Risk Factors Dashboard
Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.
View risk factors by ticker
Search filings by term
Risk Factors - LPSN
-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing
Item 1A., “Risk Factors.” It is routine for our internal projections and expectations to change as the year or each quarter in the year progresses, and therefore it should be clearly understood that the internal projections and beliefs upon which we base our expectations may change prior to the end of each quarter or the year. Although these expectations may change, we are under no obligation to inform you if they do. Our policy is generally to provide our expectations only once per quarter, and not to update that information until the next quarter. We do not undertake any obligation to revise forward-looking statements to reflect future events or circumstances. All forward-looking statements are made pursuant to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995.
The Company has implemented and maintains a cybersecurity program governed by an information security team responsible for managing and directing strategy, policy, standards, architecture, controls, and processes. The cybersecurity program is underpinned by a cybersecurity risk management framework designed to identify and prioritize cybersecurity risks to the Company and is overseen by our Board of Directors.
The Company actively engages with key vendors and industry participants, and monitors and analyzes intelligence and law enforcement community security publications as part of its continuing efforts to obtain current threat intelligence, collaborate on security enhancements, and evaluate and improve the effectiveness of its cybersecurity processes. The Company also regularly engages with external parties to perform:
In the ordinary course of our business, our third-party service providers (“TPSPs”) collect, process and store certain information and other data related to us or our customers and their users. We assess the cybersecurity practices of our TPSPs through a variety of measures, including a due diligence process designed to assess and manage the potential risks of such TPSPs to the Company. This process involves evaluation of security questionnaires, review of available SOC 2 reports, and performance of interviews prior to onboarding TPSPs over certain risk thresholds, with annual re-reviews for our highest risk tier TPSPs. Despite these measures, we are reliant on the security practices of our TPSPs, which may be outside of our direct control.
Our information security team is led by our CSO . Mr. Friedman has held the position of CSO at organizations across multiple industries, including financial services, for over 13 years and holds industry security certifications including Certified
Information Systems Security Professional (“CISSP”), Certified Information Systems Auditor (“CISA”), Certified Information Security Manager, and Certified in Risk and Information Systems Control. Many members of the information security team also hold CISSP, CISA and other security related certifications. The information security team is made aware of security risks and incidents through a number of channels and activities:
• monitoring of cyber threat intelligence and evaluation and analysis of the potential impact of “zero day” vulnerabilities.
Our Board of Directors takes an active role in overseeing the management of cybersecurity risks to the Company. The information security team provides periodic reports to the Cybersecurity and Technology Committee of the Board, as well as to the full Board, the Company’s Chief Executive Officer and other members of senior management, as appropriate. These reports include updates on the Company’s cyber risks and threats, the status of projects to strengthen its information security systems, assessments of the cybersecurity program and the emerging threat landscape. The cybersecurity program is periodically evaluated by internal and external experts with the results of those reviews reported to senior management and the Board of Directors.
ii
PART I
Item 1. Business
Overview
LivePerson, Inc. (“LivePerson”, the “Company”, “we”, “our” or “us”) is a leader in digital customer conversation. Over the past two decades, consumers have made digital conversations their primary mode of communication with others. Since 1998, we have enabled meaningful connections between consumers and our customers through our platform and currently power more than one billion conversational interactions each month. These digital and artificial intelligence (“AI”)-powered conversations decrease costs and increase revenue for our brands, resulting in more convenient, personalized and content-rich journeys across the entire consumer lifecycle, and across consumer channels. Our customers’ existing investments in Generative AI and Large Language Models (“LLMs”) are fully compatible with LivePerson’s enterprise-class digital customer conversation platform (the “LivePerson Platform”).
The LivePerson Platform is trusted by the world’s top brands to accelerate their contact center transformation, orchestrate conversations across all channels, departments and systems, increase agent productivity, and deliver more personalized, AI-empowered customer experiences in a safe and secure environment. The LivePerson Platform powers conversations across each of a brand’s primary digital channels, including mobile apps, mobile and desktop web browsers, short messaging service (“SMS”), social media and third-party consumer messaging platforms. Brands can also use the LivePerson Platform to connect conversations across voice and digital channels to give customers additional options and ensure their interactions with brands are seamlessly integrated no matter where they choose to reach out. Agents can manage all conversations with consumers through a single console interface, regardless of where the conversations originated. The LivePerson Platform has been enhanced to provide security with appropriate guardrails where Generative AI and LLMs can be deployed and continually optimized in ways that help consumers and drive results for brands without sacrificing trust.
LivePerson’s robust, cloud-based suite of rich messaging, real-time chat, Generative AI, AI and automation, and conversation orchestration offerings features LLM powered automation (Autopilot), LLM powered agent tools (Copilot: Assist, Summary, Rewrite), Conversation Intelligence tools (Generative Insights, Analytics Studio), integrations (omnichannel solution through Avaya, Inc. partnership, Salesforce connector, iHub workflows powered by Workato), and engagement solutions (proactive messaging, voice to messaging) among others. An extensible application programming interface (“API”) stack facilitates a lower cost of ownership by facilitating robust integration into back-end systems, as well as enabling developers to build their own programs and services on top of the platform. More than 40 APIs and software development kits are available on the LivePerson Platform.
The LivePerson Platform enables what the Company calls “the tango” of humans, LivePerson bots, third-party bots, and LLMs, in which humans oversee and are assisted by AI and can seamlessly step into conversations as needed. Agents become highly efficient, are able to leverage the AI engine (including generative AI capabilities) to surface relevant content, define next-best actions and take over repetitive transactional work so that the agent can focus on relationship building. By integrating customer engagement channels, LivePerson’s proprietary AI, and third-party bots and AI, the LivePerson Platform offers brands a comprehensive approach to scaling automations across all customer conversations.
Complementing the Company’s proprietary digital customer conversation offerings are teams of technical, solutions and consulting professionals that have developed deep domain expertise in the implementation and optimization of conversational services across industries and messaging endpoints. LivePerson’s products, coupled with our domain knowledge, industry expertise and professional services, have been proven to maximize the impact of digital customer service. LivePerson supports and unlocks the power of AI in safe and responsible ways, and delivers measurable return on investment (“ROI”) for our customers.
Customers can realize the following advantages from our offerings:
•the ability for each agent to manage dozens of messaging conversations at a time, as compared to one at a time for a voice agent and two to four at a time for a chat agent. Adding AI and bots provides even greater scale to the number of conversations managed;
•labor efficiency gains of at least two times that of voice agents, effectively cutting labor costs;
1
•improving the overall customer experience, thereby fueling customer satisfaction score increases by double digit percentage points, and enhancing retention and loyalty;
•more convenient, personalized and content-rich conversations that increase sales conversion by double digit percentages, and increase average order value and reduce abandonment;
•more satisfied contact center agents, thereby substantially reducing agent churn;
•a valued connection with consumers via mobile devices, either through native applications, websites, text messages, or third-party messaging platforms; and
•leveraged spending that drives visitor traffic by increasing visitor conversions.
As a “cloud computing” or software-as-a service (“SaaS”) provider, LivePerson provides solutions on a hosted basis. This model offers significant benefits over premise-based software, including lower up-front costs, faster implementation, lower total cost of ownership, scalability, cost predictability, and simplified upgrades. Organizations that adopt a fully-hosted, multi-tenant architecture that is maintained by LivePerson eliminate the majority of the time, server infrastructure costs, and information technology (“IT”) resources required to implement, maintain, and support traditional on-premise software.
Hundreds of the world’s biggest brands, including HSBC, Virgin Media, and Burberry use our digital customer conversation solutions to integrate humans and AI, at scale, and create a convenient personalized relationship with their customers.
LivePerson was incorporated in the State of Delaware in November 1995 and the LivePerson service was introduced in November 1998. The Company completed an initial public offering in April 2000 and is currently traded on The Nasdaq Global Select Market and the Tel Aviv Stock Exchange (“TASE”).
Market Opportunity
LivePerson’s proprietary digital customer conversation solutions enable consumers and businesses to communicate with each other on conversational channels such as voice, messaging apps, a brand’s own website and apps, and social platforms, in order to get answers to questions, make purchases and resolve customer care inquiries.
Consumers today expect seamless, personalized, and AI-driven digital experiences, yet many brands still rely on outdated, disconnected communication channels. LivePerson is transforming customer engagement by enabling brands to shift from legacy systems to a modern digital core powered by messaging and AI. We see a significant opportunity in voice as a channel, seamlessly integrating voice and messaging to enhance both agent and customer experiences with AI-driven insights and automation. Additionally, our conversational commerce solutions empower brands to drive revenue by allowing buyers to engage on their own terms—when, where, and how they choose. The next generation of customer engagement is being shaped by Generative AI-powered agent and customer experiences, where LivePerson’s AI capabilities work alongside human agents and automation to deliver exceptional efficiency and value. Finally, our unified conversational analytics unlock the power of conversation data across channels, providing deep insights that maximize business outcomes. As brands increasingly shift investments from legacy systems to AI-powered, digital-first experiences, LivePerson is at the forefront of this transformation, enabling businesses to drive efficiency, revenue, and customer satisfaction at scale.
LivePerson believes that AI and automation are the foundation for transforming the conversational experience, disrupting how agents operate and how brands engage with consumers. With AI at the center of the solution and by harnessing data from all primary channels, including voice, messaging, chat, and human agents, LivePerson is in a unique position to provide the best conversational experiences for consumers. In addition, our deep integrations with CRM, service, and IT systems allows us to deliver a unified agent experience through a single pane of glass.
We believe that LivePerson’s proprietary digital customer conversation offerings provide a superior alternative to traditional customer experiences. Brands that shift to digital-first customer service and support stand to outperform their competitors by giving consumers the experiences they clearly prefer.
2
Products and Services
Business solutions offerings
The LivePerson Platform enables businesses and consumers to connect through conversational channels, such as voice, in-app and mobile messaging, while leveraging bots and AI to increase efficiency. The platform, which is marketed primarily to customer care, contact center, customer experience, e-commerce, marketing, and technology executives, combines sophisticated mobile and online engagement technology with robust business intelligence and operational and conversational data to produce compelling, measurable results by intelligently engaging consumers based on a real-time understanding of consumer needs. Rich, contextually aware targeting, actionable insights and personalized experiences empower businesses to get the most out of their existing online, mobile and social platforms. Benefits of the LivePerson Platform include increased agent efficiency, decreased customer care costs, improved customer experiences, higher conversion rates and increased customer lifetime value.
The LivePerson Platform powers the Conversational Flywheel, a powerful framework for driving velocity and continuous improvement across our brands’ conversational AI journey. The Conversational Flywheel, comprising four stages, empowers brands to: (1) understand what customers want by analyzing conversational data to drive actionable business decisions through proprietary analytics utilizing data to target end users with compelling engagement options at any step in the conversion funnel and throughout the customer lifecycle; (2) connect business systems to channels, engaging consumers where they are and feeding those conversations back into the systems brands use every day, maximizing online revenue opportunities, improving conversion rates and reducing shopping cart abandonment by proactively engaging the right visitor, using the right channel, at the right time; (3) assist teams with AI-powered tools and insights designed to help them focus on the tasks and interactions that matter most, providing real-time recommendations to human agents, and leveraging automation and human agents working together seamlessly to support consumers, all over our best-in-class agent workspace; and (4) automate to enable self-service and drive faster resolutions, through personal, connected interactions; all feeding data back into the system. This comprehensive solution blends a proven value-based methodology with an active rules-based engagement engine and deep domain expertise to increase first-contact resolution, improve consumer satisfaction, and reduce attrition rates.
LivePerson’s Conversational AI. LivePerson’s Conversational AI, announced in December 2018, operates as the brains behind LivePerson AI-based products, and was developed using our conversational data set of billions of brand-to-consumer interactions. The LivePerson Platform enables what we call “the tango” of humans, LivePerson bots, third-party bots, and LLMs, in which humans oversee and are assisted by AI and can seamlessly step into conversations as needed. Through the LivePerson Platform, agents become highly efficient, leveraging the AI engine (including generative AI capabilities) to surface relevant content, define next-best actions and take over repetitive transactional work so that the agent can focus on relationship building. By seamlessly integrating the LivePerson Platform with our proprietary AI, as well as bots, the platform provides businesses with a comprehensive view of all AI-based and human-based conversations from a single console. Products developed on LivePerson’s Conversational AI engine include:
•Conversation Builder, which non-technical staff such as contact center agents use to design high-quality automated conversations. The conversations are not built from scratch. Conversation Builder creates the initial versions by mining a brand’s existing conversation transcripts. Prebuilt industry templates are also available, providing the dialogue and integrations necessary for common use cases such as billing.
•Conversation Manager, a console that suggests automated responses and next best actions to contact center agents, who edit and select from them. Edits and selections dynamically improve the responses and next best actions. When the content reaches a brand-set accuracy threshold, it can be offered to consumers without human intervention. Conversation Manager also includes sentiment monitoring to alert contact center agents to conversations that require their attention. Designed for use in large contact centers, Conversation Manager sends these requests to agents who have the capacity and appropriate skills to respond. A major retail brand that adopted this approach in its sales operation increased agent productivity up to 220% within 12 weeks of launch.
•Conversational Intelligence, dashboards and reporting which take the true voice of the customer - their direct discussions with a brand, spoken in their natural language - and turn it into actionable sales and service intelligence. Generative Insights discovers trends in what customers are saying and delivers them in an LLM-powered conversational experience that is easy to understand. Report Center measures how both AI and human-powered messaging and voice conversations are performing. Analytics Studio converts the content of voice and messaging conversations into actionable data that makes sense of customer behaviors, preferences, and signals across channels. A major wireless provider using Conversational Intelligence reported the product identifies the root cause of service
3
issues faster than monitoring software, enabling the provider to accelerate the fix and reduce inbound customer inquiries. A leading hospitality firm used Conversational Intelligence to identify and add new, top-selling items to its menu selection.
•Intent Manager, a real-time intent recognition and classification engine that analyzes consumer intentions at every turn of the conversation. Intent Manager is powered by LivePerson’s proprietary natural language understanding (“NLU”) capabilities and machine learning algorithms, which are grounded in over 20+ years of conversational data and more than one billion messaging transcripts across a variety of industries. Intent Manager is currently being used by top brands to gain real-time insights and take action to improve customer service, marketing, and sales automation.
Professional Services
The mission of our LP 360 Professional Services team is to help customers optimize the performance of our products in order to drive incremental value through their mobile and online sales and/or service channel(s). This talented group utilizes their deep domain expertise and years of hands-on experience to provide customers with detailed analyses and measurements of their LivePerson deployment that drive strategies and decisions on how to optimize mobile and online messaging, real-time chat, and bot and AI integration. Deliverables of the team include scorecards that measure and chart performance trends, analyses and recommendations for conversational design, web design and process improvement, transcript reviews to discover both voice of the consumer insight and agent improvement opportunities, custom training of call center agents and management, and ongoing management of messaging programs to ensure alignment with current business practices and objectives. The team’s value-added methodology and approach to guiding customers towards messaging channels and human/bot agent optimization is an important component of the LivePerson offering, and gives our customers a competitive advantage in the digital world.
Customers
Our solutions benefit organizations of all sizes conducting business or communicating with consumers through messaging and chat. Our customers include Fortune 500 companies, dedicated internet businesses, a broad range of online merchants, automotive dealers, educational institutions, the public sector and not-for-profit organizations. We plan to continue to focus on key target markets: telecommunications, financial services, travel/hospitality, technology, healthcare, automotive, and consumer/retail within the United States of America (“U.S.”) and Canada, Latin America, Europe, and the Asia-Pacific (“APAC”) region.
No single customer accounted for or exceeded 10% of our total revenue for 2024, 2023, or 2022.
Sales and Marketing
Sales. Our mobile and online messaging solutions are targeted at corporate executives whose primary responsibility is optimization of customer care, sales and marketing, or optimizing a consumer’s journey across the brand’s digital properties. Our solutions enable organizations to provide effective customer service, sales and marketing by orchestrating conversations across all channels, departments and systems and delivering more personalized, AI-empowered customer experiences in a safe and secure environment. We focus on the value that our solutions deliver in the form of increased agent efficiency, reduced contact center costs, increased customer satisfaction, improved customer lifetime value, maximized digital consumer acquisition, and optimized website and mobile business outcomes.
Within the business solutions segment we have aligned our field organization to address the different sales strategies of our target markets:
Enterprise and large mid-market. We target enterprises which have thousands of agents in their contact centers and collectively connect with billions of consumers each year. We leverage thought leadership and related events to showcase our strength in messaging and AI, and highlight existing reference customers who share their successes on our platform and how they achieved positive ROIs. Increasingly, we are working with large third-party system integrators, technology providers and business process outsourcers to supplement our direct sales effort.
Small business and small mid-market. We target small business and small mid-market customers with a mix of direct, online self-service, and third-party partner channels. Our customer acquisition strategy centers on leveraging customer word-of-
4
mouth, our leading brand name, online marketing and partnerships. We also leverage marketing programs and partner resources to promote increased usage and product adoption within these customers.
Customer Support. Our LP 360 Professional Services team provides deployment support and ongoing business consulting to enterprise and mid-market customers and maintains involvement throughout the engagement lifecycle. All LivePerson customers have access to 24/7 help desk services through messaging, chat, and technical support ticketing.
Marketing. We have a global team, spread across key geographies, that is focused on marketing our brand, products and services to executives responsible for the digital channel, the consumer experience, marketing, sales, IT, and consumer service operations of their organization.
Our marketing strategy encompasses a strategic communications approach that integrates public relations, social media, and analyst/influencer relations. Communications seek to highlight key customer success stories, and promote executive thought leadership via contributed content, speaking opportunities and press interviews, to raise LivePerson’s profile and reinforce our position as an industry leader.
Competition
The markets for AI-enhanced customer interaction, mobile and online business messaging, and digital engagement technology are intensely competitive, rapidly changing and characterized by aggressive marketing, pricing pressure, evolving industry standards, rapid technology developments, and frequent new product introductions.
We believe that most contact center technology vendors incorrectly view messaging as simply a feature or channel. They are content with building integrations to a messaging endpoint and offering messaging as just another product in their suite. We believe that messaging and AI are the foundation for conversational experiences, which transform how agents operate and how brands engage with consumers across service, sales, marketing, and brick and mortar. Brands must adapt their contact centers to an asynchronous messaging environment and leverage a combination of human agents, bots and AI to achieve scale and efficiencies.
We believe that our differentiated approach to enterprise conversations, combined with our unique technology and expertise, has established the Company as a market leader, with an ability to deliver superior returns on investment:
•The LivePerson Platform was designed for AI-assisted and human-powered messaging in mobile and online channels. The platform is designed for security and scalability, offers the broadest ecosystem of messaging endpoints, is designed for ease of use, and features an AI engine custom built for enterprise conversations, intent recognition, robust real-time reporting, role-based real-time analytics, predictive intelligence, and innovations in customer satisfaction and connection measurement. Additionally, our platform offers pre-built, enterprise-grade integrations into back-end systems as well as the ability to work across NLU providers.
•The platform has expanded to power conversations across a broad spectrum of channels and use cases, from traditional sales and customer service, to marketing, social, email, advertising and brick and mortar.
•We have billions of conversations across industries, geographies and use cases. This data is used to feed machine learning models that can understand and handle conversations, and can customize generative AI for enterprise-level performance and safety.
•LivePerson has deep domain expertise across verticals and messaging endpoints, a global footprint, referenceable enterprise brands and a team of technical, solutions and consulting professionals to assist customers along their transformational journeys.
We believe this focus on technological innovation, expertise and enterprise-class capabilities is positioning LivePerson as a leader in digital customer conversations.
We have current and potential competition from providers of messaging and digital engagement solutions that enable companies to engage and connect with their consumer customers, as well as technology providers that offer customer relationship management and contact center solutions. We have current and potential competitors in many different industries, including:
5
•technology or service providers offering or powering competing digital engagement, contact center, communications, or customer relationship management solutions such as eGain, Genesys, Nuance, Oracle, Salesforce.com, and Twilio;
•service providers that offer basic messaging products or services with limited functionality free of charge or at significantly reduced entry level prices;
•social media, social listening, messaging, AI, bots, e-commerce, and/or data and data analytics companies, such as Facebook, Google, and WeChat, which may leverage their existing or future capabilities and consumer relationships to offer competing business-to-business solutions; and
•customers that develop and manage their messaging solutions in-house.
Technology
Four key technological features distinguish the LivePerson services:
•LivePerson’s powerful Conversational AI capabilities have historically enabled brands to successfully automate conversations, and these tools are now made even more powerful with the advent of generative AI. To make generative AI systems usable for the enterprise, proprietary data integrations are required, along with Conversational AI test and release management capabilities, and the ability to leverage human feedback and customize models and other system behavior. LivePerson’s Conversational AI systems have these capabilities, and are integrated with best-in-class generative AI systems including OpenAI, Microsoft, Google, and others, situating the LivePerson technology stack to benefit from the anticipated growth in the generative AI space.
•We support our customers through a secure, scalable server infrastructure. Currently, in North America, our servers are hosted in a secure, top-tier, third-party server center located in the Mid-Atlantic United States, and have data backups in a top-tier facility located in the Western United States. In Europe, our servers are hosted in a secure, top-tier, third-party server center located in the United Kingdom (“U.K.”) and have data backups in a top-tier facility located in The Netherlands. In the Asia Pacific region, our servers and data backups are hosted in secure, top-tier, third-party server centers located in Australia. Utilizing scalable network infrastructure and protocols, our network, hardware and software are designed to accommodate our customers’ demand for secure, high-quality 24/7 service, including during peak times such as the holiday shopping season. We have begun the process of migrating our technology infrastructure to the public cloud.We have announced plans to migrate our technology infrastructure to the public cloud. Components of our platform are currently hosted on various hyperscalers, and we intend to continue to shift our footprint to the public cloud over the coming years.
•As a hosted service, we are able to add additional capacity and new features quickly and efficiently. This has enabled us to provide these benefits simultaneously to our entire customer base. In addition, it allows us to maintain a relatively short development and implementation cycle.
•As a SaaS provider, we focus on the development of tightly integrated software design and network architecture. Dedicated resources are allocated to designing our software and network architecture based on the fundamental principles of security, reliability and scalability.
Network Architecture and Security. Our network is scalable. Our backup data is housed in separate locations from our primary hosting facilities. We comply with security standards such as System and Organization Controls (“SOC”) 2, and Payment Card Industry (“PCI”) Data Security Standards (“DSS”), and International Standards Organization / International Electrotechnical Commission (“ISO/IEV”) 27001. For increased security, through a multi-layered approach, we use next-generation endpoint detection and response, offer enterprise encryption standards and employ third-party independent service providers to further validate our systems’ security. We also enable our customers to mask certain sensitive data.
Government Regulation
We and our customers are subject to numerous laws and regulations applicable to our and their businesses throughout the world, including laws regarding data privacy, data protection, information security, cybersecurity, restrictions on the collection, use, storage, protection, disposal, transfer or other processing of consumer data, content, consumer protection, advertising,
6
taxation, provision of online payment services (including credit card processing), and intellectual property rights, which are continuously evolving and developing. Compliance with these laws and regulations may be costly, and any failure to comply could have a material adverse effect on our and our customers’ reputation and results of operations.
Intellectual Property and Proprietary Rights
We own a portfolio of patents and patent applications in the United States and internationally and regularly file patent applications to protect intellectual property that we believe is important to our business. As of December 31, 2024, we have 372 patents issued in the U.S. and abroad, and 222 patents pending. We had 27 patents awarded in the U.S. during 2024, and added 65 global patents. Our patents cover Conversational AI and insights, messaging across various consumer channels, behavioral analytics and personalization, and agent effectiveness and call center operations.
We rely on a combination of patent, copyright, trade secret, trademark and other common law protections in the United States and other jurisdictions, as well as confidentiality requirements and contractual provisions, to protect our proprietary technology, processes and other intellectual property. We rely on a combination of patent, copyright, trade secret, trademark and other common law protections in the United States and other jurisdictions, as well as confidentiality requirements and contractual provisions, to protect our proprietary technology, processes and other intellectual property.
Human Capital Management
As a leading provider of digital customer conversation solutions, we are at the forefront of a consumer-led shift to Conversational AI, and our platform is setting the industry standard for this future.
As of December 31, 2024, we had 928 full-time employees worldwide, located in more than 20 countries. Of these, 356 were located in the Americas, 380 in Europe, the Middle East, and Africa (“EMEA”), and 184 in APAC. Although we have statutory employee representation obligations in certain countries, our U.S. employees are not covered by collective bargaining arrangements. We believe we have good relations with our employees. For 2024, our key human capital management efforts focused on the following:
We place a high priority on attracting, recruiting, developing and retaining diverse global talent. As a company, we are focused on benefits and programs that support our employees across the entire employee lifecycle, from recruitment and onboarding, to well-being, learning and development. Our recruiting processes are designed to ensure that we bring on employees who are aligned to our values and culture, and we follow a comprehensive process in order to solicit multiple perspectives and eliminate bias. Our technology platforms enable representatives of our customers as well as individual service providers to communicate with consumers and other persons seeking information or advice on the web or via mobile devices.
We support employee training and development through our online Learning Management Systems which provides access to LivePerson product and process training. In addition, employees have access to thousands of learning courses focused on a myriad of topics that include professional skills, technical skills, leadership skills, communication skills, time management skills, AI and machine learning, project management, professional certification prep courses, and additional topics that support an engaged and balanced workforce. We encourage employees to create developmental goals to support their ongoing learning.
We strive to foster an environment in which all employees are supported and enabled to perform at their best individually and collectively. We value a wide range of perspectives, and believe this supports our successful delivery of innovative AI solutions and consumer experience products and services to our global customer base.
Website Access to Reports
We make available on our website (ir.liveperson.com), our annual reports on Form 10-K, our quarterly reports on Form 10-Q, and our current reports on Form 8-K and any amendments to those reports filed or furnished pursuant to Sections 13(a) or 15(d) of the Securities Exchange Act of 1934 as soon as reasonably practicable after we have electronically filed such material with, or furnished it to, the Securities and Exchange Commission (“SEC”). The Company’s website address provided above is not intended to function as a hyperlink, and the information on the Company’s website is not and should not be considered part of this Annual Report on Form 10-K and is not incorporated by reference herein. The SEC maintains an internet site that contains reports, proxy and information statements, and other information regarding issuers that file electronically with the SEC at www.sec.gov.
7
Item 1A. Risk Factors
The following are certain of the important risk factors that make an investment in our securities speculative or risky. The risks described below are not the only ones we face. Additional risks not presently known to us, or that we currently deem to be immaterial, could also materially and adversely affect our business, results of operations, financial condition, cash flows or prospects, or the price of our outstanding securities.
Summary of Risk Factors
Our business is subject to risks and uncertainties that make an investment in our securities speculative or risky and could materially adversely affect our business, results of operations, financial condition, cash flows or prospects, or the price of our outstanding securities. These risks are discussed more fully below and include:
•The success of our business depends on retention of existing customers and their purchase of additional services, and attracting new customers.
•Supporting our customer base requires intensive personnel, infrastructure and resource commitment, and if we are unable to scale our operations and increase productivity, we may not be able to successfully implement our business plan.•Supporting our existing and growing customer base could strain our personnel resources and infrastructure, and if we are unable to scale our operations and increase productivity, we may not be able to successfully implement our business plan.
•Our business depends significantly on our ability to retain our key personnel, attract new personnel, and manage attrition.
•Our contingent pricing arrangement program offers contingent pricing and if we are unsuccessful at achieving customer objectives, the program could result in operating losses.
•Our expansion into new products, services, and technologies could subject us to additional risks.
•If we do not successfully integrate past or potential future acquisitions, we may not realize the expected business or financial benefits and our business could be adversely impacted.
•We may not be able to refinance our substantial indebtedness before it becomes due. In addition, capital needs necessary to execute our business strategy could increase substantially. There is a significant risk that we may not be able to secure necessary financing on commercially reasonable terms, or at all.
•Our sales cycles can be lengthy, and the timing of sales can cause our operating results to vary significantly.•Our sales cycles can be lengthy, and the timing of sales can be difficult to predict, which may cause our operating results to vary significantly.
•Delays in our implementation cycles could have an adverse effect on our results of operations.
•Our quarterly revenue and operating results may fluctuate significantly, which may cause a substantial decline in the trading price of our securities.
•In the past we have experienced losses, we had an accumulated deficit of $991.3 million as of December 31, 2024 and we may incur losses in the future.
•The non-payment or late payment of amounts due to us from a significant number of customers may negatively impact our financial condition or make it difficult to forecast our revenues accurately.
•There are inherent limitations on the effectiveness of our controls.
•As a “smaller reporting company,” we may comply with certain reduced reporting and disclosure requirements which could make our common stock less attractive to investors.
•Because we recognize revenue from subscriptions for our service over the term of the subscription, declines in business may not be immediately reflected in our operating results.
•If our goodwill or long-lived assets become impaired, we may be required to record a significant charge to earnings.
•If we are unable to develop and maintain successful relationships with partners, service partners, social media, and other third-party consumer messaging platforms and endpoints, our business, results of operations, and financial condition could be adversely affected.
•If we are unable to effectively operate on mobile devices, our business could be adversely affected.
•The markets in which we participate are highly competitive, and we may lose customers and revenue if we are not able to innovate or effectively compete.
•Downturns in the global economic environment or in particular industries in which our sales are concentrated may adversely affect our business and results of operations.
•Failures or security breaches in our services or systems, those of our third-party service providers, or in the websites of our customers, including those resulting from cyber-attacks, security vulnerabilities, defects, or errors, could harm our business.
8
•We may be liable if third parties access or misappropriate confidential or personal data from our systems or services.
•We provide service-level commitments to certain customers. If we do not meet these contractual commitments, we could be obligated to provide credits or refunds or face contract terminations, which could adversely affect our revenue and harm our reputation.
•Failure to license necessary third-party software for use in our products and services, or failure to successfully integrate third-party software, could cause delays or reductions in our sales, or errors or failures of our service.
•Our business is subject to a variety of U.S. and international laws and regulations regarding privacy, data protection, and AI, and increased public scrutiny of privacy, security, and AI issues could result in increased government regulation, industry standards, and other legal obligations that could adversely affect our business.
•We are the subject of a number of ongoing actions that have resulted in significant expense, and adverse developments in our ongoing actions and/or future actions could have a material adverse effect on our business results of operations and financial condition.
•We may be subject to governmental export controls and economic sanctions regulations that could impair our ability to compete in international markets due to licensing requirements and could subject us to liability if we are not in compliance with applicable laws.
•Industry-specific regulation is evolving and unfavorable industry-specific laws, regulations, or interpretive positions could harm our business.
•Future regulation of the internet or mobile devices may result in decreased demand for our services and increased costs of doing business.•Future regulation of the internet or mobile devices may slow our growth, resulting in decreased demand for our services and increased costs of doing business.
•Our products and services may infringe upon intellectual property rights of third parties and any infringement could require us to incur substantial costs and may distract our management.
•Our business and prospects would suffer if we are unable to protect and enforce our intellectual property rights.
•Issues in the use of AI in our product offerings or by our vendors may result in reputational harm or liability.
•Our results of operations may be adversely impacted due to our exposure to foreign currency exchange rate fluctuations.
•We may be unsuccessful in expanding our operations internationally due to additional regulatory requirements, tax liabilities, currency exchange rate fluctuations, and other risks, which could adversely affect our results of operations.•We may be unsuccessful in expanding our operations internationally and/or into direct-to-consumer services due to additional regulatory requirements, tax liabilities, currency exchange rate fluctuations, and other risks, which could adversely affect our results of operations.
•Our operations may expose us to greater than anticipated income, non-income, and transactional tax liabilities, which could harm our financial condition and results of operations.
•Our ability to use our net operating losses to offset future taxable income may be subject to certain limitations.
•Political, economic, and military conditions in Israel could negatively impact our Israeli operations.
•Servicing our debt may require a significant amount of cash, and we may not have sufficient cash flow from our business to pay our indebtedness.
•The terms of our First Lien Convertible Senior Notes due 2029 require us to meet certain operating and financial covenants and place restrictions on our operating and financial flexibility. If we raise additional capital through debt financing, the terms of any new debt could further restrict our ability to operate our business.
•We may not have the ability to raise the funds necessary to settle conversions of our outstanding convertible debt securities and cash-settled warrants in cash or to repurchase our outstanding convertible debt securities upon a fundamental change, and any future debt may contain limitations on our ability to pay cash upon conversion or repurchase of our outstanding convertible debt securities and cash-settled warrants.
•Provisions in the indentures for our outstanding convertible debt securities may deter or prevent a business combination that may be favorable to security holders.
•Our stock price has been, and may continue to be, highly volatile, which could reduce the value of your investment and subject us to litigation.
•If our common stock continues to trade below $1.00, we may fail to meet the continued listing requirements of The Nasdaq Stock Market LLC, which could result in a delisting of our common stock.
•Our common stock is traded on more than one market and this may result in price variations.
•Provisions in our charter documents, Delaware law and the indentures for our outstanding convertible debt securities could discourage, delay or prevent a takeover that stockholders may consider favorable.
9
Risks Related to Operating our Business
The success of our business depends on retention of existing customers and their purchase of additional services, and attracting new customers.
Our customers typically subscribe for our services for a twelve-month term and have no obligation to renew their subscription after expiration of the twelve-month term. In some cases, our agreements are terminable or may terminate upon 30 to 90 days’ notice without penalty. Factors including dissatisfaction with the nature or quality of our services as well as reductions in our customers’ spending levels, or declines in customer activity as a result of general economic conditions or uncertainty in financial markets, could lead customers to terminate our service. Dissatisfaction with the nature or quality of our services as well as reductions in our customers’ spending levels or declines in customer activity as a result of general economic conditions or uncertainty in financial markets, could also lead customers to terminate our service. If a significant number of our customers, or any one customer to whom we provide a significant amount of services, were to terminate services, reduce the amount of services purchased, or fail to purchase additional services, our results of operations may be negatively and materially affected.
We depend on monthly fees and interaction-based fees from our services for substantially all of our revenue. We depend on monthly fees and interaction-based fees from our services for substantially all of our revenue. As part of our strategy, we frequently offer customers subscriptions with interaction-based fees. As part of our strategy, we are increasingly offering customers subscriptions with interaction-based fees. While this interaction-based fee model has demonstrated success in our business to date, it could potentially produce greater variability in our revenue as revenue in this model is impacted by the number of interactions that our customers generate through use of our products.
Because of the small amount of services historically sold in initial orders, we depend significantly on the growth of our customer base, sales to new customers and sales of additional services to our existing customers. Because of the historically small amount of services sold in initial orders, we depend significantly on the growth of our customer base and sales to new customers and sales of additional services to our existing customers. If we are able to obtain additional customers or if existing customers decline to purchase additional services, our revenues will be adversely affected.
Supporting our customer base requires intensive personnel, infrastructure and resource commitment, and if we are unable to scale our operations and increase productivity, we may not be able to successfully implement our business plan.•Supporting our existing and growing customer base could strain our personnel resources and infrastructure, and if we are unable to scale our operations and increase productivity, we may not be able to successfully implement our business plan.
We anticipate that additional investments in our infrastructure, research; and development and customer support and development will be required to scale our operations and increase productivity, to address the needs of our customers, to further develop and enhance our services; and to expand our business into new geographic areas. The additional investments we are making will increase our cost base, which will make it more difficult for us to offset any future revenue shortfalls by reducing expenses, and there can be no assurance that they will be successful or meet our customers’ needs. The additional investments we are making will increase our cost base, which will make it more difficult for us to offset any future revenue shortfalls by reducing expenses in the short term, and there is no guarantee that they will be successful or meet our customers’ needs.
We regularly upgrade or replace our various software systems. If the implementations of these new applications are delayed, or if we encounter unforeseen problems with our new systems or in migrating away from our existing applications and systems, our operations and our ability to manage our business could be negatively impacted.
Our success depends in part upon the ability of our senior management to manage our business effectively. If we fail to successfully scale our operations and increase productivity, we may be unable to execute our business plan and the market price of our securities could decline.
Our business depends significantly on our ability to retain our key personnel, attract new personnel, and manage attrition.
Our success depends largely on the continued services of our senior management team. The loss of one or more members of senior management could have a material adverse effect on our business, results of operations, and financial condition. We are also substantially dependent on the continued service of other key personnel, including key sales executives responsible for revenue generation and key development personnel accountable for product and service innovation and timely development and delivery of upgrades and enhancements to our existing products and services. Changes to senior management and key employees could also lead to additional unplanned losses of key employees. The loss of key employees could seriously harm our ability to release new products and services and upgrade existing products and services on a timely basis, and put us at a competitive disadvantage.
In the technology industry, there is substantial competition for key personnel, including skilled engineers, sales executives and operations personnel. We may not be able to successfully recruit, integrate and retain qualified personnel in the future, which could impact our ability to innovate and deliver new or updated products to our customers, which could harm our business. If our retention and recruitment efforts are ineffective, employee turnover could increase and our ability to provide services to our customers would be materially and adversely affected.
10
Following the onset of the global novel coronavirus disease (“COVID-19”) pandemic, we vacated most of our physical offices around the world, and transitioned to a work-from-anywhere model. While we have been able to operate effectively from remote locations, the long-term impact of such work arrangements remains unknown. For example, such remote work arrangements may present workplace culture challenges. For example, such remote work arrangements may increase the risk of cyber incidents or data breaches and may present workplace culture challenges.
We expect to evaluate our needs and the performance of our staff on a periodic basis and may choose to make adjustments in the future. We expect to evaluate our needs and the performance of our staff on a periodic basis and may choose to make adjustments in the future. If the size of our staff is significantly reduced, either by our choice or otherwise, it may become more difficult for us to manage existing, or establish new, relationships with customers and other counterparties, or to expand and improve our service offerings. It may also become more difficult for us to implement changes to our business plan or to respond promptly to opportunities in the marketplace. Further, it may become more difficult for us to devote personnel resources necessary to maintain or improve existing systems, including our financial and managerial controls, billing systems, reporting systems and procedures. Thus, any significant amount of staff attrition could cause our business and financial results to suffer.
Our contingent pricing arrangement program offers contingent pricing and if we are unsuccessful at achieving customer objectives, the program could result in operating losses.
The Company has developed a fully managed solution where LivePerson provides messaging and AI automation technology as well as labor, automation, and end-to-end program management. This program pricing is contingent on the degree to which a customer achieves its financial objectives, such as increased revenue or reduced operating costs. Gainshare pricing is contingent on the degree to which a customer achieves its financial objectives, such as increased revenue or reduced operating costs. If we are unsuccessful in achieving these objectives for our customers (including as a result of broader market events, such as inflation and recessionary pressures or decreased consumer confidence), it will reduce the revenue that we recognize and could result in our operating the program at a financial loss, which could have a materially adverse impact on our financial results. If we are unsuccessful in achieving these objectives for our customers (including as a result of broader market events, such as inflation and recessionary pressures, decreased consumer confidence, normalization of pandemic-specific shopping trends and returns to physical, in-store shopping experiences), it will reduce the revenue that we recognize from Gainshare and could result in our operating the program at a financial loss, which could have a materially adverse impact on our financial results.
Our expansion into new products, services, and technologies could subject us to additional risks.
We have invested in new products, services, and technologies. We may have limited or no experience in new market segments that we enter or new services that we decide to offer, and customers may not choose to buy or use our service offerings. These offerings, which can present new and difficult technology challenges, may subject us to claims if customers of these offerings experience service disruptions or failures or other quality issues. Our newer activities may involve significant risks and uncertainties, including diversion of resources and management attention from current operations, as well as, in certain circumstances, the use of alternative investment, governance, or revenue strategies that may fail to adequately align incentives across our business or otherwise accomplish our objectives. In addition, new and evolving products, services, and technologies, including those that use AI, machine learning, and blockchain, can raise ethical, technological, legal, regulatory, and other challenges, which may negatively affect our business and demand for our products and services. Profitability, if any, in our newer activities may not meet our expectations, and we may not be successful enough in these newer activities to recoup our investments in them. In addition, profitability, if any, in our newer activities may not meet our expectations, and we may not be successful enough in these newer activities to recoup our investments in them. Failure to realize the benefits of amounts we invest in new technologies, products, or services could result in the value of those investments being written down or written off.
If we do not successfully integrate past or potential future acquisitions, we may not realize the expected business or financial benefits and our business could be adversely impacted.
As part of our business strategy, we have made and may continue to make acquisitions to add complementary businesses, products, technologies, revenue and intellectual property rights. As part of our business strategy, we have made and may continue to make acquisitions to add complementary businesses, products, technologies, revenue and intellectual property rights. Acquiring and integrating technology companies presents unique risks including difficulties in adapting and developing new software technologies and systems protocols, increased software integration expenses, and incompatibility of acquired technologies. Acquisitions and investments also involve numerous other risks to us, including:
• potential failure to achieve the expected benefits of the combination or acquisition;
• inability to generate sufficient revenue to offset acquisition or investment cost;
• difficulties in integrating operations, technologies, products, and personnel;
• diversion of financial and management resources from efforts related to existing operations;
• risks of entering new markets in which we have little or no experience or where competitors may have stronger market positions;
• potential loss of our existing key employees or key employees of the company we acquire;
11
• inability to maintain relationships with customers and partners of the acquired business;
• potential unknown liabilities associated with the acquired businesses; and
• the tax effects of any such acquisitions.
These difficulties could disrupt our ongoing business, expose us to unexpected costs, distract our management and employees, increase our expenses, and adversely affect our results of operations. Furthermore, we may incur debt or issue equity securities to pay for any future acquisitions. The issuance of equity securities could be dilutive to our existing stockholders.
If we do not effectively implement our plans to migrate our technology infrastructure to the public cloud, our operations could be significantly disrupted. If we do not effectively implement our plans to migrate our technology infrastructure to the public cloud, our operations could be significantly disrupted.
We have begun the process of migrating our technology infrastructure to the public cloud.We have announced plans to migrate our technology infrastructure to the public cloud. This initiative is a major undertaking as we migrate and reconfigure our current system processes, transactions, data and controls to a new cloud-based platform. It could have a significant impact on our business processes, financial reporting, information systems and internal controls.
As we implement the transition of our technology infrastructure to the public cloud, we may need to divert resources and management attention away from other important business operations.As we implement the transition of our technology infrastructure to the public cloud, we may need to divert resources away from other important business operations, including management attention. While we are implementing business contingency and other plans to facilitate continuous internet access, sustained or concurrent service denials or similar failures could limit our ability to provide our customers access to cloud-based services or otherwise operate our business. While we plan to implement business contingency and other plans to facilitate continuous internet access, sustained or concurrent service denials or similar failures could limit our ability to provide our customers access to cloud-based services or otherwise operate our business. Additionally, we have experienced and may continue to experience issues with customer migration, as many of our customers may not migrate to cloud-based technologies on a timely basis or at all or may choose not to utilize our products and services during and after our transition to cloud-based technologies, which could negatively impact our revenue. Additionally, we may experience issues with customer migration, as many of our customers may not migrate to cloud-based technologies on a timely basis or at all or may choose not to utilize our products and services during and after our transition to cloud-based technologies, which could negatively impact our revenue. Additionally, we may experience difficulties as we manage these changes and transition our technology infrastructure to the public cloud, including loss or corruption of data, interruptions in service and downtime, increased cyber threats and activity, delayed financial reporting, unanticipated expenses including increased costs of implementation and of conducting business, and lost revenue. Although we are conducting design validations and user testing, these may cause delays in transacting our business due to system challenges, limitations in functionality, inadequate management or process deficiencies in the development and use of our systems. Difficulties in implementing or an inability to effectively implement our migration plans could disrupt our operations and harm our business.
As we increase our reliance on public cloud infrastructure, our products and services will become increasingly reliant on continued access to, and the continued stability, reliability, and flexibility of third-party public cloud services. Additionally, we may in the future be unable to secure additional cloud hosting capacity on commercially reasonable terms or at all. If any of our public cloud providers increases pricing terms, terminates or seeks to terminate our contractual relationship, establishes more favorable relationships with our competitors, or changes or interprets their terms of service or policies in a manner that is unfavorable to us, we may be required to transfer to another provider and may incur significant costs and experience service interruptions. We have limited control over the public cloud operations and facilities on which we plan to host our technology infrastructure. Any changes in third-party service levels or any disruptions or delays from errors, defects, hacking incidents, security breaches, computer viruses, misconfigurations, distributed denial of service attacks, bad acts or performance problems could harm our reputation, damage our customers’ businesses, and harm our business. Any changes in third-party service levels or any disruptions or delays from errors, defects, hacking incidents, security breaches, computer viruses, DDoS attacks, bad acts or performance problems could harm our reputation, damage our customers’ businesses, and harm our business. Our public cloud providers are also vulnerable to damage or interruption from earthquakes, hurricanes, floods, fires, war, public health crises, terrorist attacks, power losses, hardware failures, systems failures, telecommunications failures and similar events. Our public cloud providers are also vulnerable to damage or interruption from earthquakes, hurricanes, floods, fires, war, public health crises, such as COVID-19, terrorist attacks, power losses, hardware failures, systems failures, telecommunications failures and similar events. Although our transition and migration to the public cloud may increase our risk of liability and cause us to incur significant technical, legal or other costs, we may have limited remedies against third-party providers in connection with such liabilities.
Additionally, our public cloud providers may not be able to effectively manage existing traffic levels or increased demand in capacity requirements, especially to cover peak levels or spikes in traffic, and as a result, our customers may experience delays in accessing our solutions or encounter slower performance in our solutions, which could significantly harm the operations of our customers. Interruptions in our services might reduce our revenue, cause us to issue credits to customers, subject us to potential liability, and cause customers to terminate their subscriptions or harm our renewal rates.
We may not be able to refinance our substantial indebtedness before it becomes due. In addition, capital needs necessary to execute our business strategy could increase substantially. There is a significant risk that we may not be able to secure necessary financing on commercially reasonable terms, or at all.
12
Our substantial level of indebtedness increases the possibility that we may be unable to generate cash sufficient to refinance our outstanding indebtedness. In particular, we have $361.2 million in aggregate principal amount of 0% Convertible Notes due in December 2026 (“2026 Notes”) and $207.1 million in aggregate principal amount of First Lien Convertible Senior Notes due 2029 (“2029 Notes”). Further, our 2029 Notes will come due 91 days before the maturity of the 2026 Notes, if greater than $60.0 million principal amount of our 2026 Notes remains outstanding on such date. From time to time, we have explored, and expect to continue to explore, a variety of transactions to improve our liquidity and/or to refinance our indebtedness, including issuing new debt or equity and repurchasing outstanding notes in the open market with available liquidity. We cannot assure you that we will enter into or consummate successfully any liquidity-generating or debt refinancing transactions, and we cannot currently predict the impact that any such transactions, if consummated, would have on us.
If additional funds are raised through the issuance of debt or preferred equity securities, or borrowing from financial institutions under credit facilities, these instruments could require materially higher interest payments than we have historically paid, have rights, additional preferences, and privileges senior to holders of common stock, and could have terms that impose further restrictions on our operations. If we are unable to continue utilizing the third-party services that support our web hosting and 26infrastructure or if our services experience interruptions or delays due to existing third-party service providers or transition to new third-party service providers, our reputation and business could be harmed, and we may be exposed to legal and reputational risk, and significant remediation costs. If additional funds are raised through the issuance of additional equity or convertible securities, our stockholders could suffer dilution. We cannot assure you that additional funding, if required, will be available to us in amounts or on terms acceptable to us. If sufficient funds are not available or are not available on acceptable terms, our ability to refinance our existing indebtedness, fund any potential expansion, take advantage of acquisition opportunities, develop or enhance our services or products, or otherwise respond to competitive pressures would be significantly limited. If sufficient funds are not available or are not available on acceptable terms, our ability to fund any potential expansion, take advantage of acquisition opportunities, develop or enhance our services or products, or otherwise respond to competitive pressures would be significantly limited. Those limitations would materially and adversely affect our business, results of operations, cash flows, and financial condition. If we cannot make scheduled payments on our indebtedness, we will be in default under one or more of the agreements governing our indebtedness, and as a result, we could be forced into bankruptcy or liquidation.
Our sales cycles can be lengthy, and the timing of sales can cause our operating results to vary significantly.•Our sales cycles can be lengthy, and the timing of sales can be difficult to predict, which may cause our operating results to vary significantly.
The sales cycle for our products can be several months or more and varies substantially from customer to customer, particularly for sales to enterprise customers. Because we sell complex, integrated solutions, it can take many months to close sales as customers evaluate our product offering against available alternatives and define their requirements. We are often required to spend substantial time, effort, and money educating potential customers about the value of our offerings. The increasingly complex needs of our customers can further contribute to a longer sales cycle. The increasingly complex needs of our customers can contribute to a longer sales cycle.
Additionally, our quarterly sales have historically reflected an uneven pattern in which a disproportionate percentage of a quarter’s total sales occur in the last month, weeks and days of each quarter. This makes prediction of revenue especially difficult and uncertain and increases the risk of unanticipated variations in our results of operations. These patterns make prediction of revenue especially difficult and uncertain and increase the risk of unanticipated variations in our results of operations. In addition, historically a large portion of our revenue has derived from large orders from large clients. Consequently, delays in the closing of sales, especially from large clients, could have a material impact on the timing of revenue and results of operations.
Delays in our implementation cycles could have an adverse effect on our results of operations.
Certain of our products require some implementation services, including but not limited to training our customers. As an open platform, we also work with third parties on implementing a variety of integrations into our platform. As an open platform, we also work with other third parties on implementing a variety of integrations into our platform. We have historically experienced a lag between signing a customer contract and recognizing revenue from that customer. Although this lag has typically ranged from 30 to 90 days, it may take more time between contract signing and recognizing revenue in certain situations. If we experience delays in implementation or do not meet project milestones in a timely manner, we could be obligated to devote more customer support, engineering and other resources to a particular project. If new or existing customers cancel or have difficulty deploying our products or require significant amounts of our professional services, support, or customized features, revenue recognition could be canceled or delayed and our costs could increase, which could negatively impact our operating results.
Our services are subject to payment-related risks.
For certain payment methods, including credit and debit cards, we pay interchange and other fees, which may increase over time and raise our operating costs and lower our profit margins. We rely on third parties to provide payment processing services, including the processing of credit cards and debit cards and it could disrupt our business if these companies become unwilling or unable to provide these services to us. We are also subject to payment card association operating rules, certification requirements and rules governing electronic funds transfers, which could change or be reinterpreted in such a way as to make compliance infeasible. If we fail to comply with these rules or requirements, we may be subject to fines and higher transaction
13
fees and lose our ability to accept credit and debit card payments from our customers or facilitate other types of online payments, and our business and operating results could be adversely affected.
We are also subject to a number of other laws and regulations relating to money laundering, international money transfers, privacy and information security, and electronic fund transfers. If we were found to be in violation of applicable laws or regulations, we could be subject to civil and criminal penalties or forced to cease our payments services business.
Our reputation depends, in part, on factors which are partially or entirely outside of our control.
Our services typically appear under the LivePerson brand or as a LivePerson-branded icon on our customers’ websites. The customer service operators who respond to the inquiries of our customers’ users are employees or agents of our customers or independent consultants rather than employees of LivePerson. The customer service operators and Experts who respond to the inquiries of our customers’ users are employees or agents of our customers or independent consultants rather than employees of LivePerson. As a result, we are not able to control the actions of these operators and the impression that any such operator leaves the user with whom they interact. As a result, we are not able to control the actions of these operators or Experts and the impression that such operator or Expert leaves the user with whom they interact. A user may not know that the operator is not a LivePerson employee. A user may not know that the operator or Expert is not a LivePerson employee. If a user were to have a negative experience in a LivePerson-powered real-time dialogue, it is possible that this experience could be attributed to us, which could diminish our brand and harm our business. Additionally, we have no control over the content of our customers’ websites on which our website chat icon appears.
Increased regulatory uncertainty and conflicting stakeholder views regarding environmental, social and governance (“ESG”) matters may increase our costs, harm our reputation, or otherwise adversely impact our business.
Governmental authorities, non-governmental organizations, rating agencies, customers, investors, employees, and other stakeholders remain focused on ESG concerns, such as diversity and inclusion, climate change, sustainability, social responsibility, and corporate governance and transparency. However, stakeholder expectations on ESG matters continue to evolve and are not uniform. This focus on ESG concerns and efforts to comply with shifting and sometimes conflicting expectations could result in increased compliance costs and other complexities, including with respect to collecting, measuring, and reporting ESG-related information in connection with expanding mandatory and voluntary reporting, diligence and disclosure requirements. Responding to ESG considerations and implementation of our ESG goals and initiatives involves risks and uncertainties, requires investments, may subject us to governmental and political scrutiny, and depends in part on third-party performance or data that is outside of our control. In addition, some stakeholders may disagree with our ESG goals and initiatives, and we could be criticized for the timing, scope or nature of our ESG goals or initiatives. If we fail to meet our goals and initiatives or otherwise do not act responsibly, or if we are perceived to not be acting responsibly, or if we become subject to regulatory scrutiny in key ESG areas, we risk negative stockholder reaction, including from proxy advisory services, as well as damage to our reputation, loss of customers or business partners, inability to attract and retain employee talent, and other material adverse effects on our business, results of operations and cash flows.
Risks Related to our Financial Condition and Operating Results
Our quarterly revenue and operating results may fluctuate significantly, which may cause a substantial decline in the trading price of our securities.
Our quarterly revenue and operating results may fluctuate significantly as a result of a variety of factors, many of which are outside of our control. Some of the important factors that may cause our revenue and operating results to fluctuate include:
•our ability to attract and retain new customers;
•our ability to retain and increase sales to existing customers;
•demand from customers for our services;
•our ability to innovate and provide new services to current and future customers;
•our ability to add AI, machine learning, and automation into our services;
•the introduction of new services by us or our competitors;
•our ability to avoid and/or manage service interruptions, disruptions, or security incidents;
•changes in our pricing models or policies or in those of our competitors;
•our ability to maintain and add integrations with third-party consumer messaging platforms and endpoints;
•levels of adoption by companies of mobile and cloud-based messaging solutions;
14
•investments in growing our sales and marketing programs;
•levels of adoption by users of conversational AI and web and mobile-based conversation technology;
•exposure to foreign currency exchange rate fluctuations; and
•the amount and timing of capital expenditures and other costs related to operation and expansion of our business, including those related to acquisitions.
Our revenue and operating results may also fluctuate significantly in the future due to the following factors that are entirely outside of our control:
•new laws, regulations, or regulatory or law enforcement initiatives;
•economic conditions specific to the web, mobile technology, electronic commerce, and cloud computing; consequences of unexpected geopolitical events, natural disasters, acts of war or terrorism, outbreaks of contagious disease, or climate change; and
•general, regional, and/or global economic and political conditions.
As a result, comparing our operating results on a period-to-period basis may not be meaningful. You should not rely upon these comparisons or our past results as indicators of our future performance. Due to the foregoing factors, it is possible that our operating results in one or more future quarters may fall below the expectations of securities analysts and investors or below any guidance we may provide to the market. If this occurs, the trading price of our securities could decline significantly.
In the past we have experienced losses, we had an accumulated deficit of $991.3 million as of December 31, 2024 and we may incur losses in the future.
We have in the past experienced, and we may in the future experience, losses and negative cash flow, either or both of which may be significant. We recorded a net loss of $134.3 million for the year ended December 31, 2024, and as of December 31, 2024, our accumulated deficit was $991.3 million. We cannot assure you that we can sustain or increase profitability on a quarterly or annual basis in the future. Failure to achieve or maintain profitability may materially and adversely affect the market price of our securities. Failure to maintain profitability may materially and adversely affect the market price of our securities.
The non-payment or late payment of amounts due to us from a significant number of customers may negatively impact our financial condition or make it difficult to forecast our revenues accurately.
For the years ended December 31, 2024, 2023 and 2022, our allowance for credit losses was $8.6 million, $9.3 million and $9.2 million, respectively. We base our allowance for credit losses on specifically identified credit risks of customers, historical trends, and other information that we believe to be reasonable. We base our allowance for doubtful accounts on specifically identified credit risks of customers, historical trends, and other information that we believe to be reasonable. A large proportion of receivables is due from larger corporate customers that typically have longer payment cycles. We adjust our allowance for credit losses when accounts previously reserved have been collected. We adjust our allowance for doubtful accounts when accounts previously reserved have been collected. As a result of increasingly long payment cycles, we have experienced unanticipated fluctuations in our revenues from period to period. Any failure to achieve anticipated revenues in a period could cause the market price of our securities to decline.
There are inherent limitations on the effectiveness of our controls.
We do not expect that our disclosure controls or our internal control over financial reporting will prevent or detect all errors and all fraud. A control system, no matter how well-designed and operated, can provide only reasonable, not absolute, assurance that the control system’s objectives will be met. The design of a control system must reflect the fact that resource constraints exist, and the benefits of controls must be considered relative to their costs. Further, because of the inherent limitations in all control systems, no evaluation of controls can provide absolute assurance that misstatements due to error or fraud will not occur or that all control issues and instances of fraud, if any, have been detected. The design of any system of controls is based in part on certain assumptions about the likelihood of future events, and there can be no assurance that any design will succeed in achieving its stated goals under all potential future conditions. Projections of any evaluation of the effectiveness of controls to future periods are subject to risks. Over time, controls may become inadequate due to changes in conditions or deterioration in the degree of compliance with policies or procedures.
15
As a non-accelerated filer, we are no longer required to include, and have not included in this Annual Report, an attestation report from our independent registered public accounting firm as to the effectiveness of our internal control over financial reporting pursuant to Section 404(b) of the Sarbanes-Oxley Act. If and when we again become subject to the auditor attestation requirements under Section 404(b) of the Sarbanes Oxley Act, our independent registered public accounting firm may issue a report that is adverse in the event it is not satisfied with the level at which our internal control over financial reporting is documented, designed or operating. Including such an attestation report would also cause us to incur additional expenses, which may be significant.
There can be no assurance that control issues will not be identified in the future. If we cannot remediate future material weaknesses or significant deficiencies in a timely manner, or if we identify additional control deficiencies that individually or together constitute significant deficiencies or material weaknesses, our ability to accurately record, process, and report financial information and our ability to prepare financial statements within required time periods, could be adversely affected. Failure to maintain effective internal controls could result in violations of applicable securities laws, stock exchange listing requirements, subject us to litigation and investigations, negatively affect investor confidence in our financial statements, and adversely impact our stock price and our ability to access capital markets.
As a “smaller reporting company,” we may comply with certain reduced reporting and disclosure requirements which could make our common stock less attractive to investors.
As a smaller reporting company, we are permitted to comply with scaled-back disclosure obligations in our SEC filings compared to other issuers, including with respect to disclosure obligations regarding executive compensation in our periodic reports and proxy statements. In addition, we are only required to provide two years of audited financial statements in our SEC reports. If we rely on these exemptions, less information will be available in our SEC reports than SEC reports filed by other public companies. We cannot predict if investors will find our common stock less attractive because we may rely on these exemptions. If some investors find our common stock less attractive as a result, there may be a less active trading market for our common stock and our stock price may be more volatile
Because we recognize revenue from subscriptions for our service over the term of the subscription, declines in our business may not be immediately reflected in our operating results.
We generally recognize revenue from customers ratably over the terms of their subscription agreements, which are typically 12 or more months. As a result, much of the revenue we report in each quarter is the result of subscription agreements entered into during previous quarters. Consequently, a decline in new or renewed subscriptions or cancellations of existing subscriptions in any one quarter may not be reflected in our revenue results for that quarter. Any such decline, however, could negatively affect our revenue in future quarters. Our subscription model also makes it difficult for us to rapidly increase our revenue through additional sales in any period, because revenue from new customers and additional revenue from existing customers is generally recognized over the applicable subscription term, rather than immediately.
If our goodwill or long-lived assets become impaired, we may be required to record a significant charge to earnings.
We review our goodwill for impairment at least annually and when events or changes in circumstances indicate that the carrying value may not be recoverable. Factors that may be considered a change in circumstances indicating that the carrying value of our goodwill or amortizable intangible assets may not be recoverable include a decline in stock price and market capitalization, reduced future cash flow estimates, and slower growth rates in our industry. As discussed in Note 5 – Goodwill and Intangible Assets, Net in the Notes to the Consolidated Financial Statements under Item 8 of this Annual Report on Form 10-K, we have experienced impairments in the past, and from time to time, we may be required to record a significant charge to earnings in our consolidated financial statements during the period in which any impairment of our goodwill or amortizable intangible assets is determined, resulting in a negative impact on our results of operations.
Risks Related to Industry Dynamics and Competition
If we are unable to develop and maintain successful relationships with partners, service partners, social media, and other third-party consumer messaging platforms and endpoints, our business, results of operations, and financial condition could be adversely affected.
We believe that continued growth for companies in our industry depends, in part, on enabling brands to connect with consumers across consumers’ preferred conversational channels and messaging endpoints, such as SMS, Facebook Messenger,
16
WhatsApp, Apple Business Chat, Google Rich Business Messenger, Line, Kakao Talk, Instagram, and WeChat. Accordingly, we have identified and developed, and maintain, strategic relationships with many key technology partners. As part of our growth strategy, we plan to further develop partnerships and specific solution areas with additional technology partners. We typically rely on our strategic partners and third-party service providers to supplement our own subject matter expertise and to leverage industry best practice, provide enhanced products and services, and reduce costs. If we fail to establish these relationships in a timely and cost-effective manner or at all, if these strategic partners or third-party service providers fail to provide the services expected, or if we lose any or all of our current relationships, then our business, results of operations, and financial condition could be adversely affected. Replacing a strategic relationship could also take a long time and result in increased expenses. Replacing a strategic relationship could also take a long period of time and result in increased expenses. Additionally, even if we are successful at developing these relationships, but there are problems or issues with the integrations, or our ability to scale and onboard our customers onto new endpoints, our reputation and our prospects may be adversely affected.
We have begun the process of migrating our technology infrastructure to the public cloud and may in the future be unable to secure additional cloud hosting capacity on commercially reasonable terms or at all. If any of our public cloud providers increases pricing terms, terminates or seeks to terminate our contractual relationship, establishes more favorable relationships with our competitors, or changes or interprets their terms of service or policies in a manner that is unfavorable to us, we may be required to transfer to another provider and may incur significant costs and experience service interruptions.
If we are unable to effectively operate on mobile devices, our business could be adversely affected.
We have extended our products and services to support messaging on mobile phone and tablet applications (together, “mobile solutions”) belonging to our company and our customers. If the mobile solutions we have developed do not meet our customers’ needs or the needs of their website visitors, we may fail to retain existing customers and we may have difficulty attracting new customers. If the mobile solutions we have developed do not meet our customers’ needs or the needs of their website visitors, or are not widely adopted by our customers and consumers, we may fail to retain existing customers and we may have difficulty attracting new customers. Such solutions also present risks related to privacy and security, which could subject us to investigations, litigation, or reputational harm. Such solutions may also create new risks related to privacy and security, which could subject us to investigations, litigation, or reputational harm. If we are unable to rapidly innovate and grow mobile revenue, or if we incur excessive expenses in this effort, our financial performance and prospects may be negatively affected. If we are unable to rapidly innovate and grow mobile revenue, or if we incur excessive expenses in this effort, our financial performance and ability to continue to grow overall revenue may be negatively affected.
Additionally, our mobile phone and tablet applications and those of our customers depend on their interoperability with popular mobile operating systems, networks, and standards that we and they do not control, such as Android and iOS operating systems, and any changes in such systems and terms of service that degrade the functionality of our solutions or give preferential treatment to competitive products could adversely affect our revenue. We may not be successful in developing products that operate effectively with these technologies, systems, networks, or standards. As new devices and platforms are released, it is difficult to predict the challenges we may encounter in developing versions of our solutions for use on these alternative devices. As new devices and platforms are continually being released, it is difficult to predict the challenges we may encounter in developing versions of our solutions for use on these alternative devices.
The markets in which we participate are highly competitive, and we may lose customers and revenue if we are not able to innovate or effectively compete.
The markets for mobile and online business messaging, digital engagement and AI technology are intensely competitive, rapidly changing, and characterized by aggressive marketing, pricing pressure, evolving industry standards, rapid technology developments, and frequent new product introductions. We believe that competition will continue to increase as our current competitors increase the sophistication of their offerings and as new participants enter the market, which may cause additional pressure. If we are unable to accurately anticipate technology developments and to innovate in the markets in which we compete and develop successful integrations with third-party consumer messaging platforms, AI providers, and endpoints, or our competitors are more successful than us at developing compelling new products, services, and integrations, or at attracting and retaining customers, we may lose revenue and market share and our operating results could be adversely affected. If we are unable to accurately anticipate technology developments and continue to innovate in the markets in which we compete and develop successful integrations with third-party consumer messaging platforms, AI providers, and endpoints, or our competitors are more successful than us at developing compelling new products, services, and integrations, or at attracting and retaining customers, we may lose revenue and market share and our operating results could be adversely affected.
We have current and potential competition from providers of messaging and digital engagement solutions that enable companies to engage and connect with their consumer customers, as well as technology providers that offer customer relationship management and contact center solutions. We have current and potential competitors in many different industries, including:
•technology or service providers offering or powering competing digital engagement, contact center, communications, or customer relationship management solutions, such as eGain, Genesys, Nuance, Oracle, Salesforce.com and Twilio;
•service providers that offer basic messaging products or services with limited functionality free of charge or at significantly reduced entry level prices;
17
•social media, social listening, messaging, AI, bots, e-commerce, and/or data and data analytics companies, such as Meta Platforms, Google and WeChat, which may leverage their existing or future capabilities and consumer relationships to offer competing B2B solutions; and
•customers that develop and manage their messaging solutions in-house.
In addition, many of our current and potential competitors have substantial competitive advantages, such as greater brand recognition, significantly larger financial, marketing, and resource and development budgets, access to larger customer bases, larger and more established marketing and distribution relationships, and/or more diverse product and service offerings. As a result, these competitors may be able to respond more quickly and effectively than we can to any change in the general market acceptance of messaging services or any new or changing opportunities, technologies, standards, pricing strategies, or customer requirements. Also, because of these advantages, potential customers may select a competitor’s products and services, even if our services are more effective. For all of these reasons, we may not be able to compete successfully against our current and future competitors.
We may be unable to respond to rapid technological change and changing customer preferences in the online sales, marketing, customer service, and/or online e-commerce industries and this may harm our business.
If we are unable, for technological, legal, financial, or other reasons, to adapt in a timely manner to changing market conditions in the online sales, marketing, customer service, and/or e-commerce industries or our customers’ requirements or preferences, our business, results of operations, and financial condition would be materially and adversely affected. Online business is characterized by rapid technological change. Sudden changes in customer and consumer requirements and preferences, frequent new product and service introductions embodying new technologies, and the emergence of new industry and regulatory standards and practices including without limitation data privacy, security, and AI standards, could render the LivePerson services and our proprietary technology and systems obsolete. Sudden changes in customer and consumer requirements and preferences, frequent new product and service introductions embodying new technologies, and the emergence of new industry and regulatory standards and practices such as but not limited to data privacy and security standards, could render the LivePerson services and our proprietary technology and systems obsolete. The rapid evolution of these products and services requires that we continually improve the performance, features and reliability of our services. The rapid evolution of these products and services will require that we continually improve the performance, features and reliability of our services. Our success depends, in part, on our ability to:
•enhance the features and performance of our services;
•develop and offer new services that are valuable to companies doing business online; and
•respond to technological advances and emerging industry and regulatory standards and practices in a cost-effective and timely manner.
If any of our new services, including upgrades to our current services, do not meet our customers’ or consumers’ expectations, we could lose customers and our business may be harmed. Updating our technology may require significant additional capital expenditures. Updating our technology may require significant additional capital expenditures and could materially and adversely affect our business, results of operations, and financial condition.
Our failure to update our technology or expand our operations in an efficient manner could cause our expenses to grow, our revenue to decline and could otherwise have a material adverse effect on our business, results of operations, and financial condition.
Downturns in the global economic environment or in particular industries in which our sales are concentrated may adversely affect our business and results of operations.
The U.S. and other global economies have experienced in the past and could in the future experience economic downturn that affects all sectors of the economy, resulting in declines in economic growth and consumer confidence, increases in unemployment rates and uncertainty about economic stability. Further, there is increased uncertainty regarding social, political, immigration and trade policies in the U.S. (including implementation of tariffs on U.S. imports and retaliatory tariffs), which could impact our global operations and our business. Global credit and financial markets have in the past experienced extreme disruptions, including diminished liquidity and credit availability and rapid fluctuations in market valuations. Our business has been affected by these conditions in the past and could be similarly impacted in the future by any downturn in global economic conditions.
Our business is, and will continue to be, dependent on sales to customers in the telecommunications, financial services, retail, travel, consumer/retail, automotive, and technology industries. A downturn in one or more of these industries could have a material adverse effect on our business, liquidity, results of operations, financial condition and cash flows. In the event that industry conditions deteriorate in one or more of these industries, we could experience, among other things, cancellation or non-renewal of existing contracts, reduced demand for our products and reduced sales. Weak economic conditions may cause our customers to experience difficulty in supporting their current operations and implementing their business plans. Weak economic conditions may also cause our customers to experience difficulty in supporting their current operations and implementing their business plans. Our customers
18
may reduce their spending on our services, may not be able to discharge their payment and other obligations to us, may experience difficulty raising capital, or may elect to scale back the resources they devote to customer service and/or sales and marketing technology, including services such as ours. Economic conditions may also lead consumers and businesses to postpone spending, which may cause our customers to decrease or delay their purchases of our products and services.
It could be difficult to predict the timing, strength or duration of any economic slowdown or subsequent economic recovery, either relating to the global economic environment or to any particular industry in which our sales are concentrated, which, in turn, could make it more challenging for us to forecast our operating results, make business decisions and identify risks that may adversely affect our business, sources and uses of cash, financial condition and results of operations. If economic conditions deteriorate for us or our customers, we could be required to record charges relating to restructuring costs or the impairment of assets, may not be able to collect receivables on a timely basis, and our business, financial condition, and results of operations could be materially adversely affected.
Risks Related to Security Vulnerabilities and Service Reliability
Failures or security breaches in our services or systems, those of our third-party service providers, customers or partners, including those resulting from cyber-attacks, security vulnerabilities, defects, or errors, could harm our business.
Our products and services involve the storage and transmission of proprietary information and personal data related to our customers and their users, employees and consumers. Theft and security breaches expose us to a risk of improper use, disclosure or loss of such information, which could result in litigation, regulatory investigation, and potential liability.
In the period prior to the completion of our public cloud migration, we are exposed to risks inherent in maintaining the stability and security of our legacy infrastructure due to prior customization, aging and obsolescence of related legacy systems and third-party technologies. Because our customers are, and may continue to be, dependent upon these legacy systems, we also face an increased level of embedded risk in maintaining the legacy systems. Moreover, our ability to timely mitigate, manage and patch vulnerabilities related to legacy systems and related legacy third-party technologies could impact our system security as well as our day-to-day operations, and the deployment of technology enhancements and innovation. In addition, we face risks related to recently acquired businesses and in-process integration of related technologies and platforms. If our operational systems, or those of external parties on which our business depends, are unable to meet our or our customers’ business and operations requirements, or if they fail, have other significant shortcomings or are impacted by cyber-attacks, we could be materially and adversely affected. If a significant number of our customers, or any one customer to whom we provide a significant amount of services, were to terminate services, reduce the amount of services purchased, or fail to purchase additional services, our results of operations may be negatively and materially affected.
We experience cyber-attacks of varying degrees on a regular basis in the ordinary course of our business. Our security measures may also be breached and such breach may be difficult to contain—due to employee or other error, lack of appropriately restricted technical and administrative or privileged access controls, intentional malfeasance and other third-party acts, and system errors or vulnerabilities, including vulnerabilities of our third-party service providers, our customers, partners, or otherwise. We have announced plans to move our technology infrastructure to the public cloud, which will require us to rely on third-party cloud providers to maintain appropriate safeguards.
Additionally, following the COVID-19 pandemic, we elected to maintain a globally distributed, substantially remote workforce. Remote working arrangements may increase the risk of cybersecurity incidents or data breaches. Remote working arrangements may potentially further increase the risk of cyber incidents or data breaches. Our use of employees and contractors from countries with higher rates of cybercrime and whose privacy laws reduce our ability to perform full background checks may increase risk of a cybersecurity incident or data breach, including insider risk.
A breach or unauthorized access, or attempts by outside parties to fraudulently induce employees, users, vendors, or customers to disclose sensitive information in order to gain access to our data or data of our customers, users, experts, or consumers, including, but not limited to, individual personal information and financial credit or debit card data that is protected by law or contract, could result in significant legal and financial exposure, damage to our reputation, and a loss of confidence in the security of our products and services that could potentially have an adverse effect on our business.
While we continue to take measures to enhance our information security program and safeguard our products and services, cybersecurity threats and vulnerabilities in desktop computers, mobile phones, smartphones and handheld devices, as well as cyber-attacks, cybersecurity threats, malicious actors and other security incidents continue to evolve in sophistication and frequency industry-wide, and there can be no assurance that we can prevent all security risks. Furthermore, while the Company has designed an information security program to protect our information systems from cybersecurity threats, and to ensure the confidentiality, integrity and availability of systems and information used, owned or managed by the Company related to our
19
employees, our customers and their users, implementation of the supporting controls has coverage gaps and weaknesses and potential for human error that could provide threat actors a window of time to exploit such weaknesses before they are identified and/or addressed. The goal of the information security program is to manage risks in a prioritized fashion; however, control gaps and/or effectiveness, resource constraints, and execution failure can pose cybersecurity risk to LivePerson. In addition, although we work to continuously improve our internal controls and procedures on cybersecurity incident management, prevention, detection, mitigation, response, and recovery, we may be unsuccessful in detecting, reporting or responding to these events in a timely manner, accurately assessing the severity of an event, or sufficiently preventing, limiting, or containing harm arising out of an event.
Because the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems are constantly evolving in sophisticated ways to avoid detection and often are not recognized until launched against a target, it may be difficult or impossible for us to anticipate or identify these techniques or to implement adequate preventative measures. Because the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems, are constantly evolving in sophisticated ways to avoid detection and often are not recognized until launched against a target, it may be difficult or impossible for us to anticipate or identify these techniques or to implement adequate preventative measures. And while technological advancements enable more data and processes, such as mobile computing and mobile payments, they also increase the risk that cyber-attacks and other security incidents will occur. Additionally, the global threat of cyber-attacks has increased in response to the Russia-Ukraine war and the Israel-Hamas war. Additionally, the global threat of cyber-attacks has increased in response to the Russia-Ukraine War. An advanced threat actor of high sophistication, such as a nation state, with essentially unlimited resources, poses a significant risk to LivePerson and arguably all similarly situated firms with LivePerson’s size and resources. A significant cyber-attack, or a security incident of any magnitude that is profiled in the media, involving our, our third-party service providers’ or our customers’ systems, could result in material harm to our brand and reputation, and our ability to deliver our services or retain customers, and expose us to lawsuits, regulatory investigations, and significant damages, fines or penalties.
Moreover, our customers may authorize third-party access to their customer data located in our cloud environment.In addition, our customers may authorize third-party access to their customer data located in our cloud environment. Because we do not control the transmissions to customer-authorized third parties, or the processing of such data by customer-authorized third parties, we cannot ensure the integrity or security of such transmissions or processing. Because our services are responsible for critical communication between our customers and consumers, any security failures, defects or errors in our components, materials or software or those used by our customers could have an adverse impact on us, on our customers and on the end users of their websites and applications. Such adverse impact could include a decrease in demand for our services, damage to our reputation and to our customer relationships, legal exposure, and other financial liability or harm to our business.
We may be liable if third parties access or misappropriate confidential or personal data from our systems or services.
The dialogue transcripts of the text-based chats, email interactions and other interactions between our customers and their users may include sensitive and/or personally identifiable information such as personal contact and demographic information, financial information, personal health matters, and account numbers. Although we employ and continually test and update our security measures to protect this information from unauthorized access, it is still possible that our security measures could be breached and such a breach could result in unauthorized access to our customers’ data or our data, including our intellectual property and other confidential business information. These risks could arise from acts of external parties or from acts or omissions of employees or third-party service provider personnel to whom we have granted access to our systems, including if the information systems used by such third parties are penetrated or compromised by an insider or by external third parties. Because the techniques employed by hackers to obtain unauthorized access or to sabotage systems change frequently and are becoming more sophisticated in circumventing security measures and avoiding detection, we may be unable to anticipate all techniques or to implement adequate preventative measures. A security breach could result in disclosure of our trade secrets or disclosure of confidential customer, supplier or employee data. Any security breach could result in disclosure of our trade secrets or disclosure of confidential customer, supplier or employee data. If third parties were able to penetrate our network security or otherwise copy and/or misappropriate personal data relating to our customers’ users or the text of customer service inquiries, our competitive position may be harmed and we could be subject to liability. If third parties were able to penetrate our network security or otherwise misappropriate personal data relating to our customers’ users or the text of customer service inquiries, our competitive position may be harmed and we could be subject to liability. In the event of a security incident, we could be required to comply with a myriad of breach notification laws at the state, federal and international level, which may cause business disruption and extensive notification costs, and could lead to penalties, government investigations and lawsuits for compliance failures. We may as a result of a security incident be deemed out of compliance with U.S. federal and state laws, international laws, securities laws or contractual commitments, and we may be subject to government investigations, lawsuits, fines, criminal penalties, statutory damages, and other costs to respond to breach or security incidents, which could have a material adverse effect on our business, results of operations, and financial condition. We may incur significant costs to protect against the threat of security breaches or to mitigate the harm and alleviate problems caused by such breaches. While we currently maintain insurance coverage that may cover certain cybersecurity risks, such insurance coverage is subject to certain exclusions and exceptions and may be insufficient to cover all losses. While we currently maintain insurance coverage that may cover certain cyber security risks, such insurance coverage is subject to certain exclusions and exceptions and may be insufficient to cover all losses.
Furthermore, certain software and services that we use to operate our business are hosted and/or operated by third parties or integrated with our systems. As we expand our use of cloud-based services, we will increasingly rely on third-party cloud
20
providers to maintain appropriate safeguards to protect confidential or personal data we receive. While we have conducted initial due diligence on these cloud providers with respect to their security and business controls, we may not have the visibility to effectively monitor the implementation, configuration, and efficacy of these controls. While we intend to conduct due diligence on these cloud providers with respect to their security and business controls, we may not have the visibility to effectively monitor the implementation and efficacy of these controls. If third-party services do not have adequate security measures in place, experience service interruptions, or have their security breached, our business operations could be similarly disrupted and we could be exposed to liability and costly investigations or litigation. The risk of circumvention of our security measures or those of third parties on which we rely has been heightened by advances in computer and software capabilities and the increasingly complex techniques employed by, bad actors. In particular, supply-chain attacks have increased in frequency and severity, and there can be no assurance that third parties’ infrastructure in our supply chain or our third-party service providers’ supply chains have not been compromised.
The need to properly secure, and securely transmit and store, confidential information online requires caution and has shaped the e-commerce and online communications landscape, and increasingly has become an area of consumer and regulatory focus and concern. Any publicized compromise of security could deter people from using online services such as the ones we offer or from using them to conduct transactions, which involve transmitting confidential information. Because our success depends on the general acceptance and reputation of our services and electronic commerce, we may incur significant costs to protect against the threat of security breaches or to alleviate problems caused by these breaches.
We provide service-level commitments to certain customers. If we do not meet these contractual commitments, or if we suffer significant outages, we could be obligated to provide credits or refunds or face contract terminations, which could adversely affect our revenue and harm our reputation. If we do not meet these contractual commitments, we could be obligated to provide credits or refunds or face contract terminations, which could adversely affect our revenue and harm our reputation.
We offer service-level commitments in certain of our customer contracts, primarily related to uptime of our service. If we are unable to meet the stated service-level commitments or suffer periods of downtime that exceed the periods allowed under our customer contracts, whether due to downtime caused by us or our third-party service providers, which has occurred on several occasions in the past and could occur in the future (including in connection with the migration of our technology infrastructure to the public cloud), we may be contractually obligated to provide these customers with service credits and/or pay financial penalties, which could significantly impact our revenue. If we are unable to meet the stated service level commitments or suffer periods of downtime that exceed the periods allowed under our customer contracts, whether due to downtime caused by us or our third-party service providers, which has occurred on several occasions in the past and could occur in the future (including in connection with the migration of our technology infrastructure to the public cloud), we may be contractually obligated to provide these customers with service credits and/or pay financial penalties, which could significantly impact our revenue. In addition, even if our contracts provide otherwise, these customers may attempt to terminate or reduce their contracts, which has occurred from time to time, and/or pursue other legal remedies. In addition, even if our contracts provide otherwise, these customers may attempt to terminate or reduce their contracts, which has occurred from time to time, and/or pursue other legal remedies. Recurring or extended service outages and the inability to recover our services and systems in a timely fashion could also cause damage to our reputation and result in substantial customer dissatisfaction or loss, could cause significant interruptions to our business operations, and could cause us to incur significant costs or divert the attention of our technical or other personnel to recover, all of which could adversely affect our current and future revenue and operating results. As we rely heavily on our servers, computer and communications systems and the internet to conduct our business and provide high quality service to our customers, such disruptions could negatively impact our ability to run our business, result in loss of existing or potential customers and increased expenses, and/or have an adverse effect on our reputation and the reputation of our products and services, any of which would adversely affect our operating results and financial condition.
We are dependent on technology systems and third-party content that are beyond our control.
The success of our services depends in part on our customers’ online services as well as the internet and mobile connectivity of consumers, both of which are outside of our control. As a result, it may be difficult to identify the source of problems if they occur. In the past, we have experienced problems related to connectivity, which has resulted in slower than normal response times to user messaging requests and interruptions in service. Our services rely both on the internet and on our connectivity vendors for data transmission. Therefore, even when connectivity problems are not caused by our services, our customers or their consumers may attribute the problem to us. This could diminish our brand and harm our business, divert the attention of our technical personnel or cause significant customer relations problems. This could diminish our brand and harm our business, divert the attention of our technical personnel from our product development efforts or cause significant customer relations problems.
In addition, we outsource certain critical business activities to third parties and plan to continue to do so.We also outsource certain critical business activities to third parties and plan to continue to increasingly do so. We rely in part on service providers and other third parties for various services, including, but not limited to, internet connectivity, network infrastructure hosting, security and maintenance, and utilize software and hardware from a variety of vendors.In addition, we rely in part on third-party service providers and other third parties for various services, including, but not limited to, internet connectivity, network infrastructure hosting, security and maintenance, and software and hardware from a variety of vendors. As a result, we rely upon the successful implementation and execution of the business continuity and repopulation planning of these providers. As a result, we rely upon the successful implementation and execution of the business continuity and repopulation planning of such entities in the current environment. These providers may experience problems that result in slower than normal response times, interruptions in service or other operational failures. These providers may experience problems that result in slower than normal response times and/or interruptions in service. If we are unable to continue utilizing the third-party services that support our web hosting and infrastructure or if our services experience interruptions or delays due to existing third-party service providers, new third-party service providers or a transition between third-party service providers, our reputation and business could be harmed, and we may be exposed to legal and reputational risk, and significant remediation costs. If we are unable to continue utilizing the third-party services that support our web hosting and 26infrastructure or if our services experience interruptions or delays due to existing third-party service providers or transition to new third-party service providers, our reputation and business could be harmed, and we may be exposed to legal and reputational risk, and significant remediation costs.
We also rely on the security of our third-party service providers to protect our proprietary information and information of our customers and their end users. IT system failures, including a breach of our or our third-party service providers’ data security, could disrupt our ability to function in the normal course of business by potentially causing, among other things, an unintentional disclosure of customer information or loss of information. Information technology system failures, including a breach of our or our third-party service providers’ data security, could disrupt our ability to function in the normal course of business by potentially causing, among other things, an unintentional disclosure of customer information or loss of information. Additionally, despite our security procedures or those of our third-party
21
service providers, information systems may be vulnerable to threats such as computer hacking, ransomware, cyber-terrorism or other unauthorized attempts by third parties to access, obtain, modify or delete our or our customers’ data. Any such breach could have a material adverse effect on our operating results and our reputation as a provider of business collaboration and communications solutions and could subject us to significant penalties and negative publicity, as well as government investigations and claims for damages or injunctive relief under state, federal and foreign laws or contractual agreements.
We also depend on third parties for hardware and software.We also depend on third parties for hardware and software, and our consumer services depend on third parties for content. Such products could contain errors, defects, software bugs, material vulnerabilities, or inaccurate information that may be difficult to detect and correct, and could require us to incur significant costs or divert the attention of our technical or other personnel from our product development efforts. To the extent any such problems require us to replace such hardware or software, we may not be able to do so on acceptable terms, if at all.
Technological or other defects could disrupt or negatively impact our services, which could harm our business and reputation.
We face risks related to the technological capabilities of our services. We expect the number of interactions between our customers’ operators and consumers over our system to increase significantly as we expand our customer base. Our network hardware and software may not be able to accommodate this additional volume. Additionally, we must continually upgrade our software to improve the features and functionality of our services in order to be competitive in our markets. If future versions of our software contain undetected errors, our business could be harmed. As a result of software upgrades at LivePerson, our customer sites have, from time to time, experienced slower than normal response times and interruptions in service. If we experience system failures or degraded response times, our reputation and brand could be harmed. We may also experience technical problems in the process of installing and initiating the LivePerson services on new web hosting services, including in connection with our plans to migrate our technology infrastructure to the public cloud. These problems, if not remedied, could harm our business.
Our services also depend on complex software which may contain defects, particularly when we introduce new versions. We may not discover software defects that affect our new or current services or enhancements until after they are deployed. It is possible that, despite testing by us, defects may occur in the software. These defects could result in:
•damage to our reputation;
•lost sales;
•contract terminations;
•loss of market share;
•delays in or loss of market acceptance of our products; and
•unexpected expenses and diversion of resources to remedy errors.
Our products are complex, and errors, failures, or “bugs” may be difficult to correct.
Our products are complex, integrating hardware, software and elements of a customer’s existing infrastructure. Despite quality assurance testing conducted prior to the release of our products, our software may contain “bugs” that are difficult to detect and fix. Any such issues could interfere with the expected operation of a solution, which might negatively impact customer satisfaction, reduce sales opportunities or affect gross margins. Depending upon the size and scope of any such issue, remediation may have a negative impact on our business. Our inability to cure an application or product defect, should one occur, could result in the failure of an application or product line, damage to our reputation, litigation, and/or product reengineering expenses. Our insurance may not cover, or may be insufficient to cover fully, expenses associated with such events. Our insurance may not cover or may be insufficient to cover expenses associated with such events.
Failure to license necessary third-party software for use in our products and services, or failure to successfully integrate third-party software, could cause delays or reductions in our sales, or errors or failures of our service.
We license third-party software that we incorporate into our products and services. In the future, we might need to license other software to enhance our products and meet evolving customer requirements. These licenses may not continue to be available on commercially reasonable terms or at all. Some of this technology could be difficult to replace once integrated. The loss of, or inability to obtain, these licenses could result in delays or reductions of our products and services until we identify, license and integrate or develop equivalent software, and new licenses could require us to pay higher royalties. If we are unable to
22
successfully license and integrate third-party technology, we could experience a reduction in functionality and/or errors or failures of our products, which may reduce demand for our products and services.
Third-party licenses may expose us to increased risks, including risks associated with the integration of new technology, the impact of new technology integration on our existing technology, open-source software disclosure requirements, the diversion of resources from the development of our own proprietary technology, and our inability to generate revenue from new technology sufficient to offset associated acquisition and maintenance costs.
Our business is subject to the risks of earthquakes, fires, floods, and other natural catastrophic events and to interruption by man-made problems such as terrorism or cyber-attacks.
Although we intend to migrate our technology infrastructure to the public cloud, a substantial majority of our computer and communications infrastructure is running in our private cloud on hardware that is located at a limited number of facilities in the United States, Europe, and Australia. Our systems, operations, and data centers are vulnerable to damage or interruption from earthquakes, fires, floods, hurricanes, other acts of nature, power losses, telecommunications failures, terrorist attacks, acts of war, human errors, break-ins, state-sponsored or other cyber-attacks or failures, pandemics or other public health crises, or similar events. Our systems and operations are vulnerable to damage or interruption from earthquakes, fires, floods, hurricanes, other acts of nature, power losses, telecommunications failures, terrorist attacks, acts of war, human errors, break-ins, state-sponsored or other cyber-attacks or failures, pandemics or other public health crises, or similar events. For example, a significant natural disaster, such as an earthquake, fire or flood, could have a material adverse impact on our business, operating results and financial condition, and our insurance coverage may be insufficient to compensate us for losses that may occur. Our global data providers could be vulnerable to the physical effects of climate change, including increased frequency and duration of extreme weather events and natural disasters. In addition, acts of terrorism could cause disruptions in our business or the economy as a whole. Our servers may also be vulnerable to computer viruses, break-ins, cyber-attacks, such as coordinated denial-of-service attacks or ransomware, or other failures, and similar disruptions from unauthorized tampering with our computer systems, which could lead to interruptions, delays, loss of critical data or the unauthorized disclosure of confidential customer data. Although we have implemented security measures and data recovery capabilities, there can be no assurance that we will not suffer from business interruption, or unavailability or loss of data, as a result of any such events, or that data recovery would be complete or on a timeline expected by our customers. If we fail to comply with these rules or requirements, we may be subject to fines and higher transaction fees and lose our ability to accept credit and debit card payments from our customers or facilitate other types of online payments, and our business and operating results could be adversely affected. As we rely heavily on our servers, computer and communications systems and the internet to conduct our business and provide high quality service to our customers, such disruptions could negatively impact our ability to run our business, result in loss of existing or potential customers and increased expenses, and/or have an adverse effect on our reputation and the reputation of our products and services, any of which would adversely affect our operating results and financial condition.
Risks Related to Regulatory and Data Privacy Issues
Our business is subject to a variety of U.S. and international laws and regulations regarding privacy, data protection and AI, and increased public scrutiny of privacy, security and AI issues could result in increased government regulation, industry standards, and other legal obligations that could adversely affect our business.
We collect, process, store, and use personal data and other information generated during mobile and online messaging between brands and consumers and between experts and consumers. We collect, process, store, and use personal data and other information generated during mobile and online messaging between brands and consumers and between experts and consumers. We post our privacy policies and practices on our websites and we also often include privacy commitments in our contracts. Our business is subject to numerous federal, state and international laws and regulations regarding privacy, data protection, personal information, security, data collection, storage, use and transfer, and the use of cookies and similar tracking technologies. To the extent that additional legislation regarding user privacy is enacted, such as legislation governing the collection and use of information regarding internet or mobile users through the use of cookies or similar technologies, the effectiveness of our services could be impaired by restricting us from collecting or using information that may be valuable to our customers and/or exposing us to lawsuits or regulatory investigations. The foregoing could have a material adverse effect on our business, results of operations, and financial condition. The foregoing could have a material adverse effect our business, results of operations, and financial condition.
U.S. and international privacy laws and regulations are evolving and changing, subject to differing interpretations, may be costly to comply with, and may be inconsistent among countries and jurisdictions or conflict with other rules. To the extent we expand our operations in other countries, our liability exposure and the complexity and cost of compliance with data and privacy requirements will likely increase. As we expand our operations in these countries, our liability exposure and the complexity and cost of compliance with data and privacy requirements will likely increase. Any failure by us to comply with our posted privacy policies, applicable federal, state or international laws and regulations relating to data privacy, data protection and AI, or the privacy commitments contained in our contracts, could result in proceedings against us by governmental entities, customers, consumers, watchdog groups or others, which could have a material adverse effect on our business, financial condition and results of operations. Any failure by us to comply with our posted privacy policies, applicable federal, state or international laws and regulations relating to data privacy and data protection, or the privacy commitments contained in our contracts, could result in proceedings against us by governmental entities, customers, consumers, watchdog groups or others, which could have a material adverse effect on our business, financial condition and results of operations. In addition, the increased attention focused upon liability as a result of lawsuits and legislative proposals and enactments could harm our reputation or otherwise impact our business, results of operations and financial condition. In addition, the increased attention focused upon liability as a result of lawsuits and legislative proposals and enactments could harm our reputation or otherwise impact the growth of our business.
23
Laws and practices regarding handling and use of personal and other information by companies have come under increased public scrutiny, and governmental entities, consumer agencies and consumer advocacy groups have called for, and in many instances, enacted increased regulation and changes in industry practices. For example, we are subject to the European Union (“E.U.”) General Data Protection Regulation (“GDPR”), which imposes significantly greater compliance burdens on companies that control or process personal data of users primarily located in the E. General Data Protection Regulation (“GDPR”) imposes significantly greater compliance burdens on companies that control or process personal data of users primarily located in the E. U. and, for noncompliance, provides for considerable fines up to the higher of 20 million Euros or 4% of global annual revenue. Additionally, following the United Kingdom’s withdrawal from the E.U., we also are subject to the U.K. General Data Protection Regulation (“U.K. GDPR”), a version of the GDPR as implemented into the laws of the U.K. While the GDPR and U.K. GDPR remain substantially similar for the time being, the U.K. government has announced that it would seek to chart its own path on data protection and reform its relevant laws, including in ways that may differ from the GDPR in some respects. While these developments increase uncertainty with regard to data protection regulation in the U.K., even in their current, substantially similar form, the GDPR and U.K. GDPR can expose businesses to divergent parallel regimes that may be subject to potentially different interpretations and enforcement actions for certain violations and related uncertainty. The GDPR and U.K. GDPR also impose certain technological requirements that may, from time to time, require us to make changes to our services to enable LivePerson and/or our customers to meet legal requirements and may impact how data protection is addressed in our customer and vendor agreements. The GDPR also imposes certain technological requirements that may, from time to time, require us to make changes to our services to enable LivePerson and/or our customers to meet legal requirements and may impact how data protection is addressed in our customer and vendor agreements. E.U. and U.K. regulators have issued numerous fines pursuant to the GDPR and U. European regulators have issued numerous fines pursuant to the GDPR. K. GDPR, respectively. Ensuring compliance with the GDPR and U.K. GDPR is an ongoing commitment that involves substantial costs, and it is possible that despite our efforts, governmental authorities or third parties will assert that our services or business practices fail to comply. Ensuring compliance with the GDPR is an ongoing commitment that involves substantial costs, and it is possible that despite our efforts, governmental authorities or third parties will assert that our services or business practices fail to comply. We also must require vendors that process personal data to take on additional privacy and security obligations, and some may refuse, causing us to incur potential disruption and expense related to our business processes. If our policies and practices, or those of our vendors, are, or are perceived to be, insufficient, we could be subject to enforcement actions or investigations by Data Protection Authorities (including in the E.U. and U.K.) or lawsuits by private parties, and our business could be negatively impacted.
The E.U. has also released a proposed Regulation on Privacy and Electronic Communications (“e-Privacy Regulation”) to replace the E.U.’s Privacy and Electronic Communications Directive (“e-Privacy Directive”) to, among other things, better align with the GDPR, to amend the current e-Privacy Directive’s rules on the use of cookies and other tracking technologies, and to harmonize across current E.U. member state e-privacy data protection laws. Compliance with changes in laws and regulations related to privacy may require significant cost, limit the use and adoption of our services, and require material changes in our business practices that result in reduced revenue. Compliance with changes in laws and regulations related to privacy may require significant cost, limit the use and adoption of our services, and require material changes in our business practices that result in reduced revenue. Noncompliance could result in material fines and penalties, litigation, regulatory investigation and/or governmental orders requiring us to change our data practices, which could damage our reputation and harm our business. Noncompliance could result in material fines and penalties, litigation, regulatory investigation and/or governmental orders requiring us to change our data practices, which could damage our reputation and harm our business.
Additionally, complexity and regulatory compliance uncertainty under the GDPR regarding certain transfers of personal information from the European Economic Area (the “EEA”) to the United States and certain other third countries remains. For instance, recent legal developments in Europe have created complexity and regulatory compliance uncertainty regarding certain transfers of personal information from the European Economic Area (the “EEA”) to the United States and certain other third countries. For example, on October 7, 2022, President Biden signed an Executive Order on “Enhancing Safeguards for United States Intelligence Activities,” which introduced new redress mechanisms and binding safeguards to address concerns raised in 2020 by the Court of Justice of the European Union in relation to data transfers from the EEA to the United States and which formed the basis of the new E.U.-US Data Privacy Framework (“DPF”), as released on December 13, 2022. The European Commission adopted its Adequacy Decision in relation to the DPF on July 10, 2023, rendering the DPF effective as an E.U. GDPR transfer mechanism to U.S. entities self-certified under the DPF. On October 12, 2023, the U. On January 31, 2020, the U. K. Extension to the DPF came into effect (as approved by the U.K. Government), as a U.K. GDPR data transfer mechanism to U.S. entities self-certified under the U.K. Extension to the DPF. We currently rely on the DPF and on a similar Swiss-US Data Privacy Framework to transfer certain personal data from the EEA and Switzerland, respectively to the United States and on the U.K. Extension to the DPF to transfer certain personal data from the U.K. to the United States. In recent years, the UK government has introduced proposed legislation intended to create a more business-friendly regime in the UK through changes to the existing data protection legislation. At this stage it is unclear whether and when changes to the legislation will be adopted and whether such legislative reforms could potentially lead the European Commission not to extend or to revoke the UK adequacy decision. We also currently rely on the E.U. standard contractual clauses and the U.K. Addendum to the E.U. standard contractual clauses and the U.K. International Data Transfer Agreement as relevant to transfer personal data outside the EEA and the U.K. with respect to both intragroup and third-party transfers. We expect the existing legal complexity and uncertainty regarding international personal data transfers to continue. In particular, we expect the DPF Adequacy Decision to be challenged and international transfers to the United States and to other jurisdictions more generally to continue to be subject to enhanced scrutiny by regulators.
If the transfer mechanisms we rely on are not sufficient and we are unable to transfer personal data between and among countries and regions in which we operate, it could affect the manner in which we provide our services and could adversely affect our financial results, and, until the legal uncertainties regarding how to legally continue transfers pursuant to the standard contractual clauses and other mechanisms are settled, we will continue to face uncertainty as to whether our efforts to comply
24
with our obligations under the GDPR and U.K. GDPR will be sufficient. Failure to comply with existing or new rules may result in significant penalties or orders to stop the alleged noncompliant activity.
In addition to the changing regulatory landscape in the E.U. and the U.K., we are subject to U.S. laws and regulations, including at the state level, such as the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (“CPRA”), which took effect on January 1, 2023 (the “CCPA”). Among other things, the CCPA gives California residents expanded data privacy rights, allowing consumers to opt out of certain data sharing with third parties, provides a private cause of action for data breaches, imposes additional obligations such as data minimization and storage limitations; on covered businesses; and forms a dedicated privacy regulator in California, the California Privacy Protection Agency, to implement and enforce the law. The CCPA marked the beginning of a trend toward more stringent state data privacy legislation in the United States, which may result in significant costs to our business, damage our reputation, and require us to amend our business practices, and could adversely affect our business, especially to the extent the specific requirements vary from those and other existing laws.” The CCPA marked the beginning of a trend toward more stringent state data privacy legislation in the United States, which may result in significant costs to our business, damage our reputation, require us to amend our business practices, and could adversely affect our business, especially to the extent the specific requirements vary from those and other existing laws. For example, comprehensive privacy laws in multiple U.S. states have gone, or will go, into effect between 2024 and 2026, and a number of other states are considering similar laws related to the protection of consumer personal information. Moreover, laws in all 50 U.S. states require businesses to provide notice under certain circumstances to consumers whose personal information has been disclosed as a result of a data breach. Many similar laws have been proposed at the federal and state level; accordingly, we also may be subject to additional compliance obligations as such legislation is considered and adopted, which may require us to modify our data processing practices and policies and incur substantial costs and expenses to comply.
In addition to government activity, privacy advocacy and other industry groups have established and may continue to establish new self-regulatory standards that may place additional burdens on us. If our privacy practices are deemed unacceptable by watchdog groups or privacy advocates, such groups may take measures that harm our business by, for example, disparaging our reputation and our business, which may have a material adverse effect on our results of operations, and financial condition. If our privacy practices are deemed unacceptable by watchdog groups or privacy advocates, such groups may take measures that harm our business by, for example, disparaging our reputation and our business, which may have a material adverse effect on our results of operations, and financial condition. In addition, privacy concerns may cause consumers to avoid online sites that collect various forms of data or to resist providing the data necessary to allow our customers to use our services effectively. In addition, privacy concerns may cause consumers to avoid online sites that collect various forms of data or to resist providing the data necessary to allow our customers to use our services effectively. Even the perception of data security and data privacy concerns, whether or not valid, could inhibit sales and market acceptance of our products and services.
Our business is subject to a variety of U.S. and foreign laws, and existing, new and developing regulatory or other legal requirements could subject us to claims or materially impact our business.
We and our customers are subject to a number of laws and regulations in the United States and abroad, including laws related to conducting business on the internet and on mobile devices, such as laws regarding data privacy, data protection, information security, cybersecurity, restrictions or technological requirements regarding the collection, use, storage, protection, disposal, transfer or other processing of consumer data, content, consumer protection, internet (or net) neutrality, advertising, electronic contracts, taxation, provision of online payment services (including credit card processing), and intellectual property rights, which are continuously evolving and developing. Because our services are accessible worldwide, certain foreign jurisdictions may claim that we are required to comply with their laws, even if we do not have a local entity, employees or infrastructure. Foreign data protection, privacy, and other laws and regulations may often be more restrictive than those in the United States. The scope and interpretation of the laws and other obligations that apply to us, including those related to user privacy and data security, are often uncertain and may be conflicting, particularly laws and obligations outside the U.S. There is a risk that these laws may be interpreted and applied differently in any given jurisdiction in a manner that is not consistent with our current practices, which could cause us to incur substantial cost and could negatively impact our brand, reputation and business.
Businesses using our products and services may collect data from their users. Various federal, state and foreign government bodies and agencies impose laws regarding collection, use, storage, retention, disposal, transfer or other processing of data from website visitors. We offer our customers a variety of data security procedures and practices, such as encryption for data at rest and masking algorithms for sensitive data prior to transfer to our database, in an effort to protect information. Changes to applicable laws and how they are interpreted relating to privacy and data security could significantly increase the cost to us and our customers of regulatory compliance and could negatively impact our business.
For instance, some states in the U.S. have enacted legislation designed to protect consumer privacy by prohibiting the distribution of “spyware” over the internet. Such legislation typically focuses on restricting the proliferation of software that, when installed on an end user’s computer, is used to intentionally and deceptively take control of the end user’s machine. We do not believe that the data monitoring methods that we employ constitute “spyware” or are prohibited by applicable laws. However, federal, state and foreign laws and regulations, many of which can be enforced by government entities or private parties, are constantly evolving and can be subject to significant changes in application and interpretation. If, for example, the scope of the
25
previously mentioned “spyware” legislation were changed to include web analytics, such legislation could apply to the technology we use and potentially restrict our ability to conduct our business.
Similarly, some U.S. courts have interpreted certain two-party consent wiretap statutes, such as the California Invasion of Privacy Act, to require the collection of prior consent from consumers who engage in a dialogue with chatbots. If the scope of such laws or newly enacted legislation were interpreted to apply to our services, we and/or our customers may be required to obtain the express consent of web visitors in order for our technology to perform its intended functions. If the scope of such laws or newly enacted legislation were interpreted to apply to our services, we and/or our customers may be required to obtain the express consent of web visitors in order for our technology to perform its intended functions. Requirements that a website must first obtain consent from its web visitors before using our technology could reduce the amount and value of the services we provide to customers, which might impede sales and/or cause some existing customers to discontinue using our services or could subject us to fines and/or proceedings by governmental agencies, regulatory bodies, and/or private litigation, which could materially and adversely affect our business, financial condition and results of operations.
There has been an increased focus in 2024 on laws and regulations related to AI. For example, states, regions and supranational bodies, including the European Union and the United States, have passed or proposed new rules and regulations related to the development and use of AI technology, which cover, among other things, consumer protection, algorithmic accountability, privacy and transparency. In the United States, there is uncertainty at the federal level regarding applicable regulations that will apply to the development and use of AI. In January 2025, the Trump administration rescinded an Executive Order implemented by the Biden administration in 2023 aimed at establishing new standards for AI safety and security, privacy, consumer and employee protection and innovation and competition associated with the use of AI. The Trump administration then issued a new Executive Order that, among other things, directed the heads of various federal governmental bodies to review actions taken under the Biden Executive Order and develop a new action plan with respect to AI-related matters. In Europe, the EU AI Act, enacted on August 1, 2024, began to apply in February 2025, with the remaining requirements to become effective on a staggered basis through August 2027. The EU AI Act establishes, among other things, a risk-based governance framework for regulating AI systems operating in the EU. This framework categorizes AI systems, based on the risks associated with such AI systems’ intended purposes, as creating unacceptable or high risks, with all other AI systems being considered low risk. The EU AI Act prohibits certain uses of AI systems and places numerous obligations on providers and deployers of permitted AI systems, with heightened requirements based on AI systems that are considered high risk. The EU AI Act establishes requirements for the provision and use of products that leverage AI, machine learning, and similar technologies, including chatbots, with potential fines reaching up to the greater of €35 million and 7% of global income. We may not be able to anticipate how to respond to these rapidly evolving frameworks, which could impact our ability to develop and deploy AI-powered features in a timely manner. Compliance with evolving regulatory requirements may increase our operational costs, and we may need to expend additional resources to adjust our operations or offerings in certain jurisdictions if the legal frameworks are inconsistent across jurisdictions. For example, some financial services regulators have imposed guidelines for use of cloud computing services that mandate specific controls or that require financial services providers to obtain regulatory approval prior to outsourcing certain functions. This could include requirements to retrain our algorithms, disclose or provide greater transparency regarding the nature of our AI systems and the data we have employed to train them, or prevent or limit our use of AI. Any failure to comply with these regulations or delays in adapting to new requirements could result in penalties, loss of market access, competitive disadvantages, or reputational harm. As part of our business strategy, we have made and may continue to make acquisitions to add complementary businesses, products, technologies, revenue and intellectual property rights. Furthermore, because AI technology itself is highly complex and rapidly developing, it is not possible to predict all of the legal, operational or technological risks that may arise relating to the use of AI. Additionally, other countries have proposed legal frameworks on AI, which is a trend that is expected to increase, and existing laws and regulations may be interpreted in ways that may affect our use of AI. Any failure or perceived failure by us to comply with such requirements could have an adverse impact on our business. Our competitors may be developing their own AI products and technologies, which may be superior in features, functionality, compliance readiness, or cost efficiency compared to our offerings, potentially impacting our competitive position. Any of these factors could adversely affect our business, reputation, or operating results.
Further, various federal, state and foreign government bodies and agencies are highly focused on consumer protection initiatives, particularly in light of the increase in new technologies and services that incorporate or use bots, AI and/or machine learning. For example, the California B.O.T. Act requires that companies using bots on platforms with more than ten million unique monthly visitors from the U.S. use clear and conspicuous disclosure to inform consumers that they are not speaking to a human. Similar bills have been introduced from time to time at the state and federal level in recent years. Further, the use of certain AI and machine learning may be subject to laws and evolving regulations, controlling for, among other things, data bias and antidiscrimination. For example, the Federal Trade Commission (“FTC”) enforces consumer protection laws such as Section 5 of the FTC Act, which prohibits unfair and deceptive practices, including use of biased algorithms in AI. The European Commission’s EU AI Act imposes additional restrictions and obligations on providers of AI systems, including increasing transparency so consumers know they are interacting with an AI system, requiring human oversight in AI, and prohibiting certain practices of AI that could lead to physical or psychological harm. The proposed regulation would impose additional restrictions and obligations on providers of AI systems, including increasing transparency so consumers know they are interacting with an AI system, requiring human oversight in AI, and prohibiting certain practices of AI that could lead to physical or psychological harm. Given the increased focus by the FTC and other regulators on the use of AI, it is likely that additional laws, regulations, and standards related to AI may be introduced in the future. Given the increased focus by the FTC and other regulators on the use of AI, it is possible that additional laws, regulations, and standards related to AI may be introduced in the future. Regulation in this area could impact how businesses use our products and services to interact with consumers and how we provide our
26
services to our customers. As regulatory scrutiny of AI continues to grow, we may need to modify or restrict certain AI-driven functionalities in our products or services, which could impact their adoption or effectiveness.
AI tools can also present unique technological and legal challenges, such as the possibility of insufficient data sets, or data sets that contain biased or inaccurate information, which can negatively impact the decisions, predictions or analyses that AI applications produce. AI tools can also present unique technological and legal challenges, such as the possibility of insufficient data sets, or (as stated above) data sets that contain biased information, which can negatively impact the decisions, predictions or analyses that AI applications produce. AI algorithms or automated processing of data may be flawed, and datasets may be insufficient or contain inaccurate, incomplete, poor-quality or biased information, which can create discriminatory outcomes or reduce the effectiveness of AI-driven insights. Deficiencies such as these could cause us reputational harm and subject us to legal liability, including claims of product liability, breach of warranty, or negligence. Additionally, AI-generated content and AI-assisted decision-making may raise unresolved intellectual property concerns, including uncertainty regarding ownership, licensing rights, and third-party claims over training data. The scope of these laws and regulations is rapidly evolving, subject to differing interpretations, may be inconsistent among jurisdictions, or conflict with other rules and is likely to remain uncertain for the foreseeable future. Evolving regulations, legal uncertainties, and enforcement actions could increase our compliance burden, limit our ability to deploy AI-driven solutions, and create additional operational challenges. We also expect that there will continue to be new laws, regulations, and industry standards concerning AI and machine learning proposed and enacted in various jurisdictions. We also expect that there will continue to be new laws, regulations, and industry standards concerning artificial intelligence and machine learning proposed and enacted in various jurisdictions. If we fail to stay ahead of these developments, we may face additional costs, disruptions in our product development roadmap, and potential competitive disadvantages.
In addition, regulatory authorities and governments around the world are considering a number of legislative and regulatory proposals concerning privacy, collection and use of website visitor data, data storage, data protection, the “right to be forgotten,” content regulation, cybersecurity, government access to personal information, online advertising, email and other categories of electronic spam, and other matters that may be applicable to our business. Compliance with these laws may require substantial investment or may be technologically challenging for us. For example, some jurisdictions, including in the United States, are considering whether the collection of anonymous data may invade the privacy of website visitors. If laws or regulations are enacted that limit data collection or use practices related to anonymous data, we and/or our customers may be required to obtain the express consent of web visitors in order for our technology to perform certain basic functions that are based on the collection and use of technical data. Requirements that a website must first obtain consent from its web visitors before using our technology could reduce the amount and value of the services we provide to customers, which might impede sales and/or cause some existing customers to discontinue using our services.
It is also likely that, as our business evolves, an increasing portion of our business shifts to mobile, and our solutions are offered and used in a greater number of countries, we will become subject to laws and regulations in additional jurisdictions. We may need to expend considerable effort and resources to develop new product features and/or procedures to comply with any such legal requirements. It is difficult to predict how existing laws will apply to our business and what new laws and legal obligations we may become subject to. If we are not able to comply with these laws or other legal obligations, or if we become liable under them, we may be forced to implement material changes to our business practices, delay release of new and enhanced services and expend substantial resources, which would negatively affect our business, financial condition and results of operations. In addition, any increased attention focused on liability issues, or as a result of regulatory fines or lawsuits, could harm our reputation or otherwise impact our business, results of operations and financial condition. In addition, any increased attention focused on liability issues, or as a result of regulatory fines or lawsuits, could harm our reputation or otherwise impact the growth of our business. Any costs incurred as a result of this potential liability could harm our business and operating results.
We monitor pending legislation and regulatory initiatives to ascertain relevance, analyze impact and develop strategic direction surrounding regulatory trends and developments. Due to shifting economic and political conditions, tax policies or rates in various jurisdictions may be subject to significant change. A range of other proposed or existing laws and new interpretations of existing laws could have an impact on our business. For example:
Government agencies and regulators have reviewed, are reviewing and will continue to review, the personal data handling practices of companies doing business online, including privacy and security policies and practices. This review may result in new laws or the promulgation of new regulations or guidelines that may apply to our products and services. For example, the State of California and other states have passed laws relating to disclosure of companies’ practices with regard to global opt-out signals from internet browsers, the ability to delete information of minors, age appropriate design obligations for companies that offer online services, products or features “likely to be accessed” by children, and new data breach notification requirements. Washington State recently enacted the “My Health, My Data Act,” which broadly protects the privacy of certain personal health information and generally requires consent for the collection, use, or sharing of any such information. Similarly, outside the E.U. and the U.S., a number of countries have adopted or are considering privacy laws and regulations that may result in significant greater compliance burdens. Existing and proposed laws and regulations regarding cybersecurity and monitoring of online behavioral data, such as proposed “Do Not Track” regulations, regulations aimed at restricting certain targeted advertising
27
practices and collection and use of data from mobile devices, new and existing tools that allow consumers to block online advertising and other content, and other proposed online privacy legislation could potentially apply to some of our current or planned products and services. Existing and proposed laws and regulations related to email and other categories of electronic spam could impact the delivery of commercial email and other electronic communications by us or on behalf of customers using our services.
The FTC in particular has aggressively investigated and brought enforcement actions against companies that fail to comply with their privacy or data security commitments to consumers, or fail to comply with regulations or statutes such as the Children’s Online Privacy Protection Act. Any investigation or review of our practices may require us to make changes to our products and policies, which could harm our business. Currently there are many proposals by lawmakers and industry groups in this area, both in the United States and overseas, which address the collection, maintenance and use of personal information, web browsing and geolocation data, and establish data security and breach notification requirements. Further, regulators and industry groups have also released self-regulatory principles and guidelines for various data privacy and security practices. Given that this is an evolving and unsettled area of regulation, the imposition of any new significant restrictions or technological requirements could have a negative impact on our business.
Various governmental bodies and many customers and businesses are increasingly focused on environmental, social and governance issues, which has in the past resulted, and may in the future continue to result, in the adoption of new laws and regulations and changing buying practices. If we fail to keep pace with these developments, our reputation and results of operations could be adversely impacted.
We might unintentionally violate such laws now or in the future; such laws or their interpretation or application may be modified; and new laws may be enacted in the future. Any such developments could subject us to legal liability exposure, and harm our business, operating results and financial condition.
We are the subject of a number of ongoing Actions that have resulted in significant expense, and adverse developments in our ongoing Actions and/or future Actions could have a material adverse effect on our business, results of operations and financial condition.
We are actively involved in a variety of litigation and other legal matters and may be subject to additional legal, administrative, governmental and/or regulatory proceedings, inquiries and investigations as well as actual or threatened litigation, claims and/or demands, which we refer to collectively as Actions. Refer to Note 14 - Legal Matters in the Notes to the Consolidated Financial Statements under Item 8 of this Annual Report on Form 10-K for additional information regarding material ongoing Actions.
Legal proceedings in general, and securities and class action litigation and regulatory investigations in particular, can be expensive and disruptive. We cannot predict the outcome of any particular Action, or whether ongoing Actions will be resolved favorably or ultimately result in charges or material damages, fines or other penalties. Additionally, the treasury stock method for calculating earnings per share will no longer be allowed for convertible debt instruments the principal amount of which may be settled using shares. Our insurance will not cover all claims that may be asserted against us, and we are unable to predict how long the Actions to which we are currently subject will continue. An unfavorable outcome of any Action may have a material adverse impact on our business, results of operations and financial condition, and regardless of the outcome, Actions can have an adverse impact on the Company because of defense and/or settlement costs, diversion of management resources, reputational risks and other factors.
We may be subject to governmental export controls and economic sanctions regulations that could impair our ability to compete in international markets due to licensing requirements and could subject us to liability if we are not in compliance with applicable laws.
Certain of our products and services may be subject to export control and economic sanctions regulations, including the U.S. Export Administration Regulations and various economic and trade sanctions regulations administered by the U.S. Treasury Department’s Office of Foreign Assets Control. Exports of our products and the provision of our services must be made in compliance with these laws and regulations. If we fail to comply with these laws and regulations, we and certain of our employees could be subject to substantial civil or criminal penalties, including: the possible loss of export privileges; fines, which may be imposed on us and responsible employees or managers; and, in extreme cases, the incarceration of responsible employees or managers. Obtaining the necessary authorizations, including any required license, for a particular deployment may be time-consuming, is not guaranteed and may result in the delay or loss of sales opportunities. In addition, changes in our products or services, or changes in applicable export or economic sanctions regulations may create delays in the introduction and deployment of our products and services in international markets, or, in some cases, prevent the export of our products or provision of our
28
services to certain countries or end users, or for certain end uses. Any change in export or economic sanctions regulations, shift in the enforcement or scope of existing regulations, or change in the countries, governments, persons or technologies targeted by such regulations, could also result in decreased use of our products and services, or in our decreased ability to export our products or provide our services to existing or prospective customers with international operations. Any decreased use of our products and services or limitation on our ability to export our products and provide our services could adversely affect our business, results of operations, and financial condition. Further, we incorporate encryption technology into certain of our products. Various countries regulate the import of certain encryption technology, including through import permitting and licensing requirements, and have enacted laws that could limit our customers’ ability to import our products into those countries. Encryption products and the underlying technology may also be subject to export control restrictions. Governmental regulation of encryption technology and regulation of exports of encryption products, or our failure to obtain required approval for our products, when applicable, could harm our international sales and adversely affect our revenue. Compliance with applicable regulatory requirements regarding the export of our products and provision of our services and the need to determine the appropriate export classifications of our products, including with respect to new releases of our products and services, may create delays in the introduction of our products and services in international markets, prevent our customers with international operations from deploying our products and using our services throughout their globally-distributed systems or, in some cases, prevent the export of our products or provision of our services to some countries altogether. Compliance with applicable regulatory requirements regarding the export of our products and provision of our services, including with respect to new releases of our products and services, may create delays in the introduction of our products and services in international markets, prevent our customers with international operations from deploying our products and using our services throughout 33their globally-distributed systems or, in some cases, prevent the export of our products or provision of our services to some countries altogether.
Beginning on February 24, 2022, the United States, U.K., and E.U. have imposed sanctions on Russia in response to its invasion of Ukraine. Many of these sanctions are targeted at Russian banks and Russian sovereign debt. The range of sanctions includes prohibitions on dealings in the debt or equity of certain Russian companies, as well as blocking sanctions imposed on many Russian individuals and entities. On April 6, 2022, the United States issued Executive Order 14071, prohibiting new investment in Russia by a U.S. person. These measures and any future sanctions imposed by the United States or other countries may impact our ability to deal with certain persons or in certain jurisdictions.
Although we believe that we are in compliance with all applicable export control and sanctions laws and regulations, and intend to maintain such compliance, there can be no assurance that we will be in compliance in the future, particularly as the scope of certain laws may be unclear and may be subject to changing interpretations. Any such violation could result in fines or other penalties and could severely impact our ability to access U.S. capital markets and conduct our business, and could result in some investors deciding, or being required, to divest their interest, or not to invest, in us.
Changes to trade policy, including tariff and customs regulations, or failure to comply with such regulations, may have an adverse effect on our business, financial condition and results of operations. In addition, the increased attention focused upon liability as a result of lawsuits and legislative proposals and enactments could harm our reputation or otherwise impact the growth of our business.
Changes or proposed changes in U.S. or other countries’ trade policies may result in restrictions and economic disincentives on international trade. Tariffs, economic sanctions and other changes in U.S. trade policy have in the past and could in the future trigger retaliatory actions by affected countries, and certain foreign governments have instituted or are considering imposing retaliatory measures on certain U.S. goods. Further, any emerging protectionist or nationalist trends (whether regulatory- or consumer-driven) either in the U.S. or in other countries could affect the trade environment. We conduct a significant amount of business that could be impacted by changes to the trade policies of the U.S. and other countries (including governmental action related to tariffs, international trade agreements, or economic sanctions). Such changes have the potential to adversely impact the U.S. economy or certain sectors thereof or the economy of other countries in which we operate, our industry, the industries of our customers and the global demand for our services.
We cannot predict how these developments will impact us, and existing or future tariffs and trade restrictions could have a material adverse effect on our business, results of operations, and financial condition. Additionally, tariffs and retaliatory trade measures could result in an increase in supply chain costs that we may not be able to offset in full or in part or that may otherwise adversely impact our financial results.
Industry-specific regulation is evolving and unfavorable industry-specific laws, regulations, or interpretive positions could harm our business.
Our customers and potential customers do business in a variety of industries, including financial services, the public sector, healthcare and telecommunications. Regulators of various industries have adopted and may in the future adopt regulations or interpretive positions regarding the use of cloud computing and other outsourced services. The costs of compliance with, and other burdens imposed by, industry-specific laws, regulations and interpretive positions may limit our customers’ use and adoption of our services and reduce overall demand. For example, some financial services regulators have imposed guidelines for use of cloud computing services that mandate specific controls or that require financial services providers to obtain regulatory
29
approval prior to outsourcing certain functions. If we are unable to comply with these guidelines or controls, or if our customers are unable to obtain regulatory approval to use our service where required, our business may be harmed and we may be unable to conduct business with customers in such industries. In addition, an inability to satisfy the standards of certain third-party certification bodies that our customers may expect, such as the PCI Data Security Standards, may have an adverse impact on our business. If we are unable in the future to achieve or maintain these industry-specific certifications or comply with other similar requirements or standards that are relevant to our customers, our business and our revenue may be adversely impacted.
In some cases, industry-specific laws, regulations or interpretive positions may also apply directly to us as a service provider. Any failure or perceived failure by us to comply with such requirements could have a material adverse impact on our business and results of operations.
In addition, we may become subject to additional regulatory and compliance burdens to the extent we expand our product offerings into new conversational businesses that subject us to additional regulations, laws and new risks.
Future regulation of the internet or mobile devices may result in decreased demand for our services and increased costs of doing business.•Future regulation of the internet or mobile devices may slow our growth, resulting in decreased demand for our services and increased costs of doing business.
State, federal and foreign regulators could adopt laws and regulations that impose additional burdens on companies that conduct business online or that adversely affect the growth or use of the internet or mobile commerce. For example, these laws and regulations could discourage communication by e-mail or other web-based communications, which could reduce demand for our services. For example, these laws and regulations could discourage communication by e-mail or other web-based communications, particularly targeted e-mail of the type facilitated by our services, which could reduce demand for our services. Laws or regulations that affect the use of the internet or mobile devices, including but not limited to laws affecting net neutrality, could also decrease demand for our services and increase our costs.
The continued growth and development of the market for online services may prompt calls for more stringent consumer protection laws or laws that will inhibit the use of internet-based or mobile-based communications or the information contained in these communications or the ways in which information may be collected, stored, used and transferred in the course of providing services. For example, in the United States, the CAN-SPAM Act regulates the transmission and content of commercial emails, and, among other things, obligates the sending of such emails to provide recipients with the ability to opt-out or unsubscribe and other requirements; and the Children’s Online Privacy Protection Act regulates the ability of certain online services to collect or use certain categories of information from children under age 13 absent parental consent. Additionally, several states are considering or have passed social media age design laws that require age verifications and implement additional protections for children. Some of these laws have been halted by courts as violations of the First Amendment, both in regard to age verification and the requirement to disclose documents to the government creating overbroad speech restrictions. The adoption of any additional laws or regulations, or changes to existing laws or regulations or their interpretation or application, may increase our costs of doing business, decrease the expansion of the internet or smartphone usage and, in turn, unfavorably affect demand for our services.
Climate change and environmental and other sustainability regulations or requirements could adversely impact our business.
Climate change has the potential to negatively affect our business and results of operations, cash flows and prospects. The adverse physical impacts of climate change include increased frequency and severity of natural disasters and extreme weather events such as hurricanes, tornados, wildfires (exacerbated by drought), flooding, and extreme heat, which could pose physical risks to the facilities of our global data providers and other suppliers. Such risks include losses incurred as a result of physical damage to facilities, and business interruption caused by such natural disasters and extreme weather events. These risks could disrupt our operations and our supply chain, which may result in increased costs. In addition, our server infrastructure consumes significant energy resources, including those generated by the burning of fossil fuels. Our server infrastructure consumes significant energy resources, including those generated by the burning of fossil fuels. We also face climate change risks associated with the process of transitioning to a low-carbon economy. For example, in response to concerns about global climate change, governments may adopt new regulations affecting the use of fossil fuels or requiring the use of alternative fuel sources, resulting in increased costs for the energy usage of our global data centers.
Our customers, investors and other stakeholders may require us to demonstrate that we are taking ecologically responsible measures in operating our business and in sourcing services in our supply chain, including our global data center providers. The costs and any expenses we may incur to make our network more energy-efficient and to comply with any new environmental and other sustainability regulations could negatively impact our operating results. The costs and any expenses we may incur to make our network more energy-efficient and comply with any new regulations could negatively impact our operating results. Failure to comply with applicable environmental or other sustainability laws and regulations or other requirements imposed on us could result in material fines and penalties, litigation, regulatory investigation and/or governmental orders requiring us to change our data practices, which could damage our reputation and harm our business. Failure to comply with applicable laws and regulations or other requirements imposed on us could result in material fines and penalties, litigation, regulatory investigation and/or governmental orders requiring us to change our data practices, which could damage our reputation and harm our business.
30
Risks Related to our Intellectual Property
Our products and services may infringe upon intellectual property rights of third parties and any infringement could require us to incur substantial costs and may distract our management.
We have had patent and other infringement lawsuits filed against us claiming that certain of our products and services infringe third-party intellectual property rights, and we are subject to the future risk of additional third-party claims alleging infringement against us or against our customers for use of our products and services. Many of our customer and partner contracts, including certain suppliers, contain indemnification obligations requiring us to indemnify our customers from certain claims against them or arising from the use of our services. Substantial litigation regarding intellectual property rights exists in the software industry. In the ordinary course of our business, our services and/or our customers’ use of our services may be increasingly subject to third-party infringement claims as claims by non-practicing entities become more prevalent and the number of competitors in our industry segment grows and the functionality of services in different industry segments overlaps. Some of our competitors in the market for digital engagement technology, and/or web and mobile based consumer-facing services or other third parties may have filed or may intend to file patent applications covering aspects of their technology and have asserted and may in the future assert claims against us. Any claims alleging infringement of third-party intellectual property rights could require us to spend significant amounts in litigation (even if the claim is invalid), distract management from other tasks of operating our business, pay substantial damage awards, prevent us from selling our products, delay delivery of our services, require the development of non-infringing software, technology, business processes, systems or other intellectual property (none of which might be successful), or limit our ability to use the intellectual property that is the subject of any of these claims, unless we enter into license agreements with the third parties (which may be costly, unavailable on commercially reasonable terms, or not available at all). Therefore, any such claims could have a material adverse effect on our business, results of operations, cash flows and financial condition. Additionally, over the last few years, there have been multiple class action lawsuits filed against large language model developers in the Northern District of California, the Southern District of New York, and the Middle District of Tennessee, among others, concerning alleged copyright and other intellectual property violations with respect to the information used to train AI models. The outcomes of these litigations may impair our ability to provide our AI technologies.
Our business and prospects would suffer if we are unable to protect and enforce our intellectual property rights.
Our success and ability to compete depend, in part, upon the protection of our intellectual property rights relating to the technology underlying our services. We rely on a combination of patent, copyright, trade secret, trademark and other common law protections in the United States and other jurisdictions, as well as confidentiality requirements and contractual provisions, to protect our proprietary technology, processes and other intellectual property. We rely on a combination of patent, copyright, trade secret, trademark and other common law protections in the United States and other jurisdictions, as well as confidentiality requirements and contractual provisions, to protect our proprietary technology, processes and other intellectual property. We own a portfolio of patents and patent applications in the U.S. and internationally and regularly file patent applications to protect intellectual property that we believe is important to our business, including intellectual property related to digital engagement technology, and/or web and mobile based consumer-facing services. We believe the duration of our patents is adequate relative to the expected lives of our products and services. We pursue the registration of our domain names, trademarks and trade names in the U.S. and in certain locations outside the U.S. We also own copyrights, including in our software, publications and other documents authored by us. These intellectual property rights are important to our business and marketing efforts. We seek to protect our intellectual property rights by relying on federal, state, and common law rights, including registration, or otherwise in the U.S. and certain foreign jurisdictions, as well as contractual restrictions. However, we believe that factors such as the technological and creative skills of our personnel, new service developments, frequent enhancements and reliable maintenance are more essential to establishing and maintaining a competitive advantage. Others may develop technologies that are similar or superior to our technology. We enter into confidentiality and other written agreements (including invention assignment agreements) with our employees, consultants, customers, potential customers, strategic partners, and other third parties, and through these and other written agreements, we seek to control access to and distribution of our software, documentation and other proprietary information. Despite our efforts to protect our proprietary rights, third parties may, in an unauthorized manner, attempt to use, copy or otherwise obtain and market or distribute our intellectual property rights or technology or otherwise develop a service with the same functionality as our services. Policing unauthorized use of our services and intellectual property rights is difficult, and we cannot be certain that the steps we have taken will prevent misappropriation of our technology or intellectual property rights, particularly in foreign countries where we do business, where our services are sold or used, where the laws may not protect proprietary rights as fully as do the laws of the U.S. or where enforcement of laws protecting proprietary rights is not common or effective.
The duration of the protection afforded to our intellectual property depends on the type of property in question, the laws and regulations of the relevant jurisdiction and the terms of its license agreements with others. With respect to our trademarks and trade names, trademark laws and rights are generally territorial in scope and limited to those countries where a mark has been
31
registered or protected. While trademark registrations may generally be maintained in effect for as long as the mark is in use in the respective jurisdictions, there may be occasions where a mark or title is not registrable or protectable or cannot be used in a particular country. In addition, a trademark registration may be canceled or invalidated if challenged by others based on certain use requirements or other limited grounds. The duration of property rights in trademarks, service marks and trade names in the U.S., whether registered or not, is predicated on our continued use.
It is possible that:
•any issued patent or patents issued in the future may not be broad enough to protect our intellectual property rights;
•any issued patent or any patents issued in the future could be successfully challenged by one or more third parties, which could result in our loss of the right to prevent others from exploiting the inventions claimed in the patents;
•current and future competitors may independently develop similar technologies, duplicate our services or design around any patents we may have; and
•effective intellectual property protection may not be available in every country in which we do business, where our services are sold or used, where the laws may not protect proprietary rights as fully as do the laws of the United States or where enforcement of laws protecting proprietary rights is not common or effective.
Further, to the extent that the invention described in any U.S. patent was made public prior to the filing of the patent application, we may not be able to obtain patent protection in certain countries. We also rely upon copyright, trade secret, trademark and other common law in the U.S. and other jurisdictions, as well as confidentiality procedures and contractual provisions, to protect our proprietary technology, processes and other intellectual property. Any steps we might take may not be adequate to protect against infringement and misappropriation of our intellectual property by third parties. Similarly, third parties may be able to independently develop similar or superior technology, processes or other intellectual property. Third parties may register marks that are confusingly similar to the trademarks or services marks that we have used in the U.S. and our failure to monitor foreign registrations or mark usage may impact our rights in certain trademarks or services marks. Policing unauthorized use of our services and intellectual property rights is difficult, and we cannot be certain that the steps we have taken will prevent misappropriation of our technology or intellectual property rights, particularly in foreign countries where we do business, where our services are sold or used, where the laws may not protect proprietary rights as fully as do the laws of the U.S. or where enforcement of laws protecting proprietary rights is not common or effective. The unauthorized reproduction or other misappropriation of our intellectual property rights could enable third parties to benefit from our technology without paying us for it. If this occurs, our business, results of operations, and financial condition could be materially and adversely affected. In addition, disputes concerning the ownership or rights to use intellectual property could be costly and time-consuming to litigate, may distract management from operating our business and may result in our loss of significant rights.
Issues in the use of AI in our product offerings may result in reputational harm, regulatory compliance issues or liability.
We have built, and expect to continue to build, AI into many of our product offerings and we expect this element of our business to grow. We have built, and expect to continue to build, AI into many of our product offerings and we expect this element of our business to grow. We envision a future in which AI operating in our devices, applications and the cloud helps our customers be more productive in their business activities and interactions with consumers. As with many disruptive innovations, AI presents risks and challenges that could affect its adoption, and therefore our business. AI algorithms and models may be flawed. Datasets may be insufficient or contain biased information. Content generated by AI systems may be offensive, illegal, or harmful. Inappropriate or controversial data practices by us or others could impair the acceptance of AI solutions. These deficiencies could undermine the decisions, predictions, or analysis AI applications produce. These deficiencies could undermine the decisions, predictions, or analysis AI applications produce, subjecting us to competitive harm, legal liability, and brand or reputational harm. As a result of these and other challenges associated with innovative technologies, our use of AI systems could subject us to competitive harm, regulatory action, legal liability, including under current and proposed legislation regulating AI in jurisdictions such as the E.U., applications of existing data protection, privacy, intellectual property, and other laws, and brand or reputational harm. Social and ethical issues relating to new and evolving uses of AI that we may offer may result in reputational harm and liability and may cause us to incur additional research and development (“R&D”) costs to resolve such issues. If we enable or offer AI solutions that have unintended consequences, unintended usage, or are controversial because of their impact on human rights, privacy, employment, intellectual property, or other social issues, we may experience a material adverse effect on our business, results of operations and cash flows. If we enable or offer AI solutions that are controversial because of their impact on human rights, privacy, employment, or other social issues, we may experience a material adverse effect on our business, results of operations and cash flows.
The regulatory landscape regarding AI is evolving globally. Potential government regulation related to AI use and ethics may also increase the burden and cost of operations and R&D efforts in this area, and the risk of regulatory compliance issues or
32
other liabilities. Failure to properly remediate AI usage, legal or ethics issues may cause public confidence in AI to be undermined, which could slow adoption of AI in our offerings. The rapid evolution of AI will require the application of resources to develop, test and maintain our products and services to help ensure that AI is implemented ethically in order to minimize unintended, harmful impact. If we enable or offer AI solutions that are controversial because of their impact on human rights, privacy, employment, intellectual property, or other social issues, we may experience a material adverse effect on our business, results of operations and cash flows. If we enable or offer AI solutions that are controversial because of their impact on human rights, privacy, employment, or other social issues, we may experience a material adverse effect on our business, results of operations and cash flows.
We may be subject to legal liability and/or negative publicity for the services provided to consumers via our technology platforms.
Our technology platforms enable representatives of our customers as well as individual service providers to communicate with consumers and other persons seeking information or advice on the web or via mobile devices. The law relating to the liability of online platform providers, such as us, for the activities of users of their online platforms is often challenged in the U.S. and internationally. We may be unable to prevent users of our technology platforms from providing negligent, unlawful or inappropriate advice, information or content via our technology platforms, or from behaving in an unlawful manner, and we may be subject to allegations of civil or criminal liability for negligent, fraudulent, unlawful or inappropriate activities carried out by users of our technology platforms.
Claims could be made against online services companies under both U.S. and foreign law, such as fraud, defamation, libel, invasion of privacy, negligence, data breach, copyright or trademark infringement, or other theories based on the nature and content of the materials disseminated by users of our technology platforms. In addition, domestic and foreign legislation has been proposed that could prohibit or impose liability for the transmission over the internet of certain types of information. Our defense of any of these actions could be costly and involve significant time and attention of our management and other resources.
The Digital Millennium Copyright Act (“DMCA”) is intended, among other things, to reduce the liability of online service providers for transmitting or storing materials that infringe copyrights of others or referring, listing or linking to third party web properties that include materials that infringe copyrights of others. Additionally, Section 230 of the Communications Decency Act (“CDA”), is intended to provide statutory protections to online service providers who host or distribute third party content. A safe harbor for copyright infringement is also available under the DMCA to certain online service providers that provide specific services, if the providers take certain affirmative steps as set forth in the DMCA. There are various Congressional efforts to restrict the scope of the protections from liability for service providers in certain circumstances. Important questions regarding the safe harbor under the DMCA and the CDA have yet to be litigated, and there can be no assurance that we will meet the safe harbor requirements of the DMCA or of the CDA. Important questions regarding the safe harbor under the DMCA and the CDA have yet to be litigated, and we cannot guarantee that we will meet the safe harbor requirements of the DMCA or of the CDA. If we are not covered by a safe harbor, for any reason, we could be exposed to claims, which could be costly and time-consuming to defend.
If we become liable for information provided by our users and carried via our service in any jurisdiction in which we operate, we could be directly harmed, and we may be forced to implement new measures to reduce our exposure to this liability. 38If we become liable for information provided by our users and carried via our service in any jurisdiction in which we operate, we could be directly harmed, and we may be forced to implement new measures to reduce our exposure to this liability. In addition, the increased attention focused upon liability issues as a result of these lawsuits and legislative proposals could harm our reputation or otherwise impact our business, results of operations and financial condition. In addition, the increased attention focused upon liability issues as a result of these lawsuits and legislative proposals could harm our reputation or otherwise impact the growth of our business. Any costs incurred as a result of this potential liability could harm our business.
In addition, negative publicity and user sentiment generated as a result of fraudulent or deceptive conduct by customers of our technology platforms could damage our reputation, reduce our ability to attract new users or retain our current customers, and diminish the value of our brand.
In the future, we may be required to spend substantial resources to take additional protective measures or discontinue certain service offerings, either of which could harm our business. Any costs incurred as a result of potential liability relating to the sale of unlawful services or the unlawful sale of services could harm our business. In addition to legislation and regulations relating to privacy and data security and collection, we may be subject to consumer protection laws that are enforced by regulators such as the FTC and private parties and include statutes that regulate the collection and use of information for marketing purposes. Any new legislation or regulations regarding the internet, mobile devices, software sales or export and/or the cloud or SaaS industry, and/or the application of existing laws and regulations to the internet, mobile devices, software sales or export and/or the cloud or SaaS industry, could create new legal or regulatory burdens on our business that could have a material adverse effect on our business, results of operations, and financial condition. Additionally, as we operate outside the U.S., the international regulatory environment relating to the internet, mobile devices, software sales or export, and/or the cloud or SaaS industry could have a material adverse effect on our business, results of operations, and financial condition.
33
Risks Related to our International Operations and Tax Issues
Our results of operations may be adversely impacted due to our exposure to foreign currency exchange rate fluctuations.
We conduct business in currencies other than the U.S. dollar in Europe, Australia, Japan and Israel. Because we conduct business in currencies other than the U.S. dollar but report our financial results in U.S. dollars, fluctuations in currency exchange rates could adversely affect our results of operations. Fluctuations in the value of the U.S. dollar relative to other foreign currencies could materially affect our revenue, cost of revenue and operating expenses, and result in foreign currency transaction gains and losses. Expansion of our international operations increases our exposure to such fluctuations in currency exchange rates. We may seek to enter into hedging transactions or to use financial instruments, such as derivative financial instruments, to mitigate risk, but we may be unable to enter into them successfully, on acceptable terms or at all. We may seek to enter into hedging transactions in the future or to use financial instruments, such as derivative financial instruments, to mitigate risk, but we may be unable to enter into them successfully, on acceptable terms or at all. Additionally, these programs rely on our ability to forecast accurately and could expose us to additional risks that could adversely affect our financial condition and results of operations. We cannot predict whether or not we will incur foreign exchange losses. Further, as geopolitical volatility around the world increases, there is increasing risk of the imposition of exchange or price controls, or other restrictions on the conversion of foreign currencies, which could have a material adverse effect on our business.
We may be unsuccessful in expanding our operations internationally due to additional regulatory requirements, tax liabilities, currency exchange rate fluctuations, and other risks, which could adversely affect our results of operations.•We may be unsuccessful in expanding our operations internationally and/or into direct-to-consumer services due to additional regulatory requirements, tax liabilities, currency exchange rate fluctuations, and other risks, which could adversely affect our results of operations.
In addition to our operations in the U.S., we have operations in Australia, Brazil, Bulgaria, Canada, Costa Rica, France, Germany, Israel, India, Italy, Japan, Mexico, the Netherlands, Singapore, Spain, and the U.K. We have also invested in global messaging initiatives and in acquisitions. We have also continued to invest in global messaging initiatives and in acquisitions. Our ability to expand into international markets is subject to risks, including the possibility that returns on such investments will not be achieved in the near future, or ever, and the difficulty of competing in markets with which we are unfamiliar. Our ability to continue to expand into international markets and in the online consumer market involves various risks, including the possibility that returns on such investments will not be achieved in the near future, or ever, and the difficulty of competing in markets with which we are unfamiliar.
Our international operations may subject us to other risks inherent in foreign operations, including:
•varied, unfamiliar, unclear and changing legal and regulatory restrictions, including different legal and regulatory standards applicable to internet or mobile services, communications, privacy, data protection, and AI;
•difficulties in staffing and managing foreign operations;
•differing intellectual property laws that may not provide sufficient protection for our intellectual property;
•adverse tax consequences or additional tax liabilities;
•difficulty in addressing country-specific business requirements and regulations including, for instance, data privacy laws;
•fluctuations in currency exchange rates;
•strains on financial and other systems to properly administer value-added tax (“VAT”) and other taxes;
•different consumer preferences and requirements in specific international markets;
•international legal, compliance, political, regulatory or systemic restrictions, or other international governmental scrutiny, applicable to U.S. companies with sales and operations in foreign countries, including, but not limited to, possible compliance issues involving the U.S. Foreign Corrupt Practices Act, the U.K. Bribery Act, and similar laws in other jurisdictions;
•the imposition of tariffs, quotas, import duties or other market barriers (including the implementation of tariffs on U.S. imports and potential retaliatory tariffs); and
•local instability and shifting political, economic, and military conditions including armed conflict and terrorist activity.
In addition, we rely in part on third-party service providers with international operations. If the third party’s operations were disrupted or discontinued due to local instability or political, economic or military conditions or cyber-attacks, including in connection with the Israel-Hamas war or the Russia-Ukraine war, then our ability to provide services to some of our customers and the development of new products or enhancement of existing products could be delayed, and our results of operations could be adversely affected. If this third party’s operations were disrupted or discontinued due to local instability or political, economic or military conditions or cyber-attacks, then our ability to provide services to some of our current customers and the development of new products or enhancement of existing products could be delayed, and our results of operations could be adversely affected.
34
Our current and any future international expansion plans will require management attention and resources and may be unsuccessful. We may find it impossible or prohibitively expensive to continue expanding internationally or we may be unsuccessful in our efforts to do so, and our results of operations could be adversely impacted. We may find it impossible or prohibitively expensive to continue expand internationally or we may be unsuccessful in our attempt to do so, and our results of operations could be adversely impacted. In addition, violations of any foreign laws or regulations could result in fines, criminal sanctions against us, our officers or our employees, prohibitions on the conduct of our business and damage to our reputation.
Our operations may expose us to greater than anticipated income, non-income, and transactional tax liabilities, which could harm our financial condition and results of operations.
There is heightened scrutiny by fiscal authorities in many jurisdictions on the potential taxation of e-commerce businesses. The Organization for Economic Co-operation and Development (“OECD”) has issued guidelines, referred to as the Base Erosion and Profit Shifting project, to its member-nations aimed at encouraging broad-based legislative initiatives intended to prevent perceived base erosion transactions and income shifting in a tax-advantaged manner. Further, for the past several years, the OECD has had a specific focus on the taxation implications of e-commerce business, generally referred to by the OECD as the “digital economy.” In the fourth quarter of 2019, the OECD released details on its proposed approach which would, among other changes, create a new right to tax certain “digital economy” income not necessarily based on traditional nexus concepts nor on the “arm’s length principle.” At this point, there is a lack of consensus among the key members, particularly the United States, with the latest OECD proposal. The United States has expressed that it would generally support a solution along the lines proposed by the OECD only if the solution was in the form of a “safe-harbor” rather than a mandatory requirement. A failure to reach full consensus on an executable plan within the tight time frame under which the OECD is operating could result in individual jurisdictions legislating digital tax provisions in an uncoordinated and unilateral manner, and further result in greater or even double taxation that companies may not have sufficient means to remedy. For example, a number of jurisdictions, including the U.K., France and Italy, have already adopted or have formally proposed legislation that would affect the taxation of certain e-commerce businesses based on differing criteria and metrics. Efforts to alleviate this increased tax burden will increase the cost of structuring and compliance as well as the cost of doing business internationally. Any changes to the taxation of our international activities may increase our worldwide effective tax rate and adversely impact our financial position and results of operations.
Further, the prospective taxation by multiple jurisdictions of e-commerce businesses could subject us to exposure to withholding, sales, VAT and/or other transaction taxes on our past and future transactions in such jurisdictions where we currently or in the future may be required to report taxable transactions. A successful assertion by any jurisdiction that we failed to pay such withholding, sales, VAT or other transaction taxes, or the imposition of new laws requiring the registration for, collection of, and payment of such taxes, could result in substantial tax liabilities related to past, current and future sales, create increased administrative burdens and costs, discourage customers from purchasing content from us, or otherwise substantially harm our business and results of operations. We are currently subject to and in the future may become subject to additional compliance requirements for certain of these taxes. Changes in our exposure to withholding, sales, VAT and/or other transaction taxes could have an adverse impact on our financial condition in the future.
In addition, an increasing number of states have considered or adopted laws that attempt to impose tax collection obligations on out-of-state companies. In June 2018, the Supreme Court of the United States issued its decision in the matter of South Dakota v. Wayfair, Inc. This decision effectively reversed the 25-year-old “physical presence doctrine” previously established by the Supreme Court in Quill Corp. v. North Dakota, which required a minimum level of physical presence within a state before the state could impose an obligation to register and remit sales tax on revenue derived within that state. This decision may significantly increase the effort, resources and costs associated with the sales tax collection and compliance burden. Since the decision, a number of states have enacted sales tax enabling legislation which has had the effect of significantly expanding the liability of e-commerce companies to register, collect and remit state sales taxes from customers. A successful assertion by one or more states requiring us to collect taxes where we presently do not do so, or to collect more taxes in a jurisdiction in which we currently do collect some taxes, could result in substantial tax liabilities, including taxes on past sales, as well as penalties and interest. The imposition by state governments or local governments of sales tax collection obligations on out-of-state sellers could also create additional administrative burdens for us, put us at a competitive disadvantage if they do not impose similar obligations on our competitors, and decrease our future sales, which could have a material adverse effect on our business and results of operations.
Our ability to use our net operating losses to offset future taxable income may be subject to certain limitations.
As of December 31, 2024, we had federal net operating loss carryforwards (“NOLs”) of $644.0 million which are available to offset future federal taxable income. In general, under Section 382 of the Internal Revenue Code of 1986, as amended (the “Code”), a corporation that undergoes an “ownership change” (generally defined as a greater than 50-percentage-point
35
cumulative change (by value) in the equity ownership of certain stockholders over a rolling three-year period) is subject to limitations on its ability to utilize its pre-change NOLs to offset post-change taxable income. Under Section 382 of the Code, our existing NOLs may be subject to limitations arising from previous ownership changes, and if we undergo an ownership change in the future, our ability to utilize NOLs could be further limited by Section 382 of the Code, or as a result of a corresponding provision of state law. Future changes in our stock ownership, some of which may be outside of our control, could result in an ownership change under Section 382 of the Code. The use of NOLs from acquired businesses may also be limited under Section 382. Federal NOLs generated in taxable years ending on or before December 31, 2017, are eligible to be carried forward for up to 20 tax years (and carried back up to two tax years) following their incurrence. Federal NOLs generated in taxable years ending after December 31, 2017, are eligible to be carried forward indefinitely, but generally may only offset up to 80% of federal taxable income earned in a taxable year. As of December 31, 2024, $70.3 million of our $644.0 million of federal NOLs were generated in taxable years ending on or before December 31, 2017. If our ability to utilize federal NOLs were limited by Section 382 of the Code, it could result in NOLs generated on or before December 31, 2017, expiring unused. As of December 31, 2022, approximately $58.2 million of our approximately $532.6 million of federal NOLs were generated in taxable years ending on or before December 31, 2017. If our ability to utilize federal NOLs were limited by Section 382 of the Code, it could result in NOLs generated on or before December 31, 2017, expiring unused. Our ability to utilize our NOLs is conditioned upon our maintaining profitability in the future and generating U.S. federal taxable income. As a result of a change in the treatment of R&D expenses during the period ending December 31, 2022, the Company is required to capitalize and amortize amounts previously deducted currently. This is resulting in U.S. taxable income that is allowing the Company to utilize its pre-2018 NOLs. The capitalized R&D costs will give rise to future deductions that could result in new NOLs being generated, which NOLs would be eligible to be carried forward indefinitely but would only be able to offset up to 80% of federal taxable income earned in a taxable year.
We have entered into a Tax Benefits Preservation Plan (the “Tax Benefits Preservation Plan”), which is designed to reduce the risk of substantial impairment to our NOLs that could result from an “ownership change” within the meaning of Section 382 of the Code. Although the Tax Benefits Preservation Plan is intended to reduce the risk of an “ownership change” within the meaning of Section 382 of the Code, the Company cannot provide any assurance that the Company will not experience such an ownership change or that the Company will otherwise be able to utilize, in full or in part, the Company’s NOLs. Additionally, the Tax Benefits Preservation Plan could deter or prevent a third party from acquiring us even when the acquisition may be favorable to you, make the Company’s common stock less attractive to large institutional holders or otherwise adversely affect the market price of our common stock.
Political, economic, and military conditions in Israel could negatively impact our Israeli operations.
A substantial portion of our product development staff, help desk and online sales support operations are located in Israel. As of December 31, 2024, we had 68 full-time employees in Israel. Although substantially all of our sales to date have been made to customers outside Israel, we are directly influenced by the political, economic and military conditions affecting Israel. Since the establishment of the State of Israel in 1948, a number of armed conflicts have taken place between Israel and its neighboring countries, Hamas, Hezbollah and other armed groups, including the Israel-Hamas war. Since the establishment of the State of Israel in 1948, a number of armed conflicts have taken place between Israel and its neighboring countries, Hamas (an Islamist militia and political group that controls the Gaza Strip), Hezbollah (an Islamist militia and political group based in Lebanon) and other armed groups. Furthermore, Iran has threatened to attack Israel and may be developing nuclear weapons.
In addition, the State of Israel and Israeli companies have been subject to economic boycotts. Several countries and international organizations still restrict business with the State of Israel and with Israeli companies or support and advocate for the implementation of such boycotts. In addition, the increased attention focused upon liability as a result of lawsuits and legislative proposals and enactments could harm our reputation or otherwise impact the growth of our business. These restrictive laws and policies may have an adverse impact on our results of operations, financial condition or the expansion of our business. A campaign of boycotts, divestment, and sanctions has been undertaken against Israel, which could also adversely affect our business. Actual or perceived political instability in Israel or any negative changes in the political environment, may individually or in the aggregate adversely affect the Israeli economy and, in turn, our business, financial condition and results of operations.
Parties with whom we do business may sometimes decline to travel to Israel during periods of heightened unrest or tension, forcing us to make alternative arrangements when necessary in order to meet our business partners face to face. In addition, the political and security situation in Israel may result in parties with whom we have agreements involving performance in Israel claiming that they are not obligated to perform their commitments under those agreements pursuant to force majeure provisions in such agreements.
Further, shifting economic and political conditions in the U.S. and in other countries may result in changes in how the U.S. and other countries conduct business and other relations with Israel, which may have an adverse impact on our Israeli operations and a material adverse impact on our business.
36
Our commercial insurance may not cover losses that could occur as a result of events associated with the security situation in the Middle East. Any losses or damages incurred by us could have a material adverse effect on our business. Armed conflicts or political instability in the region could negatively affect our business and could harm our results of operations.
Continued hostilities and both current and any future armed conflict, terrorist activity or political instability in the region could adversely affect our operations in Israel and adversely affect the market price of our securities. In addition, escalation of tensions or violence might require more widespread military reserve service by some of our Israeli employees and could result in a significant downturn in the economic or financial condition of Israel, either of which could have a material adverse effect on our operations in Israel and our business. In addition, escalation of tensions or violence might require more widespread military reserve service by some of our Israeli employees and might result in a significant downturn in the economic or financial condition of Israel, either of which could have a material adverse effect on our operations in Israel and our business.
Risks Related to our Outstanding Convertible Notes
Servicing our debt may require a significant amount of cash, and we may not have sufficient cash flow from our business to pay our indebtedness.
In December 2020, we issued $517.5 million in aggregate principal amount of 2026 Notes, which do not bear any regular interest, in a private placement. In June 2024, we privately exchanged $100.0 million in principal amount of newly issued 2029 Notes, which, depending on time- and event-based conditions, bear cash interest at a rate ranging from 4.375% to 5% and paid-in-kind interest at a rate ranging from 7% to 8%, for $146.0 million aggregate principal amount of outstanding 2026 Notes, and issued $50.0 million in aggregate principal amount of 2029 Notes in a private placement. In December 2024, we issued an additional $57.1 million in aggregate principal amount of 2029 Notes, including $7.1 million in aggregate principal amount of 2029 Notes issued as paid-in-kind interest. The remaining 2026 Notes will need to be refinanced on or prior to their December 15, 2026 maturity. Further, if greater than $60.0 million principal amount of 2026 Notes remains outstanding 91 days prior to such maturity date, then the 2029 Notes will immediately become due and payable.
Our ability to make scheduled payments of the principal of, to pay interest on or to refinance our outstanding Notes or any additional future indebtedness depends on our future performance, which is subject to economic, financial, competitive and other factors beyond our control.Our ability to make scheduled payments of the principal of, to pay interest on or to refinance our Notes or any additional future indebtedness depends on our future performance, which is subject to economic, financial, competitive and other factors beyond our control. Our business may not generate cash flow from operations in the future sufficient to service our debt and make necessary capital expenditures. If we are unable to generate such cash flow, we may be required to adopt one or more alternatives, such as selling assets, restructuring debt or obtaining additional debt financing or equity capital on terms that may be onerous or highly dilutive. Our ability to refinance our current or any future indebtedness will depend on the capital markets and our financial condition at such time. We may not be able to engage in any of these activities or engage in these activities on desirable terms, which could result in a default on our debt obligations. In addition, any of our future debt agreements may contain restrictive covenants that may prohibit us from adopting any of these alternatives. Our failure to comply with these covenants could result in an event of default which, if not cured or waived, could result in the acceleration of our debt.
The terms of our First Lien Convertible Senior Notes due 2029 require us to meet certain operating and financial covenants and place restrictions on our operating and financial flexibility. If we raise additional capital through debt financing, the terms of any new debt could further restrict our ability to operate our business.
The 2029 Notes are guaranteed on a senior basis by certain of our direct and indirect domestic and foreign subsidiaries and secured by first priority security interests in substantially all of the assets of the Company and the subsidiary guarantors, subject to customary exceptions.
The indenture governing the 2029 Notes restricts our ability to, among other things, pursue certain dispositions, mergers or acquisitions, encumber our intellectual property, incur debt, preferred stock or liens, pay dividends or make other payments in respect of our capital stock, or make investments and engage in certain business transactions. The indenture governing the 2029 Notes also includes a financial covenant that requires us at all times to maintain a minimum cash balance of $60.0 million (excluding proceeds of the 2029 Notes). Our failure to comply with these covenants could result in an event of default which, if not cured or waived, could result in the acceleration of our debt.
If we raise any additional debt financing, the terms of such additional debt could further restrict our operating and financial flexibility.
We may not have the ability to raise the funds necessary to settle conversions of our outstanding convertible debt securities and cash-settled warrants in cash or to repurchase our outstanding convertible debt securities upon a fundamental change, and
37
any future debt may contain limitations on our ability to pay cash upon conversion or repurchase of our outstanding convertible debt securities and cash-settled warrants.
Holders of our outstanding Notes have the right to require us to repurchase all or a portion of their Notes upon the occurrence of a fundamental change before the maturity date at a fundamental change repurchase price equal to 100% of the principal amount of the Notes to be repurchased, plus accrued and unpaid interest, (including cash and PIK components thereof in the case of the 2029 Notes), if any, plus, in the case of the 2029 Notes, an amount equal to 66% of the remaining future interest payments (including cash and PIK components thereof) that would have been payable through June 15, 2029, discounted at a rate equal to the comparable treasury rate plus 50 basis points. In addition, upon conversion of the Notes, we are required to make cash payments in respect of the Notes being converted (except, in the case of the 2026 Notes, if we elect to deliver solely shares of our common stock to settle such conversion (other than paying cash in lieu of delivering any fractional share)). In addition, upon conversion of the Notes, unless we elect to deliver solely shares of our common stock to settle such conversion (other than paying cash in lieu of delivering any fractional share), we are required to make cash payments in respect of the Notes being converted. Further, upon the exercise of the cash-settled warrants, we are required to make cash payments in respect of the cash-settled warrants being exercised (except to the extent that, following payment, we would have “available cash” (as defined therein) of less than $100.0 million, in which case we may defer payment of the settlement amount at an annualized interest rate of 6.0%, compounded monthly).
However, we may not have enough available cash or be able to obtain financing at the time we are required to make repurchases of the Notes surrendered therefor, to pay cash with respect to the Notes being converted or to pay cash with respect to the cash-settled warrants being exercised. In addition, our ability to repurchase Notes, to pay cash upon conversions of Notes or to pay cash upon exercises of cash-settled warrants may be limited by law, regulatory authority, or agreements governing our indebtedness. In addition, our ability to repurchase Notes or to pay cash upon conversions of Notes may be limited by law, regulatory authority, or any agreements governing our future indebtedness. Our failure to repurchase Notes at a time when the repurchase is required by the governing indenture or to pay any cash upon conversions of Notes as required by the governing indenture would constitute a default under the governing indenture. Our failure to repurchase Notes at a time when the repurchase is required by the indenture or to pay any cash upon conversions of Notes as required by the indenture would constitute a default under the indenture. A default under the governing indenture or the fundamental change itself could also lead to a default under the indenture governing the other series of Notes or agreements governing any future indebtedness. If the payment of either or both Series of Notes were to be accelerated after any applicable notice or grace periods, we may not have sufficient funds to repay the Notes, to repurchase the Notes or to pay cash upon conversions of the Notes. If the payment of the related indebtedness were to be accelerated after any applicable notice or grace periods, we may not have sufficient funds to repay the indebtedness and repurchase the Notes or to pay cash upon conversions of Notes.
Provisions in the indentures for our outstanding convertible debt securities may deter or prevent a business combination that may be favorable to securityholders.Provisions in the indentures for the Notes may deter or prevent a business combination that may be favorable to you.
If a fundamental change occurs prior to the maturity date of the outstanding Notes, the holders of such Notes will have the right, at their option, to require us to repurchase all or a portion of their Notes. In addition, if a make-whole fundamental change occurs prior to the maturity date of a series of Notes, we will in some cases be required to increase the conversion rate for a holder that elects to convert its Notes of such series in connection with such make-whole fundamental change. In addition, if a make-whole fundamental change occurs prior the maturity date of the Notes, we will in some cases be required to increase the conversion rate for a holder that elects to convert its Notes in connection with such make-whole fundamental change. Furthermore, the indentures governing the outstanding Notes prohibit us from engaging in certain mergers or acquisitions unless, among other things, the surviving entity assumes our obligations under the relevant series of Notes. Furthermore, the indentures for the Notes prohibit us from engaging in certain mergers or acquisitions unless, among other things, the surviving entity assumes our obligations under the Notes. These and other provisions in the indentures governing the Notes could deter or prevent a third party from acquiring us even when the acquisition may be favorable to securityholders.
The conditional conversion feature of our outstanding convertible debt securities, if triggered, may adversely affect our financial condition and operating results.•The conditional conversion feature of the Notes, if triggered, may adversely affect our financial condition and operating results.
In the event the conditional conversion feature of an outstanding series of Notes is triggered, holders of the relevant series of Notes will be entitled to convert their Notes of such series at any time during specified periods at their option. If one or more holders elect to convert their Notes (unless, in the case of the 2026 Notes, we elect to satisfy our conversion obligation by delivering solely shares of our common stock (other than paying cash in lieu of delivering any fractional share)), we would be required to settle a portion or all of our conversion obligation through the payment of cash, which could adversely affect our liquidity. If one or more holders elect to convert their Notes, unless we elect to satisfy our conversion obligation by delivering solely shares of our common stock (other than paying cash in lieu of delivering any fractional share), we would be required to settle a portion or all of our conversion obligation through the payment of cash, which could adversely affect our liquidity. In addition, even if holders of the relevant series of Notes do not elect to convert their Notes of such series, we could be required under applicable accounting rules to reclassify all or a portion of the outstanding principal of the Notes of such series as a current rather than long-term liability, which would result in a material reduction of our net working capital. In addition, even if holders of Notes do not elect to convert their Notes, we could be required under applicable accounting rules to reclassify all or a portion of the outstanding principal of the Notes as a current rather than long-term liability, which would result in a material reduction of our net working capital.
The capped call transactions may affect the value of our outstanding convertible debt securities and our common stock.The capped call transactions may affect the value of the Notes and our common stock.
In connection with the transaction in which we issued the 2026 Notes, we entered into capped call transactions with certain option counterparties. The capped call transactions are expected generally to reduce the potential dilution to our common stock upon any conversion of the 2026 Notes and/or offset any cash payments we are required to make in excess of the principal
38
amount of the converted 2026 Notes, as the case may be, upon any conversion of the 2026 Notes, with such reduction and/or offset subject to a cap.
The option counterparties or their respective affiliates are expected to modify their hedge positions by entering into or unwinding various derivatives with respect to our common stock and/or purchasing or selling our common stock, the 2026 Notes or other of our securities or instruments (if any), in secondary market transactions prior to the maturity of the 2026 Notes (and are likely to do so during any observation period related to a conversion of the 2026 Notes or following any earlier conversion or any repurchase of the 2026 Notes by us on any fundamental change repurchase date or otherwise).The option counterparties or their respective affiliates are expected to modify their hedge positions by entering into or unwinding various derivatives with respect to our common stock and/or purchasing or selling our common stock, the Notes or other of our securities or instruments (if any), in secondary market transactions prior to the maturity of the Notes (and are likely to do so during any observation period related to a conversion of Notes or following any earlier conversion or any repurchase of Notes by us on any fundamental change repurchase date or otherwise). This activity could also cause or avoid an increase or a decrease in the market price of our common stock or the 2026 Notes, which could affect a holder’s ability to convert the 2026 Notes and, to the extent the activity occurs during any observation period related to a conversion of the 2026 Notes, it could affect the amount and value of the consideration that a holder will receive upon conversion of such 2026 Notes. This activity could also cause or avoid an increase or a decrease in the market price of our common stock or the Notes, which could affect a holder’s ability to convert the Notes and, to the extent the activity occurs during any observation period related to a conversion of Notes, it could affect the amount and value of the consideration that a holder will receive upon conversion of such Notes.
The potential effect, if any, of these transactions and activities on the market price of our common stock or the 2026 Notes will depend in part on market conditions and cannot be ascertained at this time.44The potential effect, if any, of these transactions and activities on the market price of our common stock or the Notes will depend in part on market conditions and cannot be ascertained at this time. Any of these activities could adversely affect the value of our common stock and the value of the 2026 Notes (and as a result, the amount and value of the consideration that a holder would receive upon the conversion of any 2026 Notes) and, under certain circumstances, a holder’s ability to convert 2026 Notes. Any of these activities could adversely affect the value of our common stock and the value of the Notes (and as a result, the amount and value of the consideration that a holder would receive upon the conversion of any Notes) and, under certain circumstances, a holder’s ability to convert his or her Notes.
We do not make any representation or prediction as to the direction or magnitude of any potential effect that the transactions described above may have on the price of our common stock or the 2026 Notes. In addition, we do not make any representation that the option counterparties or their respective affiliates will engage in these transactions or that these transactions, once commenced, will not be discontinued without notice.
Risks Related to our Common Stock
Our stock price has been, and may continue to be, highly volatile, which could reduce the value of your investment and subject us to litigation.
The price of our common stock has fluctuated significantly in the past and may continue to be highly volatile, with extreme price and volume fluctuations. Our trading price could fluctuate substantially in the future, including in response to the following factors, some of which are beyond our control:
•quarterly variations in our operating results or those of our competitors;
•earnings announcements that are not in line with analyst expectations;
•changes in recommendations or financial estimates by securities analysts;
•announcements or rumors about mergers or strategic acquisitions by us or by our competitors;
•announcements about customer additions and cancellations or failure to complete significant sales;
•changes in market valuations of companies that investors believe are comparable to us;
•additions or departures of key personnel;
•consequences of unexpected geopolitical events, natural disasters, acts of war or climate change;
•pandemics, epidemics or similar widespread public health concerns; and
•general economic, political and market conditions, such as recessions, political unrest or terrorist attacks, or in the specific locations where we operate, such as the United States, Israel and the U.K.
In addition, extreme price and volume fluctuations in the stock markets generally, and in the markets for technology companies in particular, could cause the market price for our common stock to decline. As a result of such volatility in the market price of our common stock, we have been the subject of securities class action litigation and may in the future be the target of similar litigation, which could result in substantial costs and distract management’s attention and resources.
If our common stock continues to trade below $1.00, we may fail to meet the continued listing requirements of The Nasdaq Stock Market LLC (“Nasdaq”), which could result in a delisting of our common stock.
39
Our common stock currently is listed on The Nasdaq Global Select Market. We are required to meet specified financial requirements in order to maintain such listing, including a closing bid price of at least $1.00. If the closing bid price of our common stock is less than $1.00 for 30 consecutive trading days, then our common stock will be subject to delisting. As of the date of the filing of this Form 10-K, the closing bid price of our common stock has been below $1.00 for six trading days (not including the date of filing of this Form 10-K). Our common stock closing bid price also was below $1.00 on multiple occasions during 2024, including on March 14, 2024, from March 28, 2024 through July 17, 2024; on July 19, 2024; from November 8, 2024 through November 22, 2024 and from November 26, 2024 through December 27, 2024.
We can provide no assurance that we will be able to maintain or restore our compliance with the listing requirements or that any actions taken by us in an effort to maintain or restore our compliance would allow our common stock to remain listed, stabilize the market price of our common stock, improve the liquidity of our common stock, prevent our common stock from again dropping below the minimum bid price requirement, or prevent future non-compliance with the listing requirements. In addition, to maintain a listing with Nasdaq, we must satisfy minimum financial and other continued listing requirements and standards, including those regarding minimum stockholders’ equity, and certain corporate governance requirements. If we are unable to satisfy these requirements or standards, we could be subject to delisting, which would have a negative effect on the price of our common stock and would impair your ability to sell or purchase our common stock when you wish to do so. If we are unable to comply with these guidelines or controls, or if our customers are unable to obtain regulatory approval to use our service where required, our business may be harmed and we may be unable to conduct business with customers in such industries. Further, the failure of our common stock to be listed or quoted on any of The Nasdaq Global Select Market, The Nasdaq Global Market or The New York Stock Exchange would constitute a “fundamental change” under the indentures governing the 2026 Notes and the 2029 Notes.
If our common stock is delisted from Nasdaq, it is unlikely that our common stock would qualify for listing on another national securities exchange in the United States, and trading of our common stock would most likely take place on an over-the-counter market established for unlisted securities, such as the OTCQX, the OTCQB or the Pink Market maintained by OTC Markets Group Inc. We cannot assure you that our common stock, if delisted from Nasdaq, will ever be listed on another securities exchange or quoted on an over-the-counter quotation system. An investor would likely find it less convenient to sell, or to obtain accurate quotations in seeking to buy, our common stock on an over-the-counter market, and many investors would likely not buy or sell our common stock due to difficulty in accessing over-the-counter markets, policies preventing them from trading in securities not listed on a national exchange or other reasons. Accordingly, delisting from Nasdaq could make trading our common stock more difficult for investors, likely leading to declines in our share price, trading volume and liquidity. Delisting from Nasdaq could also result in negative publicity and make it more difficult for us to raise additional capital. The absence of such a listing may adversely affect the acceptance of our common stock as transaction consideration or the value accorded our common stock by other parties. Further, if we are delisted, we would also incur additional costs under state blue sky laws in connection with any sales of our securities. These requirements could severely limit the market liquidity of our common stock and the ability of our stockholders to sell our common stock in the secondary market.
If our common stock is delisted, it may come within the definition of “penny stock” as defined in the Exchange Act and would be covered by Rule 15g-9 of the Exchange Act. This rule imposes additional sales practice requirements on broker-dealers who sell securities to persons other than established customers and accredited investors which may further limit the market liquidity of our common stock and the ability of our stockholders to sell our common stock in the secondary market. The regulations relating to penny stocks, coupled with the typically higher cost per trade to the investor of penny stocks due to factors such as broker commissions generally representing a higher percentage of the price of a penny stock than of a higher-priced stock, would further limit the ability of investors to trade in our common stock.
Our common stock is traded on more than one market and this may result in price variations.
Our common stock is currently traded on The Nasdaq Global Select Market and the TASE. Trading in our common stock on these markets takes place in different currencies (U.S. dollars on The Nasdaq Global Select Market and New Israeli Shekels (“NIS”) on the TASE) and at different times (due to different time zones, trading days and public holidays in the United States and Israel). The trading prices of our common stock on these two markets may differ due to these and other factors. Any decrease in the trading price of our common stock on one of these markets could cause a decrease in the trading price of our common stock on the other market. Differences in trading prices on the two markets could negatively impact our trading price.
Future sales of substantial amounts of our common stock may negatively affect our stock price.
If we or our stockholders sell substantial amounts of our common stock, including shares issuable upon the exercise of outstanding options and warrants, or upon the conversion of 2026 Notes or 2029 Notes, in the public market, or if the market perceives that these sales might occur, the market price of our common stock could fall. These sales also might make it more
40
difficult for us to sell equity securities in the future at a time and price that we deem appropriate. No prediction can be made as to the effect, if any, that market sales of our common stock will have on the market price of our common stock.
Provisions in our charter documents and Delaware law could discourage, delay, or prevent a takeover that stockholders may consider favorable.
Provisions in our amended and restated certificate of incorporation and amended and restated bylaws may have the effect of discouraging, delaying or preventing a change in control or changes in our management that stockholders may deem advantageous. These provisions include the following:
•Our board of directors is divided into three classes, with each class serving three-year staggered terms, which prevents stockholders from electing an entirely new board of directors at any annual meeting;
•Vacancies on our board of directors may only be filled by a vote of a majority of directors then in office, even if less than a quorum;
•Our amended and restated certificate of incorporation prohibits cumulative voting in the election of directors or any other matters. This limits the ability of minority stockholders to elect director candidates;
•Our stockholders may only act at a duly called annual or special meeting and may not act by written consent;
•Stockholders must provide advance notice to nominate individuals for election to our board of directors or to propose other matters that can be acted upon at a stockholders’ meeting;
•We require supermajority voting by stockholders to amend certain provisions in our amended and restated certificate of incorporation and to amend our amended and restated bylaws; and
•Our amended and restated bylaws expressly authorize a supermajority of the board of directors to amend our amended and restated bylaws.
As a Delaware corporation, we are also subject to Section 203 of the Delaware General Corporation Law, which generally prohibits a Delaware corporation from engaging in any of a broad range of business combinations with an interested stockholder for a period of three years following the date on which the stockholder became an interested stockholder, unless certain conditions are met. These anti-takeover provisions could discourage, delay or prevent a change in control of our company, whether or not it is desired by or beneficial to our stockholders, which in turn could have a material adverse effect on the market price of our common stock. This anti-takeover provision defenses could discourage, delay or prevent a change in control of our company, whether or not it is desired by or beneficial to our stockholders, which in turn could have a material adverse effect on the market price of our common stock.
Item 1B. Unresolved Staff Comments
None.
Item 1C.Item 1A. Cybersecurity
Risk management and strategy
Our cybersecurity program is designed to protect our information systems from cyber threats and to ensure the confidentiality, integrity and availability of systems and information used, owned or managed by the Company related to our employees, our customers and their users. This involves an ongoing effort to protect against, detect and respond to cybersecurity threats and vulnerabilities. LivePerson maintains a security risk management program that is tasked with determining the cybersecurity threats that pose the greatest risk to the Company. This program is managed by the Security Risk Committee, chaired by the Chief Security Officer (“CSO”), as well as representative members from security, operations, and internal audit leadership. The committee meets at least twice annually. A resultant risk assessment produced by the committee is leveraged to inform senior leadership and our Board of Directors on top areas of risk, as well as to shape the security and technology team’s roadmap.
41
Our cybersecurity program includes a number of components, such as:
•regular cybersecurity risk assessments, audits, and penetration tests;
•policies generally aligned with industry standards such as Information Security Standard (“ISO”) / International Electrotechnical Commission –27001 and the PCI Data Security Standard;
•measures to block and prevent certain malicious activity, such as endpoint detection and response controls;
•measures to block and prevent certain network attacks, such as firewalls and Distributed Denial of Service mitigation tools;
•measures to secure remote access, such as virtual private networks and multi-factor authentication;
•cybersecurity training programs for employees, contractors and agents, including regular phishing simulations;
•a vulnerability disclosure program to compensate researchers for responsible disclosure of vulnerabilities in our platform;
•the maintenance of a Security Incident Response Plan with periodic tabletop testing; and
•third-party risk management processes designed to manage risks associated with vendors and suppliers.
The goal of the Company’s information security program is to manage risks in a prioritized fashion; however, control gaps and/or their related control effectiveness, resource constraints, and execution failure can pose cybersecurity risk to the Company. In the event of a cyber incident, the Company has a process in place whereby the information security team will alert the appropriate levels of management, as well as the legal and finance departments so that the materiality of any such event can be determined.
•periodic cybersecurity assessments, such as maturity assessments against the National Institute of Standards and Technology Cybersecurity Framework;
•managed detection and response for certain public cloud environments;
•penetration testing;
•continuous proactive threat hunting;
•cyber threat intelligence services including dark web monitoring; and
•audits against industry standards including Systems and Organization Controls 2 (“SOC 2”), ISO 27001, PCI, and the HITRUST CST.
We experience cyber-attacks of varying degrees on a regular basis in the ordinary course of our business. As of the date of this report and for the time period of January 1, 2024, through December 31, 2024, the Company is not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. However, there can be no assurance that we will not be materially affected by such risks in the future. For information on the cybersecurity threats and risks we face and the potential impacts on the business related thereto, see Item 1A. Risk Factors – Risks Related to Security Vulnerabilities and Service Reliability.
Governance
42
•performance of risk assessments on at least an annual basis by the Security Risk Committee;
•providing SOC capabilities for the detection and response of cyber incidents;
•serving as the point of contact for reporting actual or suspected cyber incidents;
•managing compliance and certification for in-scope security related compliance frameworks and regulations;
•managing internal and external penetration tests, vulnerability scans, and the Company’s vulnerability disclosure program; and
Recently Filed
Click on a ticker to see risk factors
Ticker * | File Date |
---|---|
HWBK | 17 hours ago |
TRSO | 18 hours ago |
SAIC | 18 hours ago |
BHRB | 18 hours ago |
NUVR | 19 hours ago |
TETEF | 19 hours ago |
NRC | 20 hours ago |
PACK | 21 hours ago |
CVGI | 22 hours ago |
NEWT | 22 hours ago |
PACB | 22 hours ago |
CTGO | 22 hours ago |
SNDA | 22 hours ago |
CRVO | 22 hours ago |
MBX | 22 hours ago |
PLX | 23 hours ago |
TSQ | 1 day ago |
FMCB | 3 days, 11 hours ago |
ANIK | 3 days, 12 hours ago |
ACR | 3 days, 12 hours ago |
BGSF | 3 days, 13 hours ago |
NXU | 3 days, 13 hours ago |
SSBK | 3 days, 13 hours ago |
BPRN | 3 days, 13 hours ago |
HNVR | 3 days, 13 hours ago |
MUX | 3 days, 13 hours ago |
HYAC | 3 days, 13 hours ago |
LPSN | 3 days, 13 hours ago |
NEN | 3 days, 13 hours ago |
HSON | 3 days, 13 hours ago |
BMRC | 3 days, 13 hours ago |
UHG | 3 days, 13 hours ago |
AMTX | 3 days, 13 hours ago |
GRI | 3 days, 13 hours ago |
GAN | 3 days, 13 hours ago |
USCB | 3 days, 13 hours ago |
LSBK | 3 days, 13 hours ago |
SKYT | 3 days, 14 hours ago |
XPOF | 3 days, 14 hours ago |
MYPS | 3 days, 14 hours ago |
FRAF | 3 days, 14 hours ago |
HBIA | 3 days, 14 hours ago |
AROW | 3 days, 14 hours ago |
WMT | 3 days, 14 hours ago |
MCHX | 3 days, 14 hours ago |
BZFD | 3 days, 14 hours ago |
MX | 3 days, 14 hours ago |
MNTK | 3 days, 14 hours ago |
KBSR | 3 days, 14 hours ago |
NRXP | 3 days, 14 hours ago |