have resulted in, and could in the future result in, significant litigation and could harm our reputation. Given the inherent uncertainties in litigation, even when we are able to reasonably estimate the amount of possible loss or range of loss and therefore record an aggregate litigation accrual for probable and reasonably estimable loss contingencies, the accrual may change in the future due to new developments or changes in approach. In addition, such claims, lawsuits, audits and investigations could involve significant expense and diversion of management’s attention and resources from other matters.

Economic and Competition Risk Factors

Challenging global economic conditions have in the past and may in the future negatively impact our business.

These factors may have varying impacts on different geographic regions. For example, demand for our services substantially declined in China during 2023 and 2024 as a result of various factors including Chinese regulatory mandates that made it more difficult to register a domain name or establish an online presence using a domain name. Additionally, the rapid increase in demand for compute and network hardware, including servers, chips, memory and other technology, caused by new demand from AI companies, is increasing our costs for some of these goods and could increase our capital and operating costs.

The business environment is highly competitive and, if we do not compete effectively, we may suffer material adverse impact to our business, including lower demand for our products, reduced gross margins, and loss of market share.

Table of Contents

We face competition from services that provide an online identity or presence, including other gTLDs and ccTLDs. Also to remain competitive, we have undertaken important initiatives such as our efforts to acquire the .web gTLD, and we may in the future undertake other initiatives. Any of these initiatives require significant resources, can subject us to regulatory scrutiny and/or negative publicity, and divert management attention from our existing business. Such undertakings, including our efforts to acquire the .web gTLD, may be unsuccessful and costly.

We are the registry operator for certain new gTLDs, including certain IDN gTLDs. Our new gTLDs may not be as or more successful than the new gTLDs obtained by our competitors. In addition, our new gTLDs may face additional universal acceptance and usability challenges and it is possible that resolution of domain names within some of these new gTLDs may be blocked within certain state or organizational environments, challenging universal resolvability of these domain names and their general acceptance and usability.

See the “Competition” section in Part I, Item 1 of this Form 10-K for further information.

Strategic, Business and Operating Risk Factors

The evolution of technologies or internet practices and behaviors, the adoption of substitute technologies, or wholesale price increases of domain names in the gTLDs we operate may materially and negatively impact the demand for the domain names for which we are the registry operator.

These ongoing changes can negatively impact the demand for our domain names. In addition, registrants purchase domain names for a variety of reasons, including personal, commercial, and investment reasons. Changes in the motivation of domain name registrants can negatively impact our business.

Technology changes to web browser or internet search technologies could reduce demand for domain names. Similarly, if internet users’ preferences or practices shift away from recognizing and relying on web addresses or if internet users were to significantly decrease the use of web browsers in favor of applications to locate and access content, demand for domain names in the gTLDs we operate could be negatively impacted. Demand for domain names in the gTLDs we operate could be negatively impacted by new technologies that significantly decrease the use of traditional domain names to present and protect an online identity. New technologies that encourage internet users to expand the use of third-level domains or alternative identifiers, such as identifiers from social networking, e-commerce platforms and microblogging sites, could also negatively impact the demand for domain names in the gTLDs we operate. In addition, the demand for domain names in the gTLDs we operate could be impacted by alternative namespaces with domain-name-like identifiers that are operated outside the single authoritative DNS root zone, including blockchain namespaces. To the extent that web browsers, applications, DNS registrars and DNS resolvers recognize and support such namespaces, and that internet users are able to perform online operations with identifiers from such namespaces, demand for domain names in gTLDs and ccTLDs in the single authoritative DNS root zone, including the gTLDs we operate, could be negatively impacted. To the extent that alternative namespaces introduce user confusion about the relationship between identical or similar-looking identifiers in these namespaces and domain names in the DNS, demand for domain names and user confidence in the value of domain names as unique identifiers could also be negatively impacted. In addition, applications using AI could be transformational in ways that cannot be anticipated fully at this time. To the extent such applications impact the demand for domain names, it could have a material impact on our business.

Some registrars and registrants purchase and resell domain names at an increased price in a secondary market. Adverse changes in the resale value of domain names, changes in the business models for such domain name registrars and registrants, or other factors, including regulations limiting the resale of domain names, could result in a decrease in the demand and/or renewal rates for domain names in the gTLDs we operate.

Some registrars and registrants seek to generate revenues by registering domain names specifically for website advertising. Changes in the way these registrars and registrants are compensated (including changes in methodologies and metrics) by advertisers and advertisement placement networks, such as Google, Baidu and Bing, have adversely affected, and may continue to adversely affect the market for domain names used for this purpose, which has resulted in, and may continue to

Table of Contents

result in, a decrease in demand and/or the renewal rate for such domain names. In addition, if spending on online advertising and marketing is reduced, this may result in a further decline in the demand for domain names used for this purpose.

Under the terms of the .com and .net Registry Agreements, as amended, we are permitted to increase the annual fee of each .com and .net domain name registration or renewal according to the provisions in these agreements. To the extent we increase our prices, there could be a decrease in the demand and/or renewal rates for .com or .net domain names.

We seek to serve new, developing, and emerging economies in international locations to grow our business. These economies are rapidly evolving and may not grow or even if they do grow, our services may not be widely used or accepted there. Accordingly, the demand for our services in these locations is uncertain. A variety of economic and non-economic factors may affect acceptance or adoption of our services in these locations, including regional internet infrastructure development and government regulations.

All of the domain name registrations and renewals for the registries we operate occur through registrars. Registrars and their resellers engage in substantial marketing efforts to increase the demand and/or renewal rates for domain names as well as their own associated offerings. Consolidation in the registrar or reseller industry or changes in ownership, management, or strategy among individual registrars or resellers, including vertical integration by registrar or reseller industry participants, could result in significant changes to their businesses, operating models, and cost structures. These changes could include reduced marketing efforts for the gTLDs we operate or other operational changes that could adversely impact the demand and/or the renewal rates for the domain names for which we are the registry operator.

Likewise, our registrars and resellers may be more motivated to market to registrants to whom they can also market their own services, which could disadvantage our gTLDs and could adversely impact our revenues.

We depend on highly skilled employees to maintain and provide innovative solutions for our business, and our business could be materially harmed if we are not able to attract and retain such qualified talent.

Our business is highly technical and requires individuals skilled and knowledgeable in unique technologies, configurations, operating systems, and software development tools. We depend on the knowledge, experience, and performance of these employees and leaders to effectively manage and provide innovative solutions for our business. For example, we require employees with expertise in DNS operations and with certain cybersecurity specialties. Because such employees are in high demand by our competitors and other companies, we must be able to attract, integrate, retain and motivate such highly skilled employees and leaders. Failure to attract and retain such employees and to effectively implement succession plans for these employees could harm our business.

Capital Structure Risk Factors

We may not pay any dividends on our common stock in the future.

During the second quarter of 2025, we began to declare quarterly dividends. Future dividends will be subject to declaration by the Board and, thus, may be subject to numerous factors in existence at the time of any such declaration including, but not limited to, prevailing market conditions, our results of operations, financial condition and liquidity, contractual prohibitions and other restrictions with respect to the payment of dividends. There is no assurance that the Board will declare and thus that we will pay, any dividends on our common stock in the future. The Board may, in its discretion, decrease the level of cash dividends. A reduction or elimination of cash dividends could negatively affect the market price of our common stock.

Intellectual Property Risk Factors

We rely on our intellectual property rights to protect our proprietary assets, and any failure by us to protect or enforce, or any misappropriation of, our intellectual property could materially harm our business.

Our success depends in part on our internally developed technologies and related intellectual property. Despite our precautions, it may be possible for an external party to copy or otherwise obtain and use our intellectual property without

Table of Contents

authorization. Furthermore, the laws of other countries may not protect our proprietary rights in those countries to the same extent U.S. law protects these rights in the U.S. In addition, it is possible that others may independently develop substantially equivalent intellectual property. If we do not effectively protect our intellectual property, our business could suffer. Additionally, we have filed patent applications with respect to some of our technology in the U.S. Patent and Trademark Office and patent offices outside the U.S. Patents may not be awarded with respect to these applications and even if such patents are awarded, third parties may seek to oppose or otherwise challenge our patents, and such patents’ scope may differ significantly from what was requested in the patent applications and may not provide us with sufficient protection of our intellectual property. In the future, we may have to resort to litigation to enforce and protect our intellectual property rights, to protect our trade secrets or to determine the validity and scope of the proprietary rights of others. This type of litigation is inherently unpredictable and, regardless of its outcome, could result in substantial costs and diversion of management attention and technical resources. Some of the software and protocols used in our business are based on standards set by standards setting organizations such as the IETF. To the extent any of our patents are considered “standards essential patents,” in some cases we may be required to license such patents to our competitors on reasonable and non-discriminatory terms or otherwise be limited in our ability to assert such patents.

We also license externally developed technology that is used in some of our products and services to perform key functions. These externally developed technology licenses may not continue to be available to us on commercially reasonable terms or at all. Some of the software and protocols used in our business are in the public domain or may otherwise become publicly available, which means that such software and protocols are or may become equally available to our competitors.

We rely on the strength of our Verisign brand to help differentiate our products. Dilution of the strength of our brand could harm our business.

General Risk Factors

The use of AI technology by third-parties, including our vendors, and our use of AI technology, tools, and services could expose us to cybersecurity, operational, intellectual property and regulatory risks that could adversely affect our business, reputation or financial results.

The use of AI technology by third parties may increase our exposure to cybersecurity and data protection risks. For example, recent advances in AI technology and tools have made, and will continue to make, cyber-attacks more sophisticated, harder to defend, and easier and faster to launch. These tools permit rapid exploitation of vulnerabilities, which hinders our ability to defend against such exploitation. In addition, the use and integration of AI technology into the products and services that we procure could create or exacerbate vulnerabilities, potentially resulting in unauthorized access to our systems including our sensitive or proprietary information.”

We may also experience challenges in the effective or timely adoption of AI technology. Our decision to adopt AI technologies in a low-risk manner could result in slower adoption of AI technology that could hinder or prevent us from realizing efficiencies or benefits, which could result in less efficient operations. Further, although we have established AI policies and procedures, our use of AI technology, if not effectively governed, could result in unintended consequences, including errors, biased, and otherwise unreliable outputs. The use of certain AI technology tools, including those provided by third parties, may also create intellectual property risks, such as uncertainty regarding ownership of AI-generated output, IP infringement, or the disclosure of confidential or proprietary information.

Finally, AI is subject to increasing regulatory scrutiny and evolving laws, rules and regulations, which may increase our compliance costs and affect our development, adoption, use, implementation and maintenance of AI technologies or tools, and subject us to increased legal liability, regulatory scrutiny, and reputational harm.

Short sellers have in the past, and may in the future, engage in efforts to lower the market price of our common stock through the dissemination of false or misleading information.

Short selling is the practice of selling securities that the seller does not own but rather has borrowed or intends to borrow from a third party with the intention of subsequently buying lower-priced identical securities to return to the lender. Accordingly, it is in the interest of a short seller to want the price of our common stock to decline. Short sellers may seek to profit from declines in the market price of our common stock and, in some cases, may publish, or arrange for the publication of, false or misleading information regarding our business. We have been, and may in the future be, the target of short sellers. The

Table of Contents

dissemination of such information, regardless of its veracity, can lead to significant stock price volatility, reputational harm, and the diversion of management’s attention from our core business. Such activities may result in a decline in the market price of our stock or could lead to costly litigation or regulatory inquiries.

ITEM 1B. UNRESOLVED STAFF COMMENTS

None.

ITEM 1C. CYBERSECURITY

Cybersecurity Risk Management and Strategy

Our cybersecurity program is designed and implemented to assess, identify, mitigate and manage risks from cybersecurity threats that may result in adverse effects on the integrity and availability of our production and information systems and support our track record of more than 28 years of 100% DNS uptime for .com and .net. Among other items, our cybersecurity program is comprised of policies, standards, plans and frameworks for information security, business resilience, insider threat mitigation, technology asset management, cyber risk management, incident response and procurement. Material risks from cybersecurity threats include, among other things, operational disruption, including failure to meet our service level agreements, loss or destruction of data, hardware or intellectual property, and cyber extortion through ransomware. While we have not identified any material cybersecurity incidents, we continuously manage cyber-attacks, including from sophisticated nation-state actors. In addition, AI continues to enhance the capabilities of threat actors. The management of cybersecurity risks, which involves significant and sustained resource commitments and management attention, is also integrated into the Company’s enterprise risk management (“ERM”) program through formal processes that help identify and elevate the most serious risks, including those pertaining to cybersecurity, for management at the enterprise level and oversight at the Board level. For more information on the Company’s cybersecurity risks and their possible impact on our business strategy, results of operations, or financial condition see “Risk Factors – Cybersecurity and Technology Risk Factors” in Part I, Item 1A of this Form 10-K”.

Our cybersecurity program leverages the NIST Cybersecurity Framework to help protect the Company’s operations, information, production systems and networks from threats through cybersecurity practices, programs and tools that establish defenses in depth. The program has dedicated business resilience, insider threat and governance, risk and compliance (“GRC”) functions that report to our Chief Information Security Officer (“CISO”). Incident management is governed by our Incident Response Plan that assigns incident command and control parameters and escalation protocols to management and the Board of Directors. Our incident response plan includes procedures for immediate escalation of cybersecurity events to our Legal department to ensure timely evaluation of disclosure obligations. Our cybersecurity program also focuses on risks from the use of third-party services. Our GRC team assesses the cybersecurity practices of current and prospective service providers for compliance with our requirements, and our procurement functions seek terms and conditions, including by example, audit rights and vulnerability or breach disclosure obligations, to enhance our defenses against supply chain risks.

Our cybersecurity program incorporates several control and best practice regimes, including for example, the Center for Internet Security (“CIS”) controls tailored for our specific environment. We conduct regular internal and external assessments, audits, and tabletop exercises to assess security vulnerabilities, control compliance and incident preparedness. These assessments and exercises include breach attack simulation tools, red team exercises simulating insider and external attacks, threat and vulnerability assessments, ransomware, application, and secure image testing, crisis management exercises, including incident response and escalation procedures, and internal audit reviews. Management and the Board’s Cybersecurity Committee reviews the results of these exercises, audits and assessments. We also actively engage with third parties, such as key vendors, auditors, consultants, industry participants, and intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our cybersecurity program. We monitor emerging data protection laws and cybersecurity and privacy regulatory requirements and implement changes to our standards and processes for continued compliance. Our cybersecurity program also includes employee and contractor training, which primarily consists of monthly educational videos, annual trainings and certifications, and phishing exercises.

Cybersecurity Governance

Our cybersecurity strategy and program are led by our Executive Vice President of Technology and Chief Security Officer (“CSO”), who reports to the CEO. Our CSO has over 30 years of experience in technology and cybersecurity leadership positions and has authored several security-related books and numerous patents, IP standards, and security research publications. He has served in various capacities on various technology working groups and standards setting organizations

including the Internet Architecture Board and the Internet Engineering Task Force. Our CSO manages a converged security, engineering and operations organization that helps to ensure that cyber and other security priorities are comprehensively considered throughout the Company. Our CISO, Chief Information Officer (“CIO”), Chief Technology Officer (“CTO”) and the head of architecture, engineering, operations, and corporate security functions report to our CSO. These and other experienced employees lead the teams responsible for implementing various parts of our cybersecurity program.

The Council receives information, typically monthly, on the status of the cybersecurity program, initiatives, incidents, cybersecurity risks, assessments, and threats, among other items. The Chair of the Board’s Cybersecurity Committee is the Board’s liaison to the Council and attends the regular meetings of the Council.

Our Board has delegated primary oversight of the Company’s cybersecurity risks and our cybersecurity program to the Cybersecurity Committee. The Audit Committee also reviews material cybersecurity risks as part of the Company’s ERM program. The Cybersecurity Committee and the full Board receive quarterly status reports on the cybersecurity program from the CSO, addressing progress and updates on multiple cybersecurity functions and initiatives including, for example, compliance, assessments, security operations and incident response, business resilience, DDoS attacks, data privacy, technology and asset management, controls, and vulnerability management.

In addition, the Cybersecurity Committee conducts oversight on behalf of the Board of our use of AI and AI risks, including as it pertains to cybersecurity and data governance. At the management level, the Company’s use of AI, including in the cybersecurity area, is managed pursuant to a corporate AI policy by a cross-functional AI Steering Committee comprised of senior Verisign technology, cybersecurity and legal resources.

Recently Filed

Click on a ticker to see risk factors

Ticker *	File Date
AAT	7 hours ago
LVS	7 hours ago
RTX	7 hours ago
APTV	7 hours ago
SYF	7 hours ago
POWI	7 hours ago
MAA	7 hours ago
CHAC	7 hours ago
VTR	8 hours ago
ELV	9 hours ago
MSCI	9 hours ago
HNOI	10 hours ago
HAL	10 hours ago
AXP	11 hours ago
RLEA	12 hours ago
ATR	12 hours ago
MTD	12 hours ago
TXN	13 hours ago
UNP	14 hours ago
OMF	15 hours ago
BIIB	16 hours ago
PM	17 hours ago
AMZN	1 day, 5 hours ago
RDDT	1 day, 6 hours ago
CCIX	1 day, 6 hours ago
VRSN	1 day, 7 hours ago
CUZ	1 day, 7 hours ago
XPO	1 day, 7 hours ago
PINE	1 day, 7 hours ago
BYRN	1 day, 7 hours ago
BKR	1 day, 7 hours ago
OTIS	1 day, 8 hours ago
APPF	1 day, 8 hours ago
LUV	1 day, 8 hours ago
BSET	1 day, 8 hours ago
CFR	1 day, 8 hours ago
HII	1 day, 8 hours ago
CARR	1 day, 8 hours ago
TT	1 day, 8 hours ago
FAST	1 day, 12 hours ago
SIRI	1 day, 14 hours ago
IDCC	1 day, 15 hours ago
ICE	1 day, 15 hours ago
OCUL	1 day, 16 hours ago
TW	1 day, 17 hours ago
AMD	3 days, 5 hours ago
PYPL	3 days, 7 hours ago
KREF	3 days, 7 hours ago
ISRG	3 days, 7 hours ago
DOC	3 days, 7 hours ago

OTHER DATASETS

House Trading

Dashboard

Corporate Flights

Dashboard

App Ratings

Dashboard

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - VRSN

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - VRSN

-New additions in green-Changes in blue-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing