Table of Contents

our debt obligations or to refinance on commercially reasonable terms could have a material adverse effect on our business, financial condition, cash flows and results of operations, could cause the market value of our securities to decline and impact our ability to continue as a going concern.

We have a history of net losses and may continue to incur losses in the future. Our ability to continue as a going concern is highly dependent upon our ability to raise additional funds in the future. There can be no assurance that we will be able to raise any additional funds, or if we are able to raise additional funds, that such funds will be in the amounts required or on terms favorable to us. As a result of our financial condition and other factors described herein, the Company believes there is substantial doubt about our ability to continue as a going concern.

Our future profitability and ability to achieve positive cash flow is uncertain. Our future profitability and ability to achieve positive cash flow is uncertain.

Our future profitability depends on our ability to generate revenue in excess of our expenses, including fixed costs relating to the maintenance of our business and debt service requirements. Our future profitability also may be impacted by non-cash charges such as stock-based compensation charges and potential impairment of goodwill, which has at times negatively affected our reported financial results. Even if we achieve profitability on an annual or quarterly basis, we may incur significant losses in the future for a number of reasons and risks described in this Annual Report and we may encounter unforeseen expenses, difficulties, complications, and delays that may cause our costs to exceed our expectations.

Generating positive cash flow depends on our ability to generate collections from sales in excess of our expenditures. Our ability to generate and collect on sales can be negatively affected by many factors, including our inability to sell to new customers or convince existing customers to renew or expand their services; the lengthening of sales cycles; failure of customers to pay our invoices on a timely basis or at all; a failure in the performance of our solutions or internal controls that adversely affects our reputation or results in loss of business; the loss of market share to competitors; the failure to enter or succeed in new markets; regional or global economic conditions or regulations affecting perceived need for or value of our services; or our inability to develop and sell new or expanded offerings to meet evolving market needs.

We anticipate that we will incur increased sales and marketing and general and administrative expenses as we continue to diversify our business into new industries and geographic markets and that we will require significant amounts of working capital to support our growth.We anticipate that we will incur increased sales and marketing and general and administrative expenses as we continue to diversify our business into new industries and geographic markets. We may not achieve collections from sales to offset these anticipated expenditures. We may not achieve collections from sales to offset these anticipated expenditures sufficient to maintain positive future cash flow. An inability to generate positive cash flow as a result may decrease our long-term viability. An inability to generate positive cash flow may decrease our long-term viability.

Our securities may be delisted from Nasdaq

Our Common Stock is currently listed for trading on the Nasdaq, and the continued listing of our Common Stock on the Nasdaq is subject to our compliance with a number of listing standards, including Nasdaq Listing Rule 5550(b)(2), which requires that the Company maintain a market value of listed securities (“MVLS”) of at least $35 million (the “MVLS requirement”) and Listing Rules 5620(a) and 5810(c)(2)(G), which require us to hold an annual shareholder meeting within twelve months of the December 31, 2022 fiscal year end (the “Annual Meeting Requirement”). On November 13, 2023, we received an anticipated notice (the “MVLS Notice”) from Nasdaq notifying the Company that it is not in compliance with Nasdaq Listing Rule 5550(b)(2) because, for the last 30 consecutive business days, the Company’s MVLS was below the minimum requirement of $35 million. In the MVLS Notice, Nasdaq indicated that the Company has 180 calendar days from the date of the MVLS Notice (or until May 13, 2024) to regain compliance with the MVLS Rule by having our MVLS close at or above $35 million for a minimum of ten consecutive business days. On March 14, 2023, we received a second notice stating that the Company is not in compliance with the Annual Meeting Requirement and that the Company had 45 calendar days, or until April 29, 2024, to submit a plan to regain compliance.

There can be no assurance that we will remedy and continue to satisfy these and other continuing listing requirements and remain listed on the Nasdaq. If our Common Stock or Series B Preferred Stock were no longer listed on the Nasdaq, investors might only be able to trade on one of the over-the-counter markets. If our Common Stock were no longer listed on the Nasdaq, investors might only be able to trade on one of the over-the-counter markets. This would impair the liquidity of our securities not only in the number of shares that could be bought and sold at a given price, which might be

26

Table of Contents

depressed by the relative illiquidity, but also through delays in the timing of transactions and reduction in media and analyst coverage. In addition, we could face significant material adverse consequences, including limited availability of market quotations for our securities and a decreased ability to issue additional securities or obtain additional financing. In addition, we could face significant material adverse consequences, including: a limited availability of market quotations for our securities; a limited amount of news and analyst coverage for us; and a decreased ability to issue additional securities or obtain additional financing.

We substantially increased the outstanding number of shares during 2023, substantially diluting existing stockholders’ interests in Exela, and we may engage in dilutive transactions in the future.

In 2023 we increased the outstanding shares of Common Stock from 1,393,276 at January 1, 2023 (adjusted to give effect for the 1:200 stock split on May 12, 2023) to 6,365,353 at December 31, 2023. The increase in outstanding shares was due principally to the sale of additional shares for cash, which resulted in all the shares of Common Stock outstanding on January 1, 2023 representing less than 22% of the outstanding shares of Common Stock on December 31, 2023. Due to the need to repay existing indebtedness and fund operations, we may issue a material number of additional shares of Common Stock in the future, which would have the effect of further diluting existing shareholders. Such issuances, or market perception of the possibility of substantial future dilution, could make our stock less attractive to investors and could have a material adverse effect on the price of our stock. Such issuances, or market perception of the possibility of substantial future dilution, could make our stock less attractive to investors, including institutional investors, and could have a material adverse effect on the prices at which our stock trades.

​

We have recorded significant goodwill impairment charges and may be required to record additional charges to future earnings if our goodwill or intangible assets become impaired.

As of December 31, 2023, our goodwill balance was $170.5 million which represented 26.8% of total consolidated assets. There was no impairment of goodwill and other intangible assets for the year ended December 31, 2023. Goodwill is required to be tested for impairment at least annually. We may be required to record additional charges to earnings during the period in which any impairment of our goodwill or other intangible assets is determined which could have a material adverse impact on our results of operations. Even though these charges may be non-cash items and may not have an immediate impact on our liquidity, the fact that we report charges of this nature could contribute to negative market perceptions about us or our securities, including our Common Stock.

The HGM Group has significant influence over us and our corporate governance.

Our Executive Chairman, Par Chadha, our Interim Chief Financial Officer, Matthew Brown, our director, Ms. Sharon Chadha, and several of our other executives have or have had affiliations with the HGM Group. Sharon Chadha, and several of our other executives have affiliations with the HGM Group. The HGM Group’s interests may not align with the interests of our other stakeholders. The HGM Group is in the business of making investments in companies and may acquire and hold interests in businesses that compete directly or indirectly with us. The HGM Group may also pursue acquisition opportunities that may be complementary to our business, and, as a result, those acquisition opportunities may not be available to us.

Certain of our contracts are subject to termination rights, audits and/or investigations, which, if exercised, could negatively impact our reputation and reduce our ability to compete for new contracts and have an adverse effect on our business, results of operations and financial condition.

Many of our customer contracts may be terminated by our customers without cause and without any fee or penalty, with only limited notice. We may not be able to replace a customer that elects to terminate or fails to renew its contract with us. We may not be able to replace a customer that elects to terminate or not renew its contract with us, which would reduce our revenues.

In addition, a portion of our revenues is derived from contracts with the U.S. federal and state governments and their agencies and from contracts with foreign governments and their agencies. Government entities typically finance projects through appropriated funds. The public procurement environment is unpredictable and this could adversely affect our ability to perform work under new and existing contracts, including as a result of our business being diverted to a small or disadvantaged or minority-owned business pursuant to set-aside programs. The public procurement environment is unpredictable and this could adversely affect our ability to perform work under new and existing contracts.

Moreover, government contracts are generally subject to a right to conduct audits and investigations by government agencies. Moreover, government contracts are generally subject to a right to conduct audits and investigations by government agencies. If the government finds that it was inappropriately charged any costs to a contract, the costs are not reimbursable or, if already reimbursed, the cost must be refunded to the government. If the government finds that it was inappropriately charged any costs to a contract, the costs are not reimbursable or, if already reimbursed, the cost must be refunded to the government. Additionally, we may be subject to various civil and criminal penalties and administrative sanctions, which may include termination of contracts,

27

Table of Contents

forfeiture of profits, suspension of payments, fines and suspensions or debarment from doing business with the government. Further, the negative publicity that could arise from any such penalties, sanctions or findings in such audits or investigations could have an adverse effect on our reputation in the industry and reduce our ability to compete for new contracts and could materially adversely affect our results of operations and financial condition. Further, the negative publicity that could arise from any such penalties, sanctions or findings in such audits or investigations could have an adverse effect on our reputation in the industry and reduce our ability to compete for new contracts and could materially adversely affect our results of operations and financial condition.

Downgrades in our credit ratings could impact our ability to access capital and materially adversely affect our business, financial condition and results of operations.

Credit rating agencies continually review their ratings for the companies that they follow, including us. Credit rating agencies also evaluate the industries in which we and our affiliates operate as a whole and may change their credit rating for us based on their overall view of such industries. There can be no assurance that any rating assigned to our currently outstanding public debt securities will remain in effect for any given period of time or that any such ratings will not be further lowered, suspended or withdrawn entirely by a rating agency if, in that rating agency’s judgment, circumstances so warrant. A further downgrade of our credit ratings could, among other things, limit our ability to access capital or otherwise adversely affect the availability of other new financing on favorable terms, which could materially adversely affect our results of operations and financial condition.

We may not be able to offset increased costs with increased fees under long-term contracts. We may not be able to offset increased costs with increased fees under long-term contracts.

The pricing and other terms of our customer contracts, particularly our long-term contact center agreements, are based on estimates and assumptions we make at the time we enter into these contracts. These estimates reflect our best judgments regarding the nature of the engagement and our expected costs to provide the contracted services and could differ from actual results. Not all our larger long-term contracts allow for escalation of fees as our cost of operations increase and those that allow for such escalations do not always allow increases at rates comparable to increases that we experience. Where we cannot negotiate long-term contract terms that provide for fee adjustments to reflect increases in our cost of service delivery, our business, financial conditions, and results of operation would be materially impacted. If and where we cannot negotiate long-term contract terms that provide for fee adjustments to reflect increases in our cost of service delivery, our business, financial conditions, and results of operation would be materially impacted.

Our business process automation solutions often require long selling cycles and long implementation periods that may result in significant upfront expenses that may not be recovered.

We often face long selling cycles to secure new contracts for our business process automation solutions. If we are successful in obtaining an engagement, the selling cycle can be followed by a long implementation period. If we are successful in obtaining an engagement, the selling cycle can be followed by a long implementation period during which we plan our services in detail and demonstrate to the customer our ability to successfully integrate our solutions with the customer’s internal operations. Delays in internal approvals, technology implementations, or customer decisions can prolong these cycles. Even if we succeed in developing a relationship with a potential customer and begin to discuss the services in detail, the potential customer may choose a competitor or decide to retain the work in-house prior to the time a contract is signed. Additionally, we may not begin receiving revenue until after the implementation period and our solution is fully operational, leading to upfront expenses without immediate profits. These extended cycles can strain finances, especially when hiring new staff before revenue collection. Our inability to obtain contractual commitments after a selling cycle, maintain contractual commitments after the implementation period or limit expenses prior to the receipt of corresponding revenue may have a material adverse effect on our business, results of operations and financial condition.

We face significant competition from U.S.-based and non-U.S.-based companies and from our customers who may elect to perform their business processes in-house or invest in their own technologies in-house.

Our industry is highly competitive, fragmented and subject to rapid change. We compete primarily against local, national, regional and large multi-national information and payment technology companies, including focused BPO companies based in offshore locations, BPO divisions of information technology companies located in India, other BPO and BPA and consulting services and digital transformation solution providers and the in-house capabilities of our customers and potential customers. These competitors may include entrants from adjacent industries or entrants in geographic locations with lower costs than those in which we operate.

Some of our competitors have stronger financial, marketing, and technological capabilities, larger customer bases, and better brand recognition. Expansion of competitors' global delivery centers or strategic partnerships with larger firms may increase competition. Further, we expect competition to intensify in the future as more companies enter

28

Table of Contents

our markets and customers consolidate the services they require among fewer vendors. Increased competition, our inability to compete successfully against competitors, pricing pressures or loss of market share could result in reduced operating margins, which could adversely affect our business, results of operations and financial condition. Increased competition, our inability to 29 Table of Contentscompete successfully against competitors, pricing pressures or loss of market share could result in reduced operating margins, which could adversely affect our business, results of operations and financial condition.

Our industry is characterized by rapid technological change and failure to compete successfully within the industry and address rapid technological change could adversely affect our results of operations and financial condition.

The process of developing new services and solutions is inherently complex and uncertain, requiring accurate anticipation of customer needs and emerging trends.The process of developing new services and solutions is inherently complex and uncertain. It requires that we make long-term investments and commit significant resources before knowing whether these investments will eventually result in services that achieve customer acceptance and generate the revenues required to provide desired returns. We must make long-term investments and commit significant resources before knowing whether these investments will eventually result in services that achieve customer acceptance and generate the revenues required to provide desired returns. If we fail to accurately anticipate and meet our customers’ needs through the development of new technologies and service offerings or if our new services are not widely accepted, we could lose market share and customers to our competitors and that could materially adversely affect our results of operations and financial condition.

More specifically, the business process solutions industry is characterized by rapid technological change, evolving industry standards and changing customer preferences. The success of our business depends, in part, upon our ability to develop technology and solutions that keep pace with changes in our industry and the industries of our customers. Although we have made, and will continue to make, significant investments in the research, design and development of new technology and platforms-driven solutions, we may not be successful in addressing these changes on a timely basis or in marketing the changes we implement. In addition, products or technologies developed by others may render our services uncompetitive or obsolete. Failure to address these developments could have a material adverse effect on our business, results of operations and financial condition.

In addition, existing and potential customers are actively shifting their businesses away from paper-based environments to electronic environments with reduced needs for physical document management and processing. This shift may result in decreased demand for the physical document management services we provide such that our business and revenues may become more reliant on technology-based services in electronic environments, which are typically provided at lower prices compared to physical document management services. Though we have solutions for customers seeking to make these types of transitions, a significant shift by our customers away from physical documents to non-paper based technologies, whether now existing or developed in the future, could adversely affect our business, results of operation and financial condition.

Also, some of the large international companies in the industry have significant financial resources and compete with us to provide document processing services and/or business process services. We compete primarily on the basis of technology, performance, price, quality, reliability, brand, distribution and customer service and support. Our success in future performance is largely dependent upon our ability to compete successfully, to promptly and effectively react to changing technologies and customer expectations and to expand into additional market segments. To remain competitive, we must develop services and applications; periodically enhance our existing offerings; remain cost efficient; and attract and retain key personnel and management. If we are unable to compete successfully, we could lose market share and important customers to our competitors and that could materially adversely affect our results of operations and financial condition.

We rely, in some cases, on third-party hardware and software, which could cause errors or failures of our services and could also result in adverse effects for our business and reputation if these third-party services fail to perform properly or are no longer available.

Although we developed our platform-driven solutions internally, we rely, in some cases, on third-party hardware and software in connection with our service offerings which we either purchase or lease from third-party vendors. While we are able to select from various competing hardware and software applications, detecting design defects or software errors is challenging due to complexity and unique specifications. Any errors or defects in third-party hardware or software incorporated into our service offerings, may result in a delay or loss of revenue, diversion of resources, damage to our reputation, or potential claims against us. Any errors or defects in third-party hardware or software incorporated into our service offerings, may result in a delay or loss of revenue, diversion of resources, damage to our reputation, the loss of the affected customer, loss of future business, increased service costs or potential litigation claims against us.

29

Table of Contents

Further, this hardware and software may not continue to be available on commercially reasonable terms or at all. Any loss of the right to use any of this hardware or software, or any increases in the price charged by third-party vendors, could negatively affect our business until equivalent technology is either developed by us or, if available, is identified, obtained and integrated on commercially reasonable terms. Any loss of the right to use any of this hardware or software could result in delays in the provisioning of our services, which could negatively affect our business until equivalent technology is either developed by us or, if available, is identified, obtained and integrated. Further, changing hardware vendors or software licensors could detract from management’s ability to focus on the ongoing operations of our business or could cause delays in the operations of our business.

Our ability to deliver our services is dependent on the development and maintenance of the infrastructure of the Internet by third parties.

The Internet’s infrastructure comprises many different networks and services that are highly fragmented and distributed by design. This infrastructure is run by a series of independent third-party organizations that work together to provide the infrastructure and supporting services of the Internet. The Internet has experienced a variety of outages and other delays as a result of damages to portions of its infrastructure, denial-of-service attacks or related cyber incidents, and it could face outages and delays in the future, potentially reducing the availability of the Internet to us or our customers for delivery of our Internet-based services. Any resulting interruptions in our services or the ability of our customers to access our services could result in a loss of potential or existing customers and harm our business. Additionally, regulatory actions in certain countries may limit access to the Internet or change the legal protections available to businesses that depend on the Internet for the delivery of their services, which would negatively impact access to our services, increase our risk or add liabilities, impede our growth, productivity and operational effectiveness, result in the loss of potential or existing customers and harm our business. We have implemented policies to identify and address potentially impermissible transactions under such laws and regulations; however, there can be no assurance that all of our and our subsidiaries’ employees, consultants, and agents, including those that may be based in or from countries where practices that violate US or other laws may be customary, will not take actions in violation of our policies, for which we may be ultimately responsible.

Some of the work we do involves greater risks than other types of claims processing or document management engagements.

We provide certain business process solutions for customers that, for financial, legal or other reasons, may present higher risks compared to other types of claims processing or document management engagements. Examples of higher risk engagements include class action and other legal distributions involving significant sums of money, economic analysis and expert testimony in high stakes legal matters, and engagements where we receive or process sensitive data, including personal consumer or private health information. Examples of higher risk engagements include, but are not limited to:●class action and other legal distributions involving significant sums of money;●economic analysis and expert testimony in high stakes legal matters; and●engagements where we receive or process sensitive data, including personal consumer or private health information.

While we attempt to identify higher risk engagements and customers and mitigate our exposure by taking certain preventive measures and, where necessary, turning down certain engagements, these efforts may be ineffective and an actual or alleged error or omission on our part, the part of our customer or other third parties or possible fraudulent activity in one or more of these higher-risk engagements could result in the diversion of management resources, damage to our reputation, increased service costs or impaired market acceptance of our services, any of which could negatively impact our business and our financial condition.

Our business could be materially and adversely affected if we do not protect our intellectual property or if our services are found to infringe on the intellectual property of others.

Our success depends in part on certain methodologies and practices we utilize in developing and implementing applications and other proprietary intellectual property rights. In order to protect such rights, we rely upon a combination of nondisclosure and other contractual arrangements, as well as trade secret, copyright, trademark and patent laws. We also generally enter into confidentiality agreements with our employees, customers and potential customers and limit access to and distribution of our proprietary information. There can be no assurance that the laws, rules, regulations and treaties in effect in the U.S., India and the other jurisdictions in which we operate and the contractual and other protective measures we take are adequate to protect us from misappropriation or unauthorized use of our intellectual property, or that such laws will not change. There can be no assurance that the resources invested by us to protect our intellectual property will be sufficient or that our intellectual property portfolio will adequately deter misappropriation or improper use of our technology, and our intellectual property rights may not prevent competitors from independently developing or selling products and services similar to or duplicative of ours. We may not be able to detect unauthorized use and take appropriate steps to enforce our rights, and any such steps may be costly and unsuccessful. Infringement by others of our intellectual property, including the costs of enforcing our intellectual property rights, may have a material

30

Table of Contents

adverse effect on our business, results of operations and financial condition. We could also face competition in some countries where we have not invested in an intellectual property portfolio. If we are not able to protect our intellectual property, the value of our brand and other intangible assets may be diminished, and our business may be adversely affected. Further, although we believe that we are not infringing on the intellectual property rights of others, claims may nonetheless be successfully asserted against us in the future, and we may be the target of enforcement of patents or other intellectual property by third parties, including aggressive and opportunistic enforcement claims by non-practicing entities. Regardless of the merit of such claims, responding to infringement claims can be expensive and time-consuming. If we are found to infringe any third-party rights, we could be required to pay substantial damages or we could be enjoined from offering some of our products and services. The costs of defending any such claims could be significant, and any successful claim may require us to modify our services. The value of, or our ability to use, our intellectual property may also be negatively impacted by dependencies on third parties, such as our ability to obtain or renew on reasonable terms licenses that we need in the future, or our ability to secure or retain ownership or rights to use data in certain software analytics or services offerings. Any such circumstances may have a material adverse effect on our business, results of operations and financial condition.

Our revenues are highly dependent on a limited number of industries, and any decrease in demand for business process solutions in these industries could reduce our revenues and adversely affect the results of operations.

A substantial portion of our revenues are derived from three specific industry based segments: ITPS, HS, and LLPS. Customers in ITPS accounted for 68.8% and 71.0% of our revenues in 2023 and 2022, respectively. Customers in HS accounted for 23.6% and 22.2% of our revenues in 2023 and 2022, respectively. Customers in HS accounted for 22.2% and 18.7% of our revenues in 2022 and 2021, respectively. Customers in LLPS accounted for 7.6% and 6.8% of our revenues in 2023 and 2022, respectively. Our success largely depends on continued demand for our services from customers in these segments, and a downturn or reversal of the demand for business process solutions in any of these segments, or the introduction of regulations that restrict or discourage companies from engaging our services, could materially adversely affect our business, financial condition and results of operations. For example, consolidation in any of these industries or combinations or mergers, particularly involving our customers, may decrease the potential number of customers for our services. We have been affected by the worsening of economic conditions and significant consolidation in the financial services industry and continuation of this trend may negatively affect our revenues and profitability.

We derive significant revenue and profit from commercial and government contracts awarded through competitive bidding processes, including renewals, which can impose substantial costs on us, and we will not achieve revenue and profit objectives if we fail to accurately and effectively bid on such projects. In addition, even if bids are won and we are awarded a contract, revenue and profit objectives may not be achieved due to a number of factors outside our control, including cases where an applicable contract or framework arrangement does not guarantee transaction volume.

Many of the contracts we are awarded through competitive bidding procedures are extremely complex and require the investment of significant resources in order to prepare accurate bids and proposals. Competitive bidding imposes substantial costs and presents a number of risks that may adversely affect our financial position, including: (i) the substantial cost and managerial time and effort that we spend to prepare bids and proposals for contracts that may or may not be awarded to us; (ii) the need to estimate accurately the resources and costs that will be required to implement and service any contracts we are awarded, sometimes in advance of the final determination of their full scope and design; (iii) the expense and delay that may arise if our competitors protest or challenge awards made to us pursuant to competitive bidding and the risk that such protests or challenges could result in the requirement to resubmit bids and in the termination, reduction or modification of the awarded contracts, or may eventually lead to litigation; and (iv) the opportunity cost of not bidding on and winning other contracts we might otherwise pursue. Competitive bidding imposes substantial costs and presents a number of risks, including: (i) the substantial cost and managerial time and effort that we spend to prepare bids and proposals for contracts that may or may not be awarded to us; (ii) the need to estimate accurately the resources and costs that will be required to implement and service any contracts we are awarded, sometimes in advance of the final determination of their full scope and design; (iii) the expense and delay that may arise if our competitors protest or challenge awards made to us pursuant to competitive bidding and the risk that such protests or challenges could result in the requirement to resubmit bids and in the termination, reduction or modification of the awarded contracts; and (iv) the opportunity cost of not bidding on and winning other contracts we might otherwise pursue.

Our profitability is dependent upon our ability to obtain adequate pricing for our services and to improve our cost structure.

Our success depends on our ability to obtain adequate pricing for our services. Depending on competitive market factors, future prices we obtain for our services may decline from previous levels. If we are unable to obtain adequate pricing for our services, it could materially adversely affect our results of operations and financial condition. In

31

Table of Contents

addition, our contracts are increasingly requiring tighter timelines for implementation as well as more stringent service level metrics. This makes the bidding process for new contracts much more difficult and requires us to adequately consider these requirements in the pricing of our services.

We, from time to time, engage in restructuring actions to reduce our cost structure. We, from time to time, engage in restructuring actions to reduce our cost structure. If we are unable to continue to maintain our cost base at or below the current level and maintain process and systems changes resulting from prior restructuring actions or to realize the expected cost reductions in the ongoing strategic transformation program, it could materially adversely affect our results of operations and financial condition. In addition, in order to meet the service requirements of our customers, which often includes 24/7 service, and to optimize our employee cost base, including our back-office support, we often locate our delivery service and back-office support centers in lower-cost locations, including several developing countries. Concentrating our centers in these locations presents a number of operational risks, many of which are beyond our control, including the risks of political instability, natural disasters, safety and security risks, labor disruptions, excessive employee turnover and rising labor rates. Additionally, a change in the political environment in the U.S. or the adoption and enforcement of legislation and regulations curbing the use of such centers outside of the U.S. could materially adversely affect our results of operations and financial condition. These risks could impair our ability to effectively provide services to our customers and keep our costs aligned to our associated revenues and market requirements.

Our ability to sustain and improve profit margins is dependent on a number of factors, including our ability to continue to improve the cost efficiency of our operations through such programs as robotic process automation, to absorb the level of pricing pressures on our services through cost improvements and to successfully complete information technology initiatives. If any of these factors adversely materialize or if we are unable to achieve and maintain productivity improvements through restructuring actions or information technology initiatives, our ability to offset labor cost inflation and competitive price pressures would be impaired, each of which could materially adversely affect our results of operations and financial condition.

Defects or disruptions in our services could diminish demand for our services and subject us to substantial liability.

Since our customers use our services for important aspects of their business, any errors, defects, disruptions in service or other performance problems could hurt our reputation and may damage our customers’ businesses. As a result, customers could elect to not renew our services or delay or withhold payment to us. We could also lose future sales or customers may make warranty or other claims against us, which could result in an increase in our allowance for expected credit losses, an increase in collection cycles for accounts receivable or the expense and risk of litigation.

We are subject to regular customer and third-party security reviews and failure to pass these may have an adverse impact on our operations.

Many of our customer contracts require that we maintain certain physical and/or information security standards, and, in certain cases, we permit a customer to audit our compliance with these contractual standards. Any failure to meet such standards or pass such audits may have a material adverse impact on our business. Further, customers from time to time may require stricter physical and/or information security than they negotiated in their contracts, and may condition continued volumes and business on the satisfaction of such additional requirements. Some of these requirements may be expensive to implement or maintain, and may not be factored into our contract pricing. Further, on an annual basis we obtain third-party audits of certain of our locations in accordance with Statement on Standards for Attestation Engagements No. 16 (SSAE 16) put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). SSAE 16 is the current standard for reporting on controls at service organizations, and many of our customers expect that we will perform an annual SSAE 16 audit, and report to them the results. Negative findings in such an audit and/or the failure to adequately remediate in a timely fashion such negative findings may cause customers to terminate their contracts or otherwise have a material adverse effect on our reputation, results of operation and financial condition.

32

Table of Contents

Cybersecurity issues, vulnerabilities, and criminal activity resulting in a data or security breach could result in risks to our systems, networks, products, solutions and services resulting in liability or reputational damage.

We collect and retain large volumes of internal and customer data, including personally identifiable information and other sensitive data both physically and electronically, for business purposes, and our various information technology systems enter, process, summarize and report such data. We also maintain personally identifiable information about our employees. Safeguarding customer, employee and our own data is a key priority for us, and our customers and employees have come to rely on us for the protection of their information. Despite our efforts to protect sensitive, confidential or personal data or information, we can provide no assurances that our security measures designed to protect our customers’ and our customers’ customers’ data will always be effective. Our services and underlying infrastructure may in the future be materially breached or compromised as a result of the following:

These risks are mitigated, to the extent possible, by enhanced processes and internal security controls. However, our ability to mitigate these risks may be impacted by the following:

33

Table of Contents

Yet, we remain vulnerable to such threats. A security breach or incident could result in unauthorized parties obtaining access to, or the denial of authorized access to, our IT systems or data, or our customers’ systems or data, including intellectual property and proprietary, sensitive or other confidential information. A security breach could also result in a loss of confidence in the security of our services, damage our reputation, negatively impact our future sales, disrupt our business and lead to increases in insurance premiums and legal, regulatory and financial exposure and liability. As an example in June 2022 we experienced a network outage which required us, among other things, to incur costs to respond to the incident and to limit access to our applications and services by our employees and customers. We believe the June 2022 network outage caused some of our customers to reduce volumes, look for alternate vendors and consider other providers for new requirements resulting in claims against us and lost revenue. Finally, the detection, prevention and remediation of known or potential security vulnerabilities, including those arising from third-party hardware or software, may result in additional financial burdens due to additional direct and indirect costs, such as additional infrastructure capacity spending to mitigate any system degradation and the reallocation of resources from development activities.

The use or capabilities of AI in our offerings may result in increased costs, and reputational harm and liability.

​

We are increasingly building AI into many of our offerings. As with many innovations, AI presents additional risks and challenges that could affect our business. If we enable or offer solutions that draw controversy due to their perceived or actual impact on human rights, privacy, employment, or in other social contexts, we may experience reputational harm, competitive harm or legal liability. Data practices by us or others that result in controversy could also impair the acceptance of AI solutions. This in turn could undermine the decisions, predictions or analysis AI applications produce, subjecting us to competitive harm, legal liability or reputational harm. The rapid evolution of AI will require the application of resources to develop, test and maintain our products and services to help ensure that AI is implemented ethically in order to minimize unintended, harmful impact. Uncertainty around new and emerging AI applications such as generative AI content creation may require additional investment in the development of proprietary datasets, machine learning models and systems to test for accuracy, bias and other variables, which are often complex, may be costly and could impact our profit margin as we decide to further expand generative AI into our product offerings.

Currency fluctuations among the Euro, British Pound, Swedish Krona, Indian rupee, the Philippine Peso, the Mexican Peso, the Canadian Dollar and the U.S. Dollar could have a material adverse effect on our results of operations.

The functional currencies of our businesses outside of the U.S. are the local currencies. Changes in exchange rates between these foreign currencies and the U.S. Dollar will affect the recorded levels of our assets, liabilities, net sales, cost of goods sold and operating margins and could result in exchange gains or losses. The primary foreign currencies to which we have exposure are the European Union Euro, Swedish Krona, British Pound Sterling, Canadian Dollar and Indian rupees. Exchange rates between these currencies and the U.S. Dollar in recent years have fluctuated significantly and may do so in the future. Our operating results and profitability may be affected by any volatility in currency exchange rates and our ability to manage effectively currency transaction and translation risks. To the extent the U.S. Dollar strengthens against foreign currencies, our foreign revenues and profits will be reduced when converted into and reported in U.S. Dollars.

Although the vast majority of our revenues are denominated in U.S. dollars, a significant portion of our expenses are incurred and paid in Euros, British Pound Sterling, Swedish Krona, Indian rupees, and to a lesser extent in other currencies, including the Philippine Peso, the Mexican Peso and the Canadian dollar. We report our financial results in U.S. Dollars. The exchange rate between the Indian rupee and the U.S. Dollar has changed substantially in recent years and may fluctuate substantially in the future. Our results of operations may be adversely affected if such fluctuations continue, or increase, or other currencies fluctuate significantly against the U.S. Dollar. Further, although we

34

Table of Contents

do not currently take steps to hedge our foreign currency exposures, should we choose in the future to implement a hedging strategy, there can be no assurance that our hedging strategy will be successful.

Fluctuations in the costs of paper, ink, energy, by-products and other raw materials may adversely impact the results of our operations.

Purchases of paper, ink, energy and other raw materials represent a large portion of our costs. Increases in the costs of these inputs may increase our costs and we may not be able to pass these costs on to customers through higher prices. In addition, we may not be able to resell waste paper and other print-related by-products or may be adversely impacted by decreases in the prices for these by-products. Increases in the cost of materials may adversely impact customers’ demand for our printing and printing-related services.

Sales tax laws in the U.S. may change resulting in service providers having to collect sales taxes in states where the current laws do not require us to do so. This could result in substantial tax liabilities.

Our U.S. subsidiaries collect and remit sales tax in states in which the subsidiaries have physical presence or in which we believe sufficient nexus exists which obligates us to collect sales tax. Other states may, from time to time, claim that we have state-related activities constituting physical nexus to require such collection. Additionally, many other states seek to impose sales tax collection or reporting obligations on companies that sell goods to customers in their state, or directly to the state and its political subdivisions, regardless of physical presence. Such efforts by states have increased recently, as states seek to raise revenues without increasing the income tax burden on residents. We cannot predict whether the nature or level of contacts we have with a particular state will be deemed enough to require us to collect sales tax in that state nor can we be assured that Congress or individual states will not approve legislation authorizing states to impose tax collection or reporting obligations on our activities. A successful assertion by one or more states that we should collect sales tax could result in substantial tax liabilities related to past sales and would result in considerable administrative burdens and costs for us.

We are subject to laws of the United States and foreign jurisdictions relating to processing certain financial transactions, including payment card transactions and debit or credit card transactions, and failure to comply with those laws could subject us to legal actions and materially adversely affect our results of operations and financial condition.

​

We process, support and execute financial transactions, and disburse funds, on behalf of both government and commercial customers, often in partnership with financial institutions. This activity includes receiving debit and credit card information, processing payments for and due to our customers and disbursing funds on payment or debit cards to payees of our customers. As a result, the transactions we process may be subject to numerous United States (both federal and state) and foreign jurisdiction laws and regulations, including the Electronic Fund Transfer Act, as amended, the Currency and Foreign Transactions Reporting Act of 1970 (commonly known as the Bank Secrecy Act), as amended, the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, as amended, the Gramm-Leach-Bliley Act, as amended, and the USA PATRIOT ACT of 2001, as amended. Other United States (both federal and state) and foreign jurisdiction laws apply to our processing of certain financial transactions and related support services. These laws are subject to frequent changes, and new statutes and regulations in this area may be enacted at any time. Changes to existing laws, the introduction of new laws in this area or failure to comply with existing laws that are applicable to us may subject us to, among other things, additional costs or changes to our business practices, liability for monetary damages, fines and/or criminal prosecution, unfavorable publicity, restrictions on our ability to process and support financial transactions and allegations by our customers, partners and clients that we have not performed our contractual obligations. Any of these could materially adversely affect our results of operations and financial condition.

As a smaller reporting company, we are subject to scaled disclosure requirements that may make it more challenging for investors to analyze our results of operations and financial prospects and certain investors may find investing in our securities less attractive.

Currently, we are a “smaller reporting company,” as defined by Rule 12b-2 of the Exchange Act. As a “smaller reporting company,” we are able to provide simplified executive compensation disclosures in our filings and have certain

35

Table of Contents

other decreased disclosure obligations in our filings with the SEC, including being required to provide only two years of audited financial statements in annual reports. Consequently, it may be more challenging for investors to analyze our results of operations and financial prospects.

Furthermore, we are a non-accelerated filer as defined by Rule 12b-2 of the Exchange Act, and, as such, are not required to provide an auditor attestation of management’s assessment of internal control over financial reporting, which is generally required for SEC reporting companies under Section 404(b) of the Sarbanes-Oxley Act. Because we are not required to, and have not, had our auditor’s provide an attestation of our management’s assessment of internal control over financial reporting, a material weakness in internal controls may remain undetected for a longer period. If some investors find our securities less attractive as a result, there may be a less active trading market for our securities and their market price may be more volatile.

If we fail to maintain an effective system of disclosure controls and internal control over financial reporting, our ability to produce timely and accurate financial statements or comply with applicable regulations could be impaired.

As a public company, we are subject to the reporting requirements of the Exchange Act, the Sarbanes-Oxley Act of 2002, as amended (the "Sarbanes-Oxley Act"), and the listing standards of the Nasdaq.​As a public company, we are subject to the reporting requirements of the Exchange Act, the Sarbanes-Oxley Act of 2002, as amended (the "Sarbanes-Oxley Act"), and the listing standards of the Nasdaq. We expect that the requirements of these rules and regulations will continue to increase our legal, accounting and financial compliance costs, make some activities more difficult, time consuming and costly, and place significant strain on our personnel, systems and resources. The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. We are continuing to develop and refine our disclosure controls and other procedures that are designed to ensure that information required to be disclosed by us in the reports that we will file with the SEC is recorded, processed, summarized and reported within the time periods specified in SEC rules and forms, and that information required to be disclosed in reports under the Exchange Act is accumulated and communicated to our principal executive and financial officers. We are continuing to develop and refine our disclosure controls and other 35 Table of Contentsprocedures that are designed to ensure that information required to be disclosed by us in the reports that we will file with the SEC is recorded, processed, summarized and reported within the time periods specified in SEC rules and forms, and that information required to be disclosed in reports under the Exchange Act is accumulated and communicated to our principal executive and financial officers. In order to maintain and improve the effectiveness of our disclosure controls and procedures and internal control over financial reporting, we have expended, and anticipate that we will continue to expend, significant resources, including accounting-related costs and significant management oversight.

Our current controls and any new controls that we develop may become inadequate because of changes in conditions in our business. Further, deficiencies in our disclosure controls or our internal control over financial reporting may be discovered in the future. Any failure to develop or maintain effective controls, or any difficulties encountered in their implementation or improvement, could harm our operating results or cause us to fail to meet our reporting obligations and may result in a restatement of our financial statements for prior periods. Any failure to implement and maintain effective internal control over financial reporting also could adversely affect the results of management evaluations of our internal control over financial reporting that we are required to include in our periodic reports that we file with the SEC. Ineffective disclosure controls and procedures and internal control over financial reporting could also cause investors to lose confidence in our reported financial and other information, which would likely have a negative effect on the trading price of our Common Stock. In addition, if we are unable to meet these requirements, we may not be able to remain listed on the Nasdaq.

Management assessed the effectiveness of our internal control over financial reporting as of December 31, 2023 and based on its assessment, our management, including our Executive Chairman and Interim Chief Financial Officer, has concluded that our internal control over financial reporting was not effective as of December 31, 2023 due to material weaknesses in our internal control over financial reporting.Management assessed the effectiveness of our internal control over financial reporting as of December 31, 2022 and based on its assessment, our management, including our Executive Chairman and Chief Financial Officer, has concluded that our internal control over financial reporting was not effective as of December 31, 2022 due to material weaknesses in our internal control over financial reporting. For more information, see Part II—Item 9A—Controls and Procedures of the Annual Report. For more information, see Part II—Item 9A—Controls and Procedures of the Annual Report.

Any failure to maintain effective disclosure controls and internal control over financial reporting could have a material and adverse effect on our business and operating results and cause a decline in the price of our Common Stock.

Internal control matters are more fully discussed in Part II—Item 9A—Controls and Procedures of the Annual Report.

Certain of our subsidiaries completed a business combination with a SPAC, which resulted in our EMEA business operating as a separate public company.Certain of our subsidiaries have entered into an agreement with a SPAC, which will result in our EMEA business operating as a separate public company.

36

Table of Contents

On November 29, 2023, the Company completed the merger of its European business with CFFE. The combined company now operates as XBP Europe. We indirectly own a majority of the outstanding capital stock of XBP and control the majority of the board of directors of that entity. In addition certain of our employees and officers continue to serve our EMEA business. In addition certain of our employees and officers will be employed by and continue to serve our EMEA business. There can be no assurances that we will continue to own a control position in XPB Europe either as a result of dilution or a decision by us, in the future, to exit all or a portion of our position. Since XBP Europe has begun operating as a standalone public company, we have faced additional reporting and other obligations imposed by various rules and regulations applicable to public companies. Increased legal and financial compliance costs related to XBP Europe could potentially have an adverse effect on the Company’s revenue growth and profit margins.

General Risk Factors

Our results of operations could be adversely affected by economic and political conditions, creating complex risks, many of which are beyond our control.

Our business depends on the continued demand for our services. If global economic conditions worsen, our business could be adversely affected. Along with our customers we are subject to global political, economic and market conditions, including inflation, interest rates, energy costs, the impact of natural disasters, disease, military action and the threat of terrorism. Along with our customers we are subject to global political, economic and market conditions, including inflation, 36 Table of Contentsinterest rates, energy costs, the impact of natural disasters, disease, military action and the threat of terrorism. Our revenue heavily depends on customers in North America and EMEA. Economic downturns like those we recently experienced as a result of COVID-19, could result in decreased demand for our services. Other developments such as consolidations, restructurings or reorganizations, particularly involving our customers, could also cause the demand for our services to decline. We may not be able to plan effectively for or respond to such impact. To adapt we have undertaken or may undertake initiatives to reduce our cost structure, such as consolidation of resources to provide region-wide support to our international subsidiaries in a centralized fashion. Any future workforce and/or facility reductions that may be implemented will be subject to local employment laws which may impose expenses and logistical challenges in connection with any such workforce reductions, and the costs actually incurred may prove higher than our anticipated cost savings in undertaking those initiatives. Any future workforce and/or facility reductions that may be implemented will be subject to local employment laws which may impose expenses and logistical challenges in connection with any such workforce reductions. In addition, future disruptions in the global credit markets may adversely affect our liquidity and financial condition, and the liquidity and financial condition of our customers.In addition, any future disruptions or turbulence in the global credit markets may adversely affect our liquidity and financial condition, and the liquidity and financial condition of our customers. Such disruptions may limit our ability to access or increase the cost of financing needed to meet liquidity needs and affect the ability of our customers to use credit to purchase our services or to make timely payments to us. Such disruptions may limit our ability to access financing, increase the cost of financing needed to meet liquidity needs and affect the ability of our customers to use credit to purchase our services or to make timely payments to us, adversely affecting our financial condition and results of operations.

Our industry may be adversely impacted by a negative public reaction in the U.S. and elsewhere to providing certain of our services from outside the U.S. and related legislation.

We have based our strategy of future growth on certain assumptions regarding our industry and future demand in the market for the provision of business process solutions in part using offshore resources. However, providing services from offshore locations is a politically sensitive topic due to a perceived association between offshore service providers and the loss of jobs in their home countries. However, providing services from offshore locations is a politically sensitive topic in the US and elsewhere, and many organizations and public figures have publicly expressed concern about a perceived association between offshore service providers and the loss of jobs in their home countries. In addition, there has been some negative publicity about the experience of certain companies that provide their services offshore, particularly in India. The trend of providing business process solutions offshore may not continue and could reverse if companies elect to develop and perform their business processes internally or are discouraged from transferring these services to offshore service providers. Any slowdown or reversal of existing industry trends could harm our business and could have a material adverse effect on our business, results of operations, financial condition and cash flows. Any slowdown or reversal of existing industry trends could negatively affect the amount of business that we are able to obtain or retain and could have a material and adverse effect on our business, results of operations, financial condition and cash flows.

If we fail to attract, train and retain skilled professionals, including highly skilled technical personnel to satisfy customer demand and senior management to lead our business globally, or our labor expenses increase, our business and results of operations will be materially adversely affected.If we are unable to attract, train and retain skilled professionals, including highly skilled technical personnel to satisfy customer demand and senior management to lead our business globally or our labor expenses increase, our business and results of operations may be materially adversely affected.

Our success relies on our ability to retain skilled professionals, including project managers, IT engineers and senior technical personnel to meet sufficient to meet customer demand and on our ability to attract and retain senior management to lead our business globally.We collect and retain large volumes of internal and customer data, including personally identifiable information and other sensitive data both physically and electronically, for business purposes, and our various information technology systems enter, process, summarize and report such data. Competition for skilled labor is intense and the costs associated with recruiting and training employees can be significant. Increased labor costs due to competition, increased minimum wage or employee benefits costs (including various federal, state and local actions to increase minimum wages), unionization activity or other factors would adversely impact our cost of sales and operating expenses.Increased labor costs due to competition, increased minimum wage or employee benefits costs (including various federal, state and local actions to increase minimum wages), unionization activity or other factors would adversely impact our cost of sales and operating expenses. For example, as minimum

37

Table of Contents

wage rates increase, we may need to increase not only the wages of our minimum wage employees but also the wages paid to employees at wage rates that are above minimum wage.

We are also subject to applicable rules and regulations relating to our relationship with our employees, including minimum wage and break requirements, health benefits, unemployment and sales taxes, overtime, and working conditions and immigration status. Legislated increases in the minimum wage and increases in additional labor cost components, such as employee benefit costs, workers’ compensation insurance rates, compliance costs and fines, as well as the cost of litigation in connection with these regulations, would increase our labor costs. Should employees become represented by unions, we would be obligated to bargain with those unions with respect to wages, hours, and other terms and conditions of employment, which could increase our labor costs. Should our employees become represented by unions, we would be obligated to bargain with those unions with respect to wages, hours, and other terms and conditions of employment, which could increase our labor costs. In addition, many employers have been subject to actions brought by governmental agencies and private individuals under wage-hour laws on a variety of claims, such as improper classification of workers as exempt from overtime pay requirements and failure to pay overtime wages or record breaks properly, with such actions sometimes brought as class actions or under “private attorney general” statutes. Employment litigation risks, including wage-hour disputes, could result in substantial liabilities and expenses, diverting management attention and elevating labor costs. If costs of labor increase significantly, our business, results of operations, and financial condition will be adversely affected.

Failure to comply with data privacy and data protection laws in processing and transferring personal data across jurisdictions may subject us to penalties and other adverse consequences, and the enactment of more stringent data privacy and data protection laws may increase its compliance costs.

Our failure to address privacy and security concerns could result in expenses and liabilities, and have an adverse impact on us.Any inability to adequately address privacy and security concerns could result in expenses and liabilities, and an adverse impact on us. Privacy and data security regulations continue to become more complex and have greater consequences. For example, Europe’s General Data Protection Regulation, or GDPR, imposes several stringent requirements for controllers and processors of personal data, including, higher standards for obtaining consent from individuals to process their personal data, more robust disclosures to individuals and a strengthened individual data rights regime, and shortened timelines for data breach notifications. Failure to comply with the requirements of the GDPR and the applicable national data protection laws of the European Union member states may result in fines of up to €20,000,000 or up to 4% of the total worldwide annual turnover of the preceding financial year.

In addition, new domestic data privacy laws, such as the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act and the Utah Consumer Privacy Act similarly impose or may impose new obligations on us and many of our customers, potentially as both businesses and service providers. These laws continue to evolve, and as various states introduce similar proposals, we and our customers could be exposed to additional regulatory burdens.

Although we monitor the regulatory, judicial and legislative environment and have invested in addressing these developments, these laws may require us to make additional changes to our practices and services to enable us or our customers to meet the new legal requirements, and may also increase our potential liability exposure through new or higher potential penalties for noncompliance. Furthermore, privacy laws and regulations are subject to differing interpretations and may be inconsistent among jurisdictions. In addition to government activity, privacy advocates and other industry groups have established or may establish new self-regulatory standards that may place additional burdens on our ability to provide our services globally. In addition to any legal liability, data or security breaches may lead to negative publicity, reputational damage and otherwise adversely affect our business, financial condition and results of our operations. Our customers expect us to meet voluntary certification and other standards established by third parties, such as PCIDSS. If we are unable to maintain these certifications or meet these standards, it could adversely affect our ability to provide our solutions to certain customers and could harm our business. If we are unable to compete successfully, we could lose market share and important customers to our competitors and that could materially adversely affect our results of operations and financial condition.

The costs of compliance with, and other burdens imposed by, privacy laws, regulations and standards may limit the use and adoption of our services, reduce overall demand for our services, make it more difficult to meet expectations from our commitments to customers and our customers’ customers, lead to significant fines, penalties or liabilities for noncompliance, impact our reputation, or slow the pace at which we close sales transactions, in particular where customers request specific warranties and unlimited indemnity for noncompliance with privacy laws, any of which could harm our business.

38

Table of Contents

Furthermore, the uncertain and shifting regulatory environment may cause our customers or our customers’ customers to resist providing the data necessary to allow our customers to use our services effectively. In addition, new services we develop or acquire in connection with changing events may expose us to liability or regulatory risk. Even the perception that the privacy and security of personal information are not satisfactorily protected or do not meet regulatory requirements could inhibit sales of our products or services and could limit adoption of our cloud-based solutions.

Failure to comply with the U.S. Foreign Corrupt Practices Act, or the FCPA, economic and trade sanctions, regulations, and similar laws could subject us to penalties and other adverse consequences.

We operate internationally and are subject to anti-corruption laws and regulations, including the FCPA, the U.We operate internationally, and we are subject to anti-corruption laws and regulations, including the FCPA, the U. K. Bribery Act and other laws that prohibit the making or offering of improper payments to foreign government officials and political figures. Bribery Act and other laws that prohibit the making or offering of improper payments to foreign government officials and political figures, including anti-bribery provisions enforced by the Department of Justice and accounting provisions enforced by the SEC. These laws prohibit improper payments or offers of payments to foreign governments and their officials and political parties for the purpose of obtaining or retaining business. These laws prohibit improper payments or offers of payments to foreign governments and their officials and political parties by the US and other business entities for the purpose of obtaining or retaining business. We are also subject to certain economic and trade sanctions programs which prohibit or restrict transactions to or from or dealings with specified countries, their governments, and in certain circumstances, their nationals, and with individuals and entities that are specially-designated nationals of those countries, narcotics traffickers, and terrorists or terrorist organizations. We are also subject to certain economic and trade sanctions programs that are administered by the Department of Treasury’s Office of Foreign Assets Control, or OFAC, which prohibit or restrict transactions to or from or dealings with specified countries, their governments, and in certain circumstances, their nationals, and with individuals and entities that are specially-designated nationals of those countries, narcotics traffickers, and terrorists or terrorist organizations. We have implemented policies to identify and address potentially impermissible transactions under such laws and regulations; however, there can be no assurance that all of our and our subsidiaries’ employees, consultants, and agents will not take actions in violation of our policies for which we may be ultimately responsible. We have implemented policies to identify and address potentially impermissible transactions under such laws and regulations; however, there can be no assurance that all of our and our subsidiaries’ employees, consultants, and agents, including those that may be based in or from countries where practices that violate US or other laws may be customary, will not take actions in violation of our policies, for which we may be ultimately responsible.

Changes in laws or regulations, or a failure to comply with any laws and regulations, may adversely affect our business, investments and results of operations.

We are subject to laws, regulations and rules enacted by national, regional and local governments and Nasdaq. Compliance with applicable laws, regulations and rules may be difficult, time consuming and costly. Compliance with, and monitoring of, applicable laws, regulations and rules may be difficult, time consuming and costly. Those laws, regulations and rules and their interpretation and application may also change from time to time and any failure to comply with applicable laws, regulations and rules, as interpreted and applied, could have a material adverse effect on our business and results of operations. Those laws, regulations and rules and their interpretation and application may also change from time to time and those changes could have a material adverse effect on our business, investments and results of operations.

​

In addition, our customers conduct business in a variety of industries, including financial services, the public sector, healthcare and telecommunications. Regulators have adopted and may in the future adopt regulations or interpretive positions regarding the use of cloud computing and other outsourced services. The costs of compliance with and other burdens imposed by industry-specific laws, regulations and interpretive positions may limit our customers’ use and adoption of our services and reduce overall demand for our services. Compliance with these regulations may also require us to devote greater resources to support certain customers increasing costs and lengthening sales cycles. If we are unable to comply with these guidelines or controls, or if our customers are unable to obtain regulatory approval to use our services where required, our business may be harmed.

​

We operate in a number of jurisdictions and, as a result, may incur additional expenses in order to comply with the laws of those jurisdictions.

Our business operates globally, and is required to comply with the laws of multiple jurisdictions. These laws regulating the internet, payments, payments processing, privacy, taxation, terms of service, website accessibility, consumer protection, intellectual property ownership, services intermediaries, labor and employment, wages and hours, worker classification, background checks, and recruiting and staffing companies, among others, could be interpreted to apply to us, and could result in greater rights to competitors, users, and other third parties. Compliance with these laws and regulations may be costly, and at times, may require us to change our business practices or restrict our product offerings, and the imposition of any such laws or regulations on us, our clients, or third parties that we or our clients utilize to provide or use our services, may adversely impact our revenue and business. In addition, we may be subject to multiple overlapping legal or regulatory regimes that impose conflicting requirements and enhanced legal risks.

​

39

Table of Contents

ITEM 1B. UNRESOLVED STAFF COMMENTS

None.

ITEM 1C.ITEM 1A. CYBERSECURITY

Risk Management and Strategy

Exela has developed and maintained a comprehensive cybersecurity program which is integrated within Exela’s enterprise risk management program and encompasses the corporate and operational technology environments, as well as client-facing products and services. Our cybersecurity program has implemented a governance structure and process to identify, assess, manage, mitigate, respond to and report on cybersecurity incidents and risks within an ever-changing threat landscape. We utilize cybersecurity policies and frameworks based on industry and government standards, including the National Institute of Standards and Technology Cyber Security Framework (“NIST CSF”). This does not imply that we meet any particular technical standards, specifications, or requirements, but rather that we use NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

Our cybersecurity program includes an incident response plan, which establishes (1) a framework for classifying security incidents according to their severity level, taking into account the nature and scope of the incident; and (2) protocols for the escalation of incident. Exela owns and operates a 24 x 7 security operations center (“SOC”) which monitors our global cybersecurity solutions and production environments, and serves as a central location for the reporting of cybersecurity matters. The roles and responsibilities of the SOC and our cybersecurity team in the incident response context are established by the incident response plan, as well as in associated playbooks and other procedural documentation

We partner with third parties to support and evaluate our cybersecurity program including cybersecurity maturity assessments, incident response, penetration testing and consulting on best practices. Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those who have access to our data or our systems. Third-party risks are included within our risk assessment of vendors, as well as our cybersecurity-specific risk identification program. In addition, cybersecurity considerations affect the selection and oversight of third-party service providers. We perform diligence on third parties, particularly those that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence.

The Company has implemented a cybersecurity awareness program which covers topics such as phishing, social networking safety, password security and mobile device usage. We regularly communicate these and other pertinent security issues or compliance across our organization. Additionally, Exela has mandatory security awareness training addressing cybersecurity, privacy and confidential information.

In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. In June 2022, we experienced a previously disclosed network outage which required us to, among other things, limit access to our applications and services by our employees and customers. In response, we incurred considerable costs to restore the security of our internal systems and networks and adopted various enhancements. Please refer to “Item 1A. Risk Factors” for further information about the material risks associated with various cybersecurity threats.

Governance

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to its Audit Committee oversight of cybersecurity and other information technology risks. Our Audit Committee oversees management’s ongoing activities related to our cybersecurity risk management and compliance programs.

Our cybersecurity program is led by our Chief Technology Officer (“CTO”), who has two decades of experience in various cybersecurity, software development, product management, and other technology-related roles. Our CTO

40

Table of Contents

oversees teams across the company supporting our security functions of identify, prevent, detect, respond, and recover. These teams are comprised of personnel with a broad range of experience across the private and public sectors, the technology industry, and different geographic regions.

Our Audit Committee receives periodic reports from our CTO and management on our cybersecurity risks and the current threat landscape trends. In addition, management will update the Board directly, as necessary, regarding cybersecurity incidents. The full Board also receives presentations on cybersecurity topics from our CTO and other security management staff as part of the Board’s continuing oversight of topics that impact the Company.