Risk Factors Dashboard
Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.
View risk factors by ticker
Search filings by term
Risk Factors - NOW
-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing
ITEM 1A.RISK FACTORS
We take a comprehensive approach to cybersecurity risk management. While securing the data customers and other stakeholders entrust to us is a top priority, we, like all companies, are subject to threats of breaches of our cybersecurity programs. Our board of directors (the “Board”) and our management are actively involved in the oversight of our risk management program, of which cybersecurity represents an important component. As described in more detail below, we have established policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats. We have devoted significant financial and personnel resources to implement and maintain security measures to meet regulatory requirements and customer expectations, and we intend to continue to make significant investments in our data and cybersecurity infrastructure. There can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective as cyber criminals are becoming more sophisticated and effective every day and increasingly targeting enterprise software companies. There can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective. Although our Risk Factors include further detail about the material cybersecurity risks we face, we believe that risks from prior cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected our business to date. We can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business strategy, results of operations, or financial condition.
Our policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall risk management program and are based on frameworks established by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization and other applicable industry standards. Our cybersecurity program in particular focuses on the following key areas:
Third-Party Risk Management
We have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal, and upon detection of an increase in risk profile. We use a variety of inputs in such risk assessments, including information supplied by providers and third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party providers, as appropriate.
Our cybersecurity policies, standards, processes and practices are regularly assessed by consultants and external auditors. These assessments include a variety of activities including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. For example, in 2022, 2023 and 2024 we conducted independent cyber maturity assessments to review our controls against the NIST Cybersecurity Framework. For example, in 2022 and 2023, we conducted independent cyber audits to assess our controls against the NIST Cybersecurity Framework. The results of significant assessments are reported to management, the Board and Audit Committee. Cybersecurity processes are adjusted, as appropriate, based on the information provided from these assessments. Cybersecurity processes are adjusted based on the information provided from these assessments. We have also obtained industry certifications and attestations that demonstrate our dedication to protecting the data our customers entrust to us.
Our Board, in coordination with the Audit Committee, oversees our management of cybersecurity risk. They receive regular reports from management about the prevention, detection, mitigation, and remediation of material information security risks, including cybersecurity incidents and vulnerabilities. They receive regular reports from management about the prevention, detection, mitigation, and remediation of cybersecurity incidents, including material security risks and information security vulnerabilities. Our Audit Committee is responsible for overseeing our cybersecurity program. Our Audit Committee directly oversees our cybersecurity program. The Audit Committee receives regular updates from management on cybersecurity risk resulting from risk assessments, progress of risk reduction initiatives, third-party compliance certifications, control maturity assessments, and relevant ServiceNow, customer and industry cybersecurity incidents. The Audit Committee receives regular updates from management on cybersecurity risk resulting from risk assessments, progress of risk reduction initiatives, external auditor feedback, control maturity assessments, and relevant internal and industry cybersecurity incidents.
• General Counsel, who oversees the legal and compliance functions
These individuals, among others, also serve as members of management’s Security Steering Committee (the “Security Committee”), which is a governing body that drives alignment on security decisions across the Company. The Security Committee meets quarterly to review security performance metrics, identify security risks, and assess the status of approved security enhancements. The Security Committee also considers and makes recommendations on security policies and procedures, security service requirements, and risk mitigation strategies.
and information security for almost 20 years, including serving as the Chief Information Security Officer or Chief Security Officer at two other large public companies. He holds an undergraduate and master’s degree in computer science. Our CTO has served in various roles in information technology for over 25 years and has been with us since 2011. Our General Counsel has over 20 years of experience managing risks, including risks arising from cybersecurity threats, at several large public technology companies.
Investing in our securities involves risks. You should carefully consider the risks and uncertainties described below, together with the other information in this Annual Report on Form 10-K, before making an investment decision. The occurrence of any of the following risks, or additional risks and uncertainties not presently known to us or that we currently believe to be immaterial, could materially and adversely affect our business, financial condition, results of operations, stock price or reputation. The following risks have been grouped by categories and are not in order of significance or probability of occurrence.
Risk Factors Summary
This summary provides an overview of the risks we face and should not be considered a substitute for the more fulsome risk factors discussed immediately following this summary.
•Risks Related to Our Ability to Grow Our Business
•Laws, regulations and customer expectations regarding the use, storage and movement of data may restrict our ability to continue to optimize our platform.
•A failure to innovate in response to rapidly evolving technological changes and in the midst of an intensely competitive market may harm our competitive position and business prospects.
•We may not successfully increase our penetration of international markets or manage risks associated with foreign markets.
•Incorporating AI technology into our offerings may result in operational, legal, regulatory, ethical and other challenges.
•We rely on our network of partners for an increasing portion of our revenues, and if these partners fail to perform, our business may be harmed.
•Doing business with the public sector and heavily-regulated entities subjects us to risks related to government procurement processes, regulations and contracting requirements.
•If we fail to comply with applicable anti-corruption and anti-bribery laws, export control laws, economic and trade sanctions laws, or other global trade laws, we could be subject to penalties and civil and/or criminal sanctions and our business could be materially adversely affected.
•Our customer deals are becoming more complex, which tend to involve longer and more expensive sales cycles, increased pricing pressure and implementation and configuration challenges.
•As we acquire or invest in companies and technologies, we may not realize the expected business or financial benefits and the acquisitions and investments may divert our management’s attention and result in additional shareholder dilution or costs.
•Risks Related to the Operation of Our Business
•Actual or perceived cybersecurity events experienced by us or our third-party service providers may create the perception that our platform is not secure, and we may lose customers or incur significant liabilities.
•We may lose key members of our management team or qualified employees or may not be able to attract and retain employees we need.
•Delays in the release of, or actual or perceived defects in, our products may slow the adoption of our latest technologies, reduce our ability to efficiently provide services, decrease customer satisfaction, and adversely impact future product sales.
•Disruptions or defects in our services could damage our customers’ businesses, subject us to substantial liability and harm our business.
•Delays in improving our information systems and processes could interfere with our ability to support our existing and growing customer and employee base as we scale.
•We may not be able to protect or enforce our intellectual property rights.
•Our use of open-source software could harm our ability to sell our products and services and subject us to possible litigation.
•Various factors, including our customers’ business, integration, migration, compliance and security requirements, or errors by us, our partners, or our customers, may cause implementations of our products to be delayed, inefficient or otherwise unsuccessful.
•Our failure or perceived failure to achieve our ESG goals or maintain ESG practices that meet evolving stakeholder expectations could adversely affect us.
•We may face natural disasters, including climate change, and other events beyond our control.
14
•Risks Related to the Financial Performance or Financial Position of Our Business
•Because we generally recognize revenues from our subscription service over the subscription term, a decrease in new subscriptions or renewals may not be immediately reflected in our operating results.
•As our business grows, we expect our revenue growth rate to decline over the long term.
•Changes in our effective tax rate or disallowance of our tax positions may adversely affect our business.
•We may be adversely affected by our debt service obligations.
•Risks Related to General Economic Conditions
•Our industry and business may be harmed by global economic conditions.
•We may be harmed by foreign currency exchange rate fluctuations.
•Risks Related to Ownership of Our Common Stock
•Our stock price is likely to continue to be volatile.
•Provisions in our governing documents or Delaware law might discourage, delay or prevent a change of control or changes in our management and, therefore, depress our stock price.Provisions in our governing documents, Delaware law or 2030 Notes might discourage, delay or prevent a change of control or changes in our management and, therefore, depress our stock price.
Risks Related to Our Ability to Grow Our Business
Laws, regulations and customer expectations regarding the use, storage and movement of data may restrict our ability to continue to optimize our platform.
Governments have adopted, and likely will continue to adopt, laws and regulations affecting the use, storage and movement of data, including laws related to data privacy and security, the use of machine learning and artificial intelligence (“AI”), and data sovereignty or residency requirements. Changing laws, regulations and standards applying to the collection, storage, use, sharing, portability, transfer or other control or processing of data, including personal data, could affect our ability to efficiently and cost-effectively offer our services and to develop our products and services for maximum utility, as well as our customers’ ability to use data or share data. Such changes may restrict our ability to use, store or otherwise process customer data in connection with providing services and could alter or increase our compliance requirements. In some cases, this could impact our ability to offer our services in certain locations or our customers’ ability to deploy our services globally. For example, the EU Data Act has significant requirements regarding data portability, interoperability and accessibility and unclear data transfer restrictions, any of which could impact our operations. For example, the EU Data Act is a proposed law with potential significant requirements regarding data portability, interoperability and accessibility and unclear data transfer restrictions, any of which could impact our operations. In addition, the relatively new Trans-Atlantic Data Privacy Framework, which facilitates the transfer of data between the United States (“U.S.”) and European Union (“EU”), may be subject to legal challenges and regulatory interpretations that could create uncertainties and impact our operations and compliance obligations.
We offer region-specific services, by which customer data is hosted locally and customers may elect to receive support from locally-based ServiceNow teams. Setting up and maintaining these region-specific services require significant investment, including to comply with applicable laws and regulations. Actual or perceived non-compliance with those laws and regulations could result in proceedings or investigations against us by regulatory authorities or others, lead to significant fines, damages, orders, litigation or reputational harm and may otherwise adversely impact our business.
We will also need to continually adapt to customer privacy and security requirements as they change over time. For example, as customers increasingly adopt a hybrid (on-premises and off-premises/hyperscale cloud) approach for their IT workloads, our cloud services may fail to address evolving customer requirements, including data localization. Further, due to heightened concerns relating to privacy and security regulatory matters, our customers may request certain certifications and failure to obtain, or consistently maintain, those certifications may adversely impact our reputation and business.
A failure to innovate in response to rapidly evolving technological changes and in the midst of an intensely competitive market may harm our competitive position and business prospects.
We compete in markets that evolve rapidly.We compete in markets that continue to evolve rapidly. The pace of innovation will continue to accelerate as customers recognize the advantages of acquiring leading digital technologies and adopting modern cloud-based infrastructure. Cutting-edge capabilities such as AI, machine learning, hyper automation, low-code/no-code application development, system observability and predictive insights become increasingly relevant to the customer’s evolving needs. With this rapid evolution, we are increasingly competing with alternative solutions and approaches to solve customer needs, and we expect additional competition as we shift our products and services to compete with providers in new and adjacent markets.
Competitors, regardless of their size, may be able to respond more quickly and effectively to new or changing opportunities, technologies, standards, customer requirements and buying practices. They may introduce new technology, solve similar problems in different ways or more effectively utilize existing technology that reduces demand for our services. They may utilize acquisitions, integrations or consolidations to offer integrated or bundled products, enhanced
15
functionality or other advantages. Some of our existing competitors and potential competitors are larger and have greater name recognition, the ability to more efficiently scale their business, more established operations and customer relationships, and greater financial and technical resources than we do. “Systems of record” operators may attempt to create technology solutions or other mechanisms that would prevent our systems from integrating with theirs. They may create pricing pressures by reducing the price of competing products, services or subscriptions or bundling their offerings causing our offerings to appear relatively more expensive. Competition from cloud-based vendors may increase as they build business applications or AI powered automation solutions that compete with our products and services. We may also encounter customer reluctance or unwillingness to migrate away from their current solutions.
If we are not able to compete successfully, we could experience reduced sales and margins, losses or failure of our products to achieve or maintain market acceptance. Accordingly, to compete effectively, we must:
•identify and innovate in the right technologies;
•keep pace with rapidly changing technological developments, such as AI, which may disrupt resource and talent needs and the enterprise software marketplace;
•accurately predict and meet our customers’ changing digital transformation needs, priorities and adoption practices, including their technology infrastructures and buying and budgetary practices;
•invest in and continually optimize our own technology platform so that we continue to meet the very high-performance expectations of our customers;
•successfully deliver and promote new, scalable technologies and products to meet customer needs and priorities;
•efficiently integrate with technologies within our customers’ digital environments;
•expand our offerings into new and adjacent industries and comply with regulations in such industries;
•successfully sell to buyers who are not familiar with our offerings;
•profitably and efficiently market and sell our new and existing products;
•effectively scale our business processes and operations as we grow;
•successfully adapt new pricing models;
•promote ongoing customer relationships and customer value realization;
•effectively secure our platform, data and customers’ data; and
•effectively deliver, directly or through our partner ecosystem, the digital transformation process planning, IT systems architecture planning, and product implementation services that our customers require to be successful.
Further, in response to evolving customer needs, we may make significant investments in changing how we offer our products or services, such as bundling offerings or shifting to consumption-based pricing for support services or how our services are delivered or priced. However, customers may not be satisfied with these changes and, therefore, may not grow or maintain their business with us.
We may not successfully increase our penetration of international markets or manage risks associated with foreign markets.
Sales outside of North America represented 37% and 36% of our total revenues for the years ended December 31, 2024 and 2023, respectively. The growth of our business depends on our ability to increase our sales outside of the U.S. as a percentage of our total revenues. Additionally, operating in international markets requires significant investment and management attention and subjects us to varying regulatory, political and economic risks. We have made, and will continue to make, substantial investments in data centers, geographic-specific service delivery models, advisory councils, cloud computing infrastructure, sales, marketing, partnership arrangements, personnel and facilities in new geographic markets. We 15Table of Contentshave made, and will continue to make, substantial investments in data centers, geographic-specific service delivery models, advisory councils, cloud computing infrastructure, sales, marketing, partnership arrangements, personnel and facilities in new geographic markets. When we make these investments, it is typically unclear when we will see a return on our investment, and we may significantly underestimate the level of investment and time required to be successful. Our rate of acquisition of new large enterprise customers, a factor affecting our growth, has been generally lower in territories where we are less established and where there may be heightened or evolving regulations and operational and IP risks. We have experienced, and may continue to experience, difficulties in new geographic markets, including hiring qualified sales management personnel, penetrating the target market, and managing local operations. Risks associated with making our products and services available in international markets include, for example:
•compliance with multiple, conflicting and changing governmental laws and regulations;
•requirements to have local partner(s), local entity ownership limitations or technology transfer or sharing requirements, or to comply with data residency and transfer laws and regulations, privacy and data protection laws and regulations, which may increase operational costs and restrictions;
•the possibility that illegal or unethical activities of our local employees or business partners will be attributed to us or cause us harm;
•longer and potentially more complex sales and payment receipt cycles and other collection difficulties;
•different pricing and distribution environments;
•potential changes in international trade policies, tariffs, agreements and practices, including the adoption and expansion of formal or informal trade restrictions or regulatory frameworks that may favor local competitors;
16
•governmental direction, business practices and/or cultural norms that may favor local competitors;
•more prevalent cybersecurity, intellectual property and AI risks; and
•localization of our services, including translation into foreign languages and associated expenses.
If we are unable to manage these risks, our business will be adversely affected.
Incorporating AI technology into our offerings may result in operational, legal, regulatory, ethical and other challenges.
We are increasingly innovating and expanding offerings on our platform by integrating AI technology. We expect AI to be an increasingly important driver of future growth, although, like many innovations, it presents risks and uncertainties that may impact our ability to realize its desired or anticipated benefits for our business.
AI technology is rapidly evolving and to remain competitive, we will need to make significant investments to continue to successfully develop and incorporate the technology into our products. Our ability to incorporate AI technology into our products depends on the availability and pricing of third-party hardware and software equipment and technical infrastructure. Our competitors or other third parties may develop or incorporate AI into their products more quickly or successfully than us. Other companies may also have or in the future may obtain intellectual proprietary rights that would prevent, limit, or interfere with our ability to make, use, or sell our AI products. For these reasons, among others, we may not be able to compete effectively in the evolving AI market.
Our business model may be affected by global trends and laws that govern the use of AI and machine learning. For example, the EU AI Act places new requirements on providers of AI technologies that will need to be addressed in alignment with various deadlines in the coming years. These and other laws or regulations may cause us to modify our data handling and compliance practices, which could be costly or disruptive to our operations, and may also impact our ability to use certain data to support our products or our product development efforts or hinder our customers’ ability to adopt or continue to use our products.
We may face new or heightened legal, ethical and other challenges arising out of the perceived or actual impact of AI on human rights, intellectual property, privacy and employment, among other areas. For example, our use of AI could lead to copyright infringement or other intellectual property claims, potentially requiring us to pay compensation or licensing fees to third parties. Additionally, social and ethical concerns surrounding the use of AI in our offerings could harm our brand and may cause us to incur additional costs. Failure by us or others in our industry to adequately address these concerns could erode public confidence in AI and slow adoption of AI in our products.
We rely on our network of partners for an increasing portion of our revenues, and if these partners fail to perform, our business may be harmed.
An increasing portion of our revenues is generated by sales through our network of partners, including resellers, distributors and managed service providers. Increasingly, we and our customers rely on our partners to provide professional services, including custom implementations, and there may be insufficient qualified implementation partners available to meet customer demand. While we provide our partners with training and programs, including accreditations and certifications, these programs may not be effective or utilized consistently by partners. In addition, new partners may require extensive training and/or significant time and resources to become productive. Additionally, our relationships with partners may require us, along with our partners, to comply with complex regulations, contractual requirements and government procurement rules. Failure to adhere to these requirements could result in the loss of business opportunities, potential liabilities or penalties. For example, our partners could misrepresent to our customers the functionality of our platform or products, fail to perform services to our customers’ expectations, or violate laws or our corporate policies. Further, changes to our direct go-to-market models may cause friction with our partners. Changes to our direct go-to-market models may cause friction with our partners. Our partners may also use our platform to develop products and services that compete with our products and services, which could raise IP ownership concerns and strain these partnerships. In addition, our partners may use our platform to develop products and services that compete with our products and services, which could raise IP ownership concerns and strain these partnerships. If we fail to effectively manage and grow our network of partners, our ability to sell our products and efficiently provide our services may be impacted and our business may be harmed.
17
Doing business with the public sector and heavily-regulated entities subjects us to risks related to government procurement processes, regulations and contracting requirements.
We provide products and services to governmental and heavily-regulated entities directly and through our partners. We have made, and may continue to make, significant investments to support our efforts to sell to those entities. Processes to obtain authorizations and certifications required for us to provide our products and services to those entities often are lengthy and encounter delays, and we may not be able to satisfy, or maintain compliance with, the associated requirements.
A substantial majority of our sales to government entities in the U.S. have been made indirectly through our distributors, resellers or service provider partners. Doing business with government entities presents a variety of risks. The procurement process for governments and their agencies is highly competitive and time-consuming, may be subject to political influence and may involve different rules and conditions on the offering or pricing of products and services. We incur significant up-front time and expense without any assurance that we (or a third-party distributor, reseller or service provider) will win a contract. Beyond this, demand for our products and services may be adversely impacted by public sector budgetary cycles and funding availability that in any given fiscal cycle may be reduced or delayed, including in connection with an extended federal government shutdown, partisan gridlock or changes to government policy. Further, if we or our partners are successful in receiving a contract award, that award could be challenged during a bid protest process. Bid protests may result in an increase in expenses related to obtaining contract awards or an unfavorable modification or loss of an award. 16Table of ContentsBid protests may result in an increase in expenses related to obtaining contract awards or an unfavorable modification or loss of an award. Even if a bid protest were unsuccessful, the delay in the startup and funding of the work under these contracts may cause our actual results to differ materially and adversely from those anticipated.
Our customers also include non-U.S. governments, to which government procurement risks similar to those present in U.S. government contracting and regulatory compliance also apply, particularly in certain emerging markets where our customer base is less established. Across the globe, we have seen political volatility increase, with rapid changes in governments and increased partisanship affecting many aspects of government, including the ability to approve budgets and make commitments. This can significantly delay or impair a government’s ability to contract for software and services such as ours. We have also seen challenges to successful awards through bid protest procedures in jurisdictions outside the U.S. As our non-U.S. government business grows, we may see an increase in bid protests as part of the standard government procurement legal procedures that exist in many jurisdictions. In addition, compliance with complex regulations and contracting provisions in a variety of jurisdictions can be expensive and consume significant management resources. In certain jurisdictions, our ability to win business may be constrained by political and other factors unrelated to our competitive position in the market.
Our public sector customers may have contractual, statutory or regulatory rights to terminate current contracts with us or our third-party distributors or resellers for convenience or due to a default, though such risk may be assumed by such third-party distributor or reseller.In addition, public sector customers may have contractual, statutory or regulatory rights to terminate current contracts with us or our third-party distributors or resellers for convenience or due to a default, though such risk may be assumed by such third-party distributor or reseller. If a contract is terminated for convenience, we may only be able to collect fees for products or services delivered prior to termination and settlement expenses. If a contract is terminated due to a default, we may be liable for excess costs incurred by the customer for procuring alternative products or services or be precluded from doing further business with governmental entities. Further, we are required to comply with a variety of complex laws, regulations, and contractual provisions relating to the formation, administration, or performance of government contracts that give public sector customers substantial rights and remedies, many of which are not typically found in commercial contracts. These may also include rights with respect to price protection, refund and setoff, performance of services in languages other than English, the accuracy of information provided to the government, contractor compliance with supplier diversity policies, constraints on sales practices and other obligations that are particular to government contracts. These obligations may apply to us and/or our third-party resellers or distributors whose practices we may not control. Such parties’ non-compliance could create legal, contractual and customer satisfaction issues. Such parties’ non-compliance could create contractual and customer satisfaction issues.
We and governments routinely investigate and audit compliance with contractual and regulatory requirements. For example, as disclosed in Note 17 in the notes to our consolidated financial statements, the Company informed certain U.S. government agencies of an internal investigation and preliminary findings and is cooperating with, among others, the Department of Justice, which commenced its own investigation into the matters. If it is determined that we or our third-party distributors, resellers or service providers have failed to comply with applicable contractual or regulatory requirements, we may be subject to civil and criminal penalties and administrative sanctions, including termination of contracts, forfeiture of profits, cost associated with the triggering of price reduction clauses, fines, and suspensions or debarment from future government business, among others, all of which may adversely affect our business. If it is determined that we have failed to comply with these requirements, we may be subject to civil and criminal penalties and administrative sanctions, including termination of contracts, forfeiture of profits, cost associated with the triggering of price reduction clauses, fines, and suspensions or debarment from future government business, all of which may cause us to suffer reputational harm and adversely affect our business and operating results. In the United States, our federal business has been concentrated with a small number of third-party distributors, resellers or service providers. If one of those third parties is limited in its ability to do business with the government due to a regulatory or legal issue arising from their own conduct and we are not able to move our business to another third party, our business could be negatively impacted.
18
Further, we are increasingly doing business in heavily regulated industries, such as financial services, telecommunication, media and television, and health care. Current and prospective customers in those industries may be required to comply with more stringent regulations to subscribe to and/or implement our services. In addition, regulatory agencies may impose requirements on third-party vendors that we may not meet. Customers in these heavily-regulated industries often have a right to conduct audits of our systems, products and practices, and in some cases the regulators of customers in heavily-regulated industries may directly examine vendors that provide outsourced services to such customers. If one or more customers and/or regulators determine that some aspect of our business does not meet regulatory requirements, our ability to continue or expand our business with those customers may be restricted. If one or more customers determine that some aspect of our business does not meet regulatory requirements, our ability to continue or expand our business with those customers may be restricted.
If we fail to comply with applicable anti-corruption and anti-bribery laws, export control laws, economic and trade sanctions laws, or other global trade laws, we could be subject to penalties and civil and/or criminal sanctions and our business could be materially adversely affected.
As we continue to expand our business internationally, we will inevitably do more business with large private enterprises and the public sector in countries outside of the U.S. Increased business in countries with heightened levels of corruption subjects us and our officers and directors to increased scrutiny and potential liability from our business operations. We have an established compliance program, but there is a risk that our employees, partners, vendors, customers and agents, as well as those companies to which we outsource certain of our business operations, could violate our policies and applicable law, exposing us to additional scrutiny and potential liability. We have an established compliance program, but there is a risk that our employees, partners, customers and agents, as well as those companies to which we outsource certain of our business operations, could violate our policies and applicable law, exposing us to additional scrutiny and potential liability. We have experienced this in the past and may experience it again in the future. In addition, we are subject to customs laws that may impose tariffs on us, directly or indirectly. Higher tariffs on imports related to our operations could increase our operating costs. We are also subject to global trade laws that apply to our worldwide operations, including prohibitions or restrictions on conducting business in certain geographies or involving certain counterparties, end-users or end-use cases. In addition, we are subject to global trade laws that apply to our worldwide operations, including prohibitions or restrictions on conducting business in certain geographies or involving certain counterparties or end-users. As a result of the Russia-Ukraine conflict, for example, the U.S. and other jurisdictions have imposed economic and trade sanctions and export control restrictions against Russia and Belarus, as well as certain persons, assets and interests associated with those countries. If this conflict continues or if serious conflict arises elsewhere, the U.S. and other jurisdictions could impose wider economic and trade sanctions as well as export restrictions, which could impact our business opportunities and operations. Any violation of the U.S. Foreign Corrupt Practices Act of 1977, as amended, the UK Bribery Act, other applicable anti-corruption and anti-bribery laws, or applicable export control or economic and trade sanctions laws by our employees or third-party intermediaries could subject us to significant risks such as adverse media coverage and/or severe criminal or civil sanctions, which could materially adversely affect our reputation and business.
Our customer deals are becoming more complex, which tend to involve longer and more expensive sales cycles, increased pricing pressure and implementation and configuration challenges.
The customer deals we pursue are becoming more complex as we engage with increasingly larger enterprise customers with multiple workflow products that span the enterprise. These deals can lead to increased costs, longer sales cycles, greater competition and less predictability in our ability to close sales. These customers tend to require considerable time evaluating our portfolio of products and testing our platform prior to making a purchasing decision, require multiple levels of review and approval from a broader set of buyers and stakeholders, and demand more configuration, integration services and features, particularly when switching from legacy on-premises solutions. These conditions can arise suddenly and affect the rate of digital transformation spending and could adversely affect our customers’ or prospective customers’ ability or willingness to purchase our services, delay purchasing decisions, reduce the value or duration of their subscriptions, or affect renewal rates, all of which could harm our operating results. As a result, these sales opportunities may require us to devote significant sales support and professional services to a smaller number of transactions, diverting those resources from other sales opportunities. If we fail to effectively manage these risks, our business may be negatively affected. If we fail to effectively manage these risks, our business, financial condition, and results of operations may be negatively affected.
As we acquire or invest in companies and technologies, we may not realize the expected business or financial benefits and the acquisitions and investments may divert our management’s attention and result in additional shareholder dilution or costs.
We have acquired and invested in companies and technologies as part of our business strategy and will continue to evaluate and enter into potential strategic transactions, including, among other things, acquisitions of or investments in businesses, technologies, services, products and other assets.We have acquired and invested in companies and technologies as part of our business strategy and will continue to evaluate and enter into potential strategic transactions, including acquisitions of or investments in businesses, technologies, services, products and other assets, to expand or improve our service offerings and functionality, go-to-market and sales efforts, our operations or our ability to source necessary expertise and provide services in international locations. These transactions are intended to, among other things, expand or improve our service offerings and functionality, go-to-market and sales efforts, our operations or our ability to source necessary expertise and provide services in international locations. Although we conduct due diligence regarding these businesses and assets, our efforts may not reveal every material issue. Although we conduct reasonably extensive due diligence regarding these businesses and assets, our efforts may not reveal every material issue. Strategic transactions involve numerous risks, including:
•difficulties assimilating or integrating the businesses, technologies, products, personnel or operations of the acquired companies;
•failing to achieve the expected benefits of the acquisition or investment;
•potential loss of employees of the acquired company;
•inability to maintain relationships with customers, suppliers and partners of the acquired business;
19
•introducing vulnerabilities or threats by integrating acquired technologies or businesses;
•introducing increased complexity and burden to maintain the technology platform;
•potential adverse tax consequences;
•disruption to our business and diversion of management attention and other resources;
•potential financial, credit or regulatory risks associated with acquired customers, suppliers and partners of the acquired business;
•dependence on acquired technologies or licenses for which alternatives may not be available to us or which may involve significant cost or complexity;
•in the case of foreign acquisitions, the challenges associated with integrating operations across different cultures, languages, and legal regimes and any currency and regulatory risks associated with specific countries;
•data security or privacy risks, compliance requirements, or integration costs from the acquired technology or company;
•impairment of our investments or the possibility our investees will be unable to obtain future funding on favorable terms or at all; and
•potential unknown liabilities or disputes associated with the acquired businesses.
In addition, the amount or form of consideration we pay for acquisitions could adversely affect our financial condition or stock price. For example, if we finance an acquisition by issuing equity or convertible debt securities or loans, our existing shareholders may be diluted, or we could face constraints related to the terms of those securities or indebtedness.
Risks Related to the Operation of Our Business
Actual or perceived cybersecurity events experienced by us or our third-party service providers may create the perception that our platform is not secure, and we may lose customers or incur significant liabilities.
In the ordinary course of our business, we store, transmit, generate, and process our and our customers’ confidential, proprietary and sensitive data. As our business expands across the globe, the number of employees, contractors, vendors and other third parties remotely accessing our systems continues to grow. Our growing business operations increase our exposure to cyberattacks by a range of actors, who have used and will continue to use assorted tactics, techniques, and procedures, including malicious code, ransomware, social engineering, business email compromises, supply chain attacks, denial of service attacks and similar internet-enabled, fraudulent activity, and the frequency of those attacks have become more common. Our growing business operations increase our exposure to cyberattacks by a range of actors, who have used and will continue to use assorted tactics, techniques, and 18Table of Contentsprocedures, including malicious code, ransomware, social engineering, business email compromises, supply chain attacks, denial of service attacks and similar internet-enabled, fraudulent activity. Further, during times of war and other major conflicts, we and our third-party providers may be vulnerable to a heightened risk of geopolitically motivated attacks, including cyberattacks, that could materially disrupt our systems and operations, supply chain and ability to provide our services.
Cybersecurity threats are not limited to actors operating in the systems we control directly. Our increasing reliance on third-party providers and public cloud infrastructure introduces new cybersecurity risks to our business operations. Third-party security incidents have occurred in the past and are likely to continue, as we rely on third-party service providers and technologies to operate business systems in a variety of contexts. Supply chain attacks have also increased in frequency and severity. We cannot guarantee that our third-party service providers or our supply chain infrastructure have not been compromised or that they do not contain exploitable defects or bugs that could result in a breach of or disruption to our platform, systems and network or the systems and networks of third parties that support us and our business. While we have a vendor security review process, we cannot guarantee that our third-party service providers or our supply chain infrastructure have not been compromised or that they do not contain exploitable defects or bugs that could result in a breach of or disruption to our platform, systems and network or the systems and networks of third parties that support us and our business. Our ability to monitor the data security measures of our third-party providers is limited, and we necessarily depend in part on our providers to have in place and maintain adequate security measures to protect against unauthorized access, cyberattacks and the mishandling of data. Further, employee error or malfeasance in configuring, maintaining and using these services could impact our ability to monitor and secure them effectively.
We have identified vulnerabilities in our products and services in the past and expect to continue to do so in the future. We cannot be certain that we will be able to identify all vulnerabilities or address the vulnerabilities of which we become aware. There have been delays and may continue to be delays in developing patches that can be effectively deployed to address vulnerabilities. Further, there have been delays and may continue to be delays in developing patches that can be effectively deployed to address vulnerabilities. Further, security researchers and other individuals have in the past actively searched for, published and/or exploited actual and potential vulnerabilities in our products or services and will likely continue to do so in the future. Also, certain persons, including researchers, have in the past not abided by, and may in the future not abide by, our responsible disclosure program, which has resulted in, and could in the future result in the compromise of our systems or our or our customers’ data. Moreover, the incorporation of third-party or open-source software code into our or our customers’ systems increases the risk of exploitation of vulnerabilities. Moreover, the incorporation of third-party or open-source software code into our or our customers’ systems increases the risk of exploitation of vulnerabilities, such as the vulnerability in the Java logging library known as “log4j” that affected our industry. We also have inherited and may in the future inherit additional security risks from acquiring or partnering with other companies.
In most instances, our customers are responsible for administering access to the data held in their particular instance for their employees and service providers. While our software is delivered with certain preset configurations, we
20
understand that our customers require flexibility to configure the Now Platform to their specific business needs. We work closely with our customers to help them evaluate their security configurations, including providing guidance to align configuration settings with their business needs. Yet, in configuring our platform, both our employees and customers have made errors in the past and may do so again in the future. We are aware that, on occasion, both our customers and ServiceNow have configured certain settings on our platform, or retained preset configurations, in ways that may not align with preferred or recommended security levels, which can result in, and has resulted in, information being made more widely accessible than intended. We are aware that, on occasion, our customers and ServiceNow have configured certain settings on our platform, or retained preset configurations, in a manner not aligned with their preferred security levels, which can result in, and has resulted in, information being made more widely accessible than intended. Such misconfigurations can be, and have been, identified publicly, increasing the risk of data being exposed unintentionally. In certain cases, customers may misconfigure their systems and claim that they were not properly informed of the risks to their configuration.
Our data security system and data governance framework, designed to protect our and our customers’ information and prevent data loss, may not be effective at preventing material breaches caused by intentional or unintentional actions or inactions by employees, contractors or third parties. While we have security measures and a data governance framework in place designed to protect our and our customers’ information and prevent data loss, these measures may not be effective at preventing material breaches caused by intentional or unintentional actions or inactions by employees, contractors or third parties. Techniques used to sabotage or to obtain unauthorized access to systems are constantly evolving and may go undetected until a successful attack occurs. Moreover, we have experienced security incidents, which may reoccur in the future, that resulted in unauthorized access to, loss, or inadvertent disclosure of confidential, proprietary and sensitive information. We have observed attempts by third parties to induce or deceive our employees, contractors or users to fraudulently obtain access to our or our customers’ data or assets. In addition, our employees have fallen victim to phishing attacks in the past and are likely to again in the future. Further, despite our security measures, employees, contractors and other individuals (some of whom are supported by nation states) have gained, and in the future may gain, access to our systems to search for and exploit actual or potential vulnerabilities in our products or services or inflict other harms, such as deploying malware or stealing data. The success of any release depends on a number of factors, including our ability to manage the risks associated with actual or perceived quality or other defects or deficiencies, delays in the timing of releases or the adoption of releases by customers, and other complications that may arise during the early stages of introducing our products.
An actual or perceived security breach or compromise can have a material effect on ServiceNow’s operations, finances and reputation.An actual or perceived security breach can have a material effect on ServiceNow’s operations, finances and reputation. The adverse consequences can include accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to data; disruptions to our services; diversion of funds; litigation; indemnification and other contractual obligations; regulatory investigations; government fines and penalties; reputational damage; negative publicity; business and operational interruptions; loss of sales, customers, and partners; mitigation and remediation expenses; and other material costs and liabilities. In addition, the assessment and response to security incidents, as well as implementation of appropriate safeguards to protect against future incidents, can lead to material economic and operational consequences. These consequences can result regardless of whether the incident is suffered by us, affects our third-party service providers or stems from customers’ action or inaction. Moreover, even if a breach is unrelated to our security programs or practices, it could still cause us reputational harm and require us to undertake significant efforts to assess and respond to the breach, including further protecting our customers from their own vulnerabilities. There can be no assurance that any limitations of liability provisions in our subscription agreements, terms of use or other agreements would be enforceable or adequate or would otherwise protect us from any such liabilities or damages with respect to any particular claim. In addition, while we maintain insurance coverage to cover potential financial losses, we cannot be certain that such coverage will continue to be available on acceptable terms or in sufficient amounts to cover potential financial losses from a security incident or that an insurer will not deny coverage as to any future claim. In addition, while we maintain insurance coverage, we cannot be certain that such coverage will continue to be available on acceptable terms or 19Table of Contentsin sufficient amounts to cover potential losses from a security incident or that an insurer will not deny coverage as to any future claim.
We may lose key members of our management team or qualified employees or may not be able to attract and retain the employees we need.
There is increasingly intense competition for talent in the technology industry. Our success depends substantially upon the continued services of our management team, particularly our chief executive officer, chief operating officer and the other members of our executive staff. From time to time in the ordinary course of business, there have been and may continue to be changes in our management team. While we seek to manage these transitions carefully, such changes may result in a loss of institutional knowledge and negatively affect our business.
In the highly competitive technology industry, we face ongoing challenges in attracting and retaining top talent across various roles, such as product development and engineering (particularly with AI and machine learning backgrounds), sales, operations and cybersecurity. These key individual contributors are critical to our success, can command very significant compensation in the market and are actively recruited by our key competitors. These key individual contributors are critical to our success and can command very significant compensation in the market. Our ability to achieve significant revenue growth may depend on our success in recruiting, training and retaining sufficient qualified personnel to support our growth. We have faced and may continue to face difficulties attracting, hiring and retaining highly-skilled, qualified personnel and may not be able to fill positions in desired geographic areas or at all. Further, as we continue to grow and expand our workforce globally, we may face operational and workplace culture challenges that could negatively impact our ability to maintain the effectiveness of our business execution and the beneficial aspects of our corporate culture. While our work model, where a substantial portion of our employees work partially or fully remote, increased our access to talent, we may not be able to take advantage of a broader talent pool if our competitors offer the same work model or if we continue to rely on our primary operating locations for talent. We are continually evaluating and, as appropriate, enhancing the attractiveness of our compensation packages and benefit programs. As a result, we have experienced and may continue to
21
experience increased costs that may not be offset by either improved productivity or higher sales, potentially resulting in a reduction in our profitability. In addition, we grant equity awards to our employees and sustained declines in our stock price or lower stock price performance relative to our competitors reduces the retention value of such awards, which can impact the competitiveness of our compensation. Many of our employees, including all of our executive officers, are employed “at-will” and may terminate their employment with us at any time. If we fail to attract qualified, new personnel or fail to retain and motivate our current personnel, our business and future growth prospects could be adversely affected.
Delays in the release of, or actual or perceived defects in, our products may slow the adoption of our latest technologies, reduce our ability to efficiently provide services, decrease customer satisfaction, and adversely impact future product sales.
We must successfully continue to release new products and updates to existing products. The success of any release depends on a number of factors, including our ability to manage the risks associated with actual or perceived quality or other defects or deficiencies, delays in the timing of releases or the adoption of releases by customers, and other complications that may arise during the early stages of introducing our products. If releases are delayed or if customers perceive that our releases contain bugs or other defects or are difficult to implement, customer adoption of our new products or updates may be adversely impacted, customer satisfaction may decrease, our ability to efficiently provide our services may be reduced, and our growth prospects may be harmed.
Disruptions or defects in our services could damage our customers’ businesses, subject us to substantial liability and harm our business.
Our business depends on our platform to be available without disruption. From time to time, we have experienced and expect to continue to experience defects, disruptions, outages and other performance and quality problems with our platform. New defects may be detected in the future and may arise from our increasing use of the public cloud. For example, we provide regular updates to our services, which can contain undetected defects. Defects may also be introduced by our use of third-party software, including open-source software. Disruptions may result from errors we make in developing, delivering, configuring or hosting our services, or designing, installing, expanding or maintaining our cloud infrastructure. Disruptions in service can also result from incidents outside of our control, including third-party incidents or denial of service or ransomware attacks, among others. Disruptions in service can also result from incidents that are outside of our control, including denial of service or ransomware attacks. We currently serve our customers primarily using equipment managed by us and co-located in third-party data centers operated by several different providers located around the world, and we serve certain of our customers using data center facilities operated by public cloud service providers. We currently serve our customers primarily using equipment managed by us and co-located in third-party data centers operated by several different providers located around the world, and we serve certain of our customers that are primarily in highly regulated markets, using data center facilities operated by public cloud service providers. These data centers are vulnerable to damage or interruption from earthquakes, hurricanes, floods, fires, power failures and similar events. These data centers are vulnerable to damage or interruption from earthquakes, hurricanes, floods, fires, energy grid constraints resulting in power loss and similar events. They may also be subject to break-ins, sabotage, intentional acts of vandalism and similar misconduct, equipment failure and adverse events caused by operator error or negligence. In addition, an increased use of the public cloud increases our vulnerability to cyberattacks. Despite precautions taken at these centers, problems at these centers have occurred, resulting in interruptions in our services. Despite precautions taken at these centers, problems at these centers have occurred, resulting 20Table of Contentsin interruptions in our services. Such problems could occur again and result in similar or lengthier service interruptions and the loss of customer data. In addition, our customers may use our services in ways that cause disruptions in service for other customers. In addition to data center providers, we also have a large ecosystem of vendors and service providers that we use for our products. If there is a compromise to data, supply chain issue or other incident with our critical service providers, it may impact our ability to provide our services and reduce our productivity. Our customers use our services to manage important aspects of their businesses, and our reputation and business will be adversely affected if our customers and potential customers believe our services are unreliable. Disruptions or defects in our services may reduce our revenues, cause us to issue credits or pay penalties, subject us to claims and litigation, cause our customers to delay payment or terminate or fail to renew their subscriptions, and adversely affect our ability to attract new customers. Similarly, customers may have unique requirements for system resiliency and performance depending on their business models and customers in highly regulated markets may have more demanding requirements that we may not be able to, or may not choose to, meet. The occurrence of payment delays, service credit, warranty or termination for material breach or other claims against us could result in an increase in our bad debt expense, an increase in collection cycles, an increase to our service level credit accruals, other increased expenses or risks of litigation. We may not have insurance sufficient to compensate us for potentially significant losses that may result from claims arising from disruptions to our services.
Delays in improving our information systems and processes could interfere with our ability to support our existing and growing customer and employee base as we scale.
We rely on our information systems and those of third parties to operate and scale our business. As the information we rely on for our business evolves, including as a result of implementing AI technologies, our information systems, including their infrastructure needs, network capacity and computing power, may need to expand. We have made and continue to make investments to improve our information systems to support the needs of our growing customer and employee base, increase productivity, develop and enhance our services, expand into new geographic areas, and scale with
22
our overall growth. Such improvements are often complex, costly, and time consuming. If implementation of these improvements is delayed, or if we encounter unforeseen problems when migrating away from our existing systems and processes, our operations and our ability to manage our business could be negatively impacted. This might lead to disruptions to our operations, loss of customers, loss of revenue, or damage to our reputation, all of which could harm our business plan to successfully scale our operations and enhance productivity.
We may not be able to protect or enforce our intellectual property rights.
Our success depends significantly on our ability to protect our proprietary technology and our brand under patent, copyright, trademark, trade secret and other IP protections in the U.S. and other jurisdictions. The IP protection we have for our technology may be insufficient, and any IP acquired in the future may not provide competitive advantages or other value. The IP protection we have for our technology may not provide sufficient protection, and any IP acquired in the future may not provide 21Table of Contentscompetitive advantages or other value. In addition, our IP may be contested, circumvented, found unenforceable or invalidated, and we may not be able to prevent third parties from infringing upon them. Further, legal standards relating to the validity, enforceability and scope of protection of IP rights vary.
Despite our efforts to protect our proprietary rights, policing unauthorized use of our IP and technology is difficult, and we may be required to spend significant resources to monitor and protect our IP rights. Unauthorized parties may attempt to copy or obtain and use, or may have copied or obtained and used, our technology to develop products and services that provide features and functionality similar to ours. Our competitors could also independently develop services equivalent to ours, and our IP rights may not be broad enough for us to prevent competitors from utilizing their developments to compete with us. Reverse engineering, unauthorized copying or other misappropriation of our proprietary technology could enable third parties to benefit from our technology without paying us for it. We may initiate claims or litigation against third parties for infringement or misappropriation of our proprietary rights or to establish the validity of our proprietary rights. We have initiated and, in the future, may initiate claims or litigation against third parties for infringement or misappropriation of our proprietary rights or to establish the validity of our proprietary rights. However, we may be adversely affected if we are unable to prevent third parties from infringing upon or misappropriating our IP rights or are required to incur substantial costs defending our IP rights.
Third parties may challenge or invalidate our IP rights through administrative proceedings, litigation or allowing contractual rights to expire. There is considerable patent and other IP development activity and claims and related litigation regarding patent and IP rights in our industry.There is considerable patent and other IP development activity and claims and related litigation regarding patent and IP rights in our industry. Our competitors, other third parties, including practicing entities and non-practicing entities, own large numbers of patents, copyrights, trademarks and trade secrets, which they may use and have used to assert claims of infringement, misappropriation or other violations of IP rights against us. Moreover, the patent portfolios of many of our competitors and other third parties may be larger than ours. This disparity may increase the risk that our competitors or other third parties may sue us for patent infringement and may limit our ability to counterclaim for patent infringement or settle through patent cross-licenses. We have recorded material charges for legal settlements of such claims in the past. Further, upon expiration of any agreements that allow us to use third-party IP, we may be unable to renew such agreements on favorable terms, if at all, in which case we may face IP litigation or may need to cease offering or to modify our products and services to remove such components. In addition, our subscription agreements generally require us to defend our customers against claims that our technology infringes the intellectual property rights of third parties.
Any claim or litigation, whether or not resolved in our favor, could result in significant expense to us, divert the efforts of our personnel and may result in counterclaims against us. If claims are successfully asserted against us and we are found to be infringing upon, misappropriating or otherwise violating the IP rights of others, we could be required to pay substantial damages and/or make substantial ongoing royalty payments; comply with an injunction and cease offering or modify our products and services; comply with other unfavorable terms, including settlement terms; and indemnify our customers and business partners, obtain costly licenses on their behalf, and/or refund fees or other payments previously paid to us. Further, the mere existence of any lawsuit, or any interim or final outcomes, and the public statements related to it (or absence of such statements) by the press, analysts and litigants could be unsettling to our customers and prospective customers. The mere existence of any lawsuit, or any interim or final outcomes, and the public statements related to it (or absence of such statements) by the press, analysts and litigants could be unsettling to our customers and prospective customers. This could adversely impact our customer satisfaction and related renewal rates, cause us to lose potential sales, and could also be unsettling to investors or prospective investors and cause a substantial decline in our stock price.
Effective patent, trademark, copyright and trade secret protection may not be available in every country in which we offer services. Effective patent, trademark, copyright and trade secret protection may not be available in every country in which we offer services. The laws of some foreign countries may not offer effective protection for, or be as protective of, IP rights as those in the U.S., and mechanisms for enforcement of IP rights or available remedies may be inadequate, ineffective or scarce. Additionally, the IP ownership and license rights of new technologies and the use of outputs therefrom, such as AI, which we are increasingly building into our product offerings, have not been fully addressed by U.S. courts interpreting current and new laws or regulations, and the use or adoption of such technologies in our products and services may expose us to potential intellectual property claims; breach of a data license, software license, or website terms of service allegations; claimed violations of privacy rights; and other tort claims. If such laws or regulations require increased transparency, it may impair protection of our trade secrets or other IP.
23
Our use of open-source software could harm our ability to sell our products and services and subject us to possible litigation.
Our products incorporate software licensed to us by third-party authors under open-source licenses, and we expect to continue to incorporate open-source software into our products and services in the future. We monitor our use of open-source software to avoid subjecting our products and services to adverse licensing conditions. We monitor our use of open-source software in an effort to avoid subjecting our products and services to adverse licensing conditions. However, there can be no assurance that our efforts have been or will be successful. There is little or no legal precedent governing the interpretation of the terms of open-source licenses, and therefore the potential impact of these terms on our business is uncertain and enforcement of these terms may result in unanticipated obligations regarding our products and services. For example, depending on which open-source license governs certain open-source software included within our products and services, we may be subjected to conditions requiring us to offer our products and services to users at no cost; make available the source code for modifications and derivative works based upon, incorporating or using such open-source software; and license such modifications or derivative works under the terms of the particular open-source license. Moreover, if an author or other third party that distributes such open-source software were to allege that we had not complied with the conditions of one or more of these licenses, we could be required to incur significant legal costs defending ourselves against such allegations, be subject to significant damages or be enjoined from distributing our products and services.
Various factors, including our customers’ business, integration, migration, compliance and security requirements, or errors by us, our partners, or our customers, may cause implementations of our products to be delayed, inefficient or otherwise unsuccessful.
Our business depends upon the successful implementation of our products by our customers either through us or our partners. Further, our customers’ business, integration, migration, compliance and security requirements, or errors by us, our partners, or our customers, or other factors may cause implementations to be delayed, inefficient or otherwise unsuccessful. As a result of these and other risks, we or our customers may incur significant implementation costs in connection with the purchase, implementation and enablement of our products. Some customer implementations may take longer than planned, delay our ability to sell additional products or fail to meet our customers’ expectations, resulting in customers canceling or failing to renew their subscriptions before our products have been fully implemented. Some customers may lack the internal resources to manage a digital transformation such as our offering and, as a consequence, may be unable to see the benefits of our products. Unsuccessful, lengthy, or costly implementations and integrations could result in claims from customers, reputational harm, and opportunities for competitors to displace our products.
Our failure or perceived failure to achieve our ESG goals or maintain ESG practices that meet evolving stakeholder expectations could adversely affect us.
Our ability to achieve published environmental, social, and governance (“ESG”) initiatives, goals and commitments is subject to numerous factors both within and outside of our control. Our failure or perceived failure to achieve our ESG goals or maintain ESG practices that meet evolving stakeholder expectations or regulatory requirements could harm our reputation, adversely impact our ability to attract and retain employees or customers and expose us to increased scrutiny from the investment community, regulatory authorities and others or subject us to liability. Our failure or perceived failure to achieve some or all of our ESG goals or maintain ESG practices that meet evolving stakeholder expectations or regulatory requirements could harm our reputation, adversely impact our ability to attract and retain employees or customers and expose us to increased scrutiny from the investment community, regulatory authorities and others or subject us to liability. Our reputation also may be harmed by the perceptions that our customers, employees and other stakeholders have about our action or inaction on ESG issues. Damage to our reputation and loss of brand equity may reduce demand for our products and services. Damage to our reputation and loss of brand equity may reduce demand for our products and services and thus have an adverse effect on our future financial results or stock price.
We may face natural disasters, including climate change, and other events beyond our control.
Natural disasters or other catastrophic events may damage or disrupt our operations, international commerce and the global economy, and thus could have a negative effect on our business. Our business operations are subject to interruption by natural disasters, flooding, fire, extreme heat, power shortages, pandemics, terrorism, political unrest, telecommunications failure, vandalism, cyberattacks, geopolitical instability, war, the effects of climate change and other events beyond our control. Our business operations are subject to interruption by natural disasters, flooding, fire, extreme heat, power shortages, pandemics such as COVID-19, terrorism, political unrest, telecommunications failure, vandalism, cyberattacks, geopolitical instability, war, the effects of climate change and other events beyond our control. While we maintain crisis management and disaster response plans, such planning may not account for all possible events and the occurrence of such events could make it difficult or impossible for us to deliver our services to our customers, could decrease demand for our services, and could cause us to incur substantial expense. Our insurance may not be sufficient to cover losses or additional expenses we may sustain. In the event of major natural disasters or catastrophic events, our backup systems could fail, customer data could be lost, and resumption of operations could require significant time. Although we have backup systems in place, in the event of major natural disasters or catastrophic events, customer data could be lost, and resumption of operations could require significant time.
We may be subject to increased costs, regulations, reporting requirements, standards or expectations regarding climate change-driven impacts on our business. While we seek to mitigate our business risks associated with climate change by establishing robust environmental programs as part of our ESG strategy, certain of those risks are inherent wherever business is conducted. While we seek to mitigate our business risks associated with climate change by establishing robust environmental programs as part of our ESG strategy and partnering with organizations that are focused on mitigating their own climate-related risks, certain of those risks are inherent wherever business is conducted. Any of our primary locations may be vulnerable to the adverse effects of climate change. For example, our California headquarters have experienced, and may continue to experience, climate-related events at an
24
increasing frequency and severity, including drought, water scarcity, heat waves, wildfires and air quality impacts and power shutoffs associated with wildfires. Changing market dynamics, global policy developments and increasing frequency and impact of extreme weather events on critical infrastructure in the U.S. and elsewhere have the potential to disrupt our business, the business of our customers and third-party suppliers and may cause us to experience higher attrition, losses and additional costs to maintain or resume operations.
Risks Related to the Financial Performance or Financial Position of Our Business
Because we generally recognize revenues from our subscription service over the subscription term, a decrease in new subscriptions or renewals may not be immediately reflected in our operating results.
We generally recognize revenues from customers ratably over the terms of their subscriptions. Net new annual contract value from new subscriptions and expansion contracts entered into during a period can generally be expected to generate revenues for the duration of the subscription term. As a result, a significant portion of the revenues we report in each period are derived from the recognition of deferred revenues relating to subscriptions entered into during previous periods. Consequently, a decrease in new or renewed subscriptions, expansion contracts in any single reporting period will have a limited impact on our revenues for that period, but they will negatively affect our operating results in future periods. Our subscription model also makes it difficult for us to rapidly increase our revenues through additional sales in any period, as revenues from new customers are generally recognized over the applicable subscription term. Also, our ability to adjust our cost structure in the event of a decrease in new or renewed subscriptions may be limited.
As our business grows, we expect our revenue growth rate to decline over the long term.
You should not rely on our prior revenue growth rate as an indication of our future revenue growth rate.You should not rely on our prior revenue growth as an indication of our future revenue growth. While we have experienced significant revenue growth in prior periods, we expect the growth rate to decline over the long term due to increasing competition, a decrease in the growth rate of our overall market or other reasons. While we have experienced significant revenue growth in prior periods, we expect it to decline over the long term due to increasing competition, a decrease in the growth rate of our overall market or other reasons. We also expect our costs to increase in future periods as we continue to invest in our strategic priorities, which may not result in a corresponding increase in revenues or growth in our business. We also expect our costs to increase in 23Table of Contentsfuture periods as we continue to invest in our strategic priorities, which may not result in increased revenues or growth in our business.
Changes in our effective tax rate or disallowance of our tax positions may adversely affect our business.
We are subject to income taxes in the U.S. and various foreign jurisdictions. We believe that our provision for income taxes is reasonable, but the ultimate tax outcome may differ from the amounts recorded in our consolidated financial statements and may materially affect our financial results in the period or periods in which such outcome is determined. Our effective tax rate could be adversely affected by changes in statutory tax rates, changes in the mix of earnings and losses in countries with differing statutory tax rates, certain non-deductible expenses, the valuation of deferred tax assets and liabilities and the effects of acquisitions. Increases in our effective tax rate would reduce our profitability or in some cases increase our losses.
Additionally, our future effective tax rate could be impacted by changes in accounting principles or changes in federal, state or international tax laws or tax rulings and these changes may have a retroactive effect.Additionally, our future effective tax rate could be impacted by changes in accounting principles or changes in federal, state or international tax laws or tax rulings. The U.S. Department of Treasury has broad authority to issue regulations and interpretative guidance that may significantly impact how we will comply with the law, which could affect our results of operations in the period issued. Many countries are actively considering or have proposed or enacted changes to their tax laws based on the model rules adopted by the Organisation for Economic Co-operation and Development (“OECD”) defining a 15% global minimum tax (commonly referred to as Pillar 2). Many countries are actively considering or have proposed or enacted changes to their tax laws based on the model rules adopted by The Organization for Economic Cooperation and Development defining a 15% global minimum tax (commonly referred to as Pillar 2) that could increase our tax obligations in countries where we do business or cause us to change the way we operate our business. Pillar 2 rules are at varying stages of adoption across jurisdictions where we operate. The timeline to implement these rules and the specific rules vary by jurisdiction. The adoption of Pillar 2 rules may affect our effective tax rate and current tax obligations and liabilities. While we do not currently anticipate Pillar 2 rules to have a material impact on our consolidated financial statements, we are monitoring developments from the OECD, governmental bodies, such as the EU, and intergovernmental economic organizations, to evaluate the impact of changing global tax laws. Global tax developments applicable to multinational businesses and increased scrutiny under tax examinations, as well as changes in federal, state or international tax laws or rulings that may increase our worldwide effective tax rate, could have a material impact on our business. Global tax developments applicable to multinational businesses and increased scrutiny under tax examinations could have a material impact on our business and negatively affect our financial results.
In addition, we may be subject to income tax audits by tax jurisdictions throughout the world, many of which have not established clear guidance on the tax treatment of cloud computing companies. Although we believe our income tax liabilities are reasonably estimated and accounted for in accordance with applicable laws and principles, an adverse resolution of one or more uncertain tax positions in any period could have a material impact on our results of operations for that period. Further, many of our most important intangible assets are held outside the U.S. and are subject to inter-company agreements regarding the development and distribution of those assets to other jurisdictions with potential challenge under permanent establishment or transfer pricing principles. While we believe that our position is appropriate
25
and well founded, if our position were successfully challenged by taxing authorities in other jurisdictions, we may become subject to significant tax liabilities.
We may be adversely affected by our debt service obligations.
Our ability to make payments on, repay or refinance the 2030 Notes in the future will depend on our future performance which is subject to a variety of risks and uncertainties, many of which are beyond our control. If we decide to refinance the 2030 Notes, we may be required to do so on different or less favorable terms or we may be unable to refinance the 2030 Notes at all, both of which may adversely affect our financial condition. Maintenance of our indebtedness, contractual restrictions, and additional issuances of indebtedness could:
•cause us to dedicate a substantial portion of our cash flows towards debt service obligations and principal repayments;
•increase our vulnerability to adverse changes in general economic, industry and competitive conditions;
•limit our flexibility in planning for, or reacting to, changes in our business and our industry;
•impair our ability to obtain future financing for working capital, capital expenditures, acquisitions, general corporate or other purposes; and
•due to limitations within the debt instruments, restrict our ability to grant liens on property, enter into certain mergers, dispose of all or substantially all of our or our subsidiaries’ assets, taken as a whole, materially change our business or incur subsidiary indebtedness, subject to customary exceptions.
We are required to comply with the covenants set forth in the indentures governing the 2030 Notes. Our ability to comply with these covenants may be affected by events beyond our control. If we breach any of the covenants and do not obtain a waiver from the note holders or lenders, then, subject to applicable cure periods, any outstanding indebtedness may be declared immediately due and payable. In addition, changes by any rating agency to our credit rating may negatively impact the value and liquidity of our securities. Downgrades in our credit ratings could restrict our ability to obtain additional financing in the future and could affect the terms of any such financing.
Risks Related to General Economic and Political Conditions
Our industry and business may be harmed by global economic and political conditions.
We operate globally and as a result, our business, revenues and profitability are impacted by global macroeconomic and political conditions. The success of our activities is affected by general economic and market conditions, including, among others, inflation, interest rates, tax rates, foreign exchange rates, economic downturns, recession, economic uncertainty, political instability, warfare, changes in laws, trade barriers, supply chain disruptions and economic and trade sanctions. The U.S. capital markets experienced and continue to experience extreme volatility and disruption. Furthermore, inflation rates in the U.S. and other key markets have recently increased to levels not seen in decades resulting in federal action to increase interest rates, affecting capital markets. Such economic volatility could adversely affect our business, financial condition, results of operations and cash flows, and future market disruptions could negatively impact us. These unfavorable economic conditions could increase our operating costs and, because our typical contracts with customers lock in our price for a few years, our profitability could be negatively affected. Geopolitical destabilization and warfare have impacted and may continue to impact global currency exchange rates, commodity prices, energy markets, trade and movement of resources, which may adversely affect the buying power of our customers, our access to and cost of resources from our suppliers, and ability to operate or grow our business. In addition, from time to time, the U.S. and other key international economies have been impacted and may continue to be impacted by geopolitical and economic instability, high levels of credit defaults, international trade disputes, changes in demand for various goods and services, high levels of persistent unemployment, wage and income stagnation, restricted credit, poor liquidity, reduced corporate profitability, volatility in credit, equity and foreign exchange markets, inflation, bankruptcies, international trade agreements, export controls, economic and trade sanctions, health crises and overall economic uncertainty. These conditions can arise suddenly and affect the rate of digital transformation spending and could adversely affect our customers’ or prospective customers’ ability or willingness to purchase our services, delay purchasing decisions, reduce the value or duration of their subscriptions, or affect renewal rates.
We may be harmed by foreign currency exchange rate fluctuations.
We conduct significant transactions, including revenue transactions and intercompany transactions, in currencies other than the U.S. Dollar or the functional operating currency of the transactional entities. In addition, our international subsidiaries maintain significant net assets that are denominated in the functional operating currencies of these entities. Accordingly, changes in the value of currencies relative to the U.S. Dollar have impacted and may continue to impact our consolidated revenues and operating results due to transactional and translational remeasurement that is reflected in our earnings. It is particularly difficult to forecast any impact from exchange rate movements. Unanticipated currency
26
fluctuations have adversely affected and could continue to adversely affect our financial results or cause our results to differ from investor expectations or our own guidance in any future periods. Volatility in foreign currency exchange rates and global financial markets is expected to continue due to political and economic uncertainty globally. Volatility in exchange rates and global financial markets is expected to continue due to political and economic uncertainty globally.
We use derivative instruments, such as foreign currency forward contracts, to hedge exposures that certain of our balance sheet and income statement items have to changes in foreign currency exchange rates.We use derivative instruments, such as foreign currency forwards, to hedge exposures that certain of our balance sheet items have to changes in foreign currency rates. These hedging contracts have reduced and may continue to reduce, but they have not and cannot entirely eliminate, the impact of adverse foreign currency exchange rate movements. To the extent that the counterparties of our hedging contracts fail to perform or fulfill their obligations, we may not receive the anticipated benefit of those arrangements. Further, unanticipated changes in foreign currency exchange rates may result in poorer overall financial performance than if we had not engaged in any hedging transactions, as the hedging instrument we use may not be aligned with the exposures being hedged. Further, unanticipated changes in currency exchange rates may result in poorer overall financial performance than if we had not engaged in any such hedging transactions as we may not be able to establish a perfect correlation between such hedging instruments and the exposures being hedged.
Risks Related to Ownership of Our Common Stock
Our stock price is likely to continue to be volatile.
Our stock price is likely to continue to be volatile and subject to wide fluctuations. In addition, technology companies in general have highly volatile stock prices, and the volatility in stock price and trading volume of securities is often unrelated or disproportionate to the financial performance of the companies issuing the securities. Factors affecting our stock price, some of which are beyond our control, include, among other factors:
•changes in the estimates of our operating results, revenue growth, or changes in recommendations by securities analysts;
•changes in the average contract term of our customer agreements, timing of renewals and renewal rates;
•our ability to meet our financial guidance or financial performance expectations of the securities analysts or investors;
•announcements of new products, services or technologies, new applications or enhancements to services, strategic alliances, acquisitions, or other significant events by us or by our competitors;
•fluctuations in company valuations, such as high-growth or cloud companies, perceived to be comparable to us;
•changes to our management team;
•trading activity by directors, executive officers and significant shareholders, or the market’s perception that large shareholders intend to sell their shares;
•the inclusion, exclusion, or removal of our stock from any major trading indices;
•the size of our market float;
•the trading volume of our common stock, including sales following the exercise of outstanding options or vesting of equity awards;
•our issuance or repurchase of shares of our common stock;
•changes in laws or regulations impacting the delivery of our services;
•significant litigation or regulatory actions;
•the amount and timing of customer payments, payment defaults, operating costs and capital expenditures
•the amount and timing of equity awards and the related financial statement expenses;
•the impact of new accounting pronouncements;
•the inability to conclude that our internal controls over financial reporting are effective;
•our ability to accurately estimate the total addressable market for our products and services; and
•overall performance of the equity markets.
Following periods of volatility in the market price of a company’s securities, securities class action litigation has often been brought against that company. Securities litigation could result in substantial costs and divert management’s attention and resources from our business.
Provisions in our governing documents or Delaware law might discourage, delay or prevent a change of control or changes in our management and, therefore, depress our stock price.Provisions in our governing documents, Delaware law or 2030 Notes might discourage, delay or prevent a change of control or changes in our management and, therefore, depress our stock price.
Our certificate of incorporation and bylaws contain provisions that could depress our stock price by acting to discourage, delay or prevent a change in control or changes in our management that our shareholders may deem advantageous. These provisions, among other things:
•permit our board to establish the number of directors;
•require super-majority voting to amend certain provisions in our certificate of incorporation and bylaws;
•authorize issuance of “blank check” preferred stock that our board could use to implement a shareholder rights plan;
•prohibit shareholder action by written consent, which requires all shareholder actions to be taken at a meeting;
•permit our board to make, alter or repeal our bylaws; and
27
•require advance notice for shareholders to submit director nominations or other business at annual shareholders meetings (although our bylaws permit shareholders proxy access).
Further, Section 203 of the Delaware General Corporation Law may discourage, delay or prevent a change in control of our company. Section 203 imposes certain restrictions on merger, business combinations and other transactions between us and certain shareholders.
28
| ITEM 1B. | UNRESOLVED STAFF COMMENTS | ||||
None.
29
ITEM 1C. | CYBERSECURITY | ||||
Risk Management and Strategy
Collaboration
Our cybersecurity risks are identified and addressed through a comprehensive, cross-functional approach. Key security, risk, and compliance stakeholders meet regularly to develop strategies for preserving the confidentiality, integrity and availability of Company and customer information, identifying, preventing and mitigating cybersecurity threats, and effectively responding to cybersecurity incidents. We maintain controls and procedures that are designed to ensure prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and the Board in a timely manner.
Risk Assessment
At least annually, we conduct a cybersecurity risk assessment that takes into account information from internal stakeholders, known information security vulnerabilities, and information from external sources (e.g., reported security incidents that have impacted other companies, industry trends, and evaluations by third parties and consultants). The results of the assessment are used to drive alignment on, and prioritization of, initiatives to enhance our security controls, make recommendations to improve processes, and inform a broader enterprise-level risk assessment that is presented to our Board , Audit Committee and members of management.
Technical Safeguards
We regularly assess and deploy technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence and incident response experience.
Incident Response and Recovery Planning
We have established comprehensive incident response and recovery plans and continue to regularly test and evaluate the effectiveness of those plans. Our incident response and recovery plans address — and guide our employees, management and the Board on — our response to a cybersecurity incident.
30
Education and Awareness
Our policies require each of our employees to contribute to our data security efforts. We regularly remind employees of the importance of handling and protecting customer and employee data, including through annual privacy and security training to enhance employee awareness of how to detect and respond to cybersecurity threats.
External Assessments
Governance
Board Oversight
Management’s Role
The following individuals have primary responsibility for assessing and managing cybersecurity risks:
•Chief customer officer (“CCO”), who oversees the digital transformation, digital technology and security functions
•Chief digital information officer (“CDIO”), who oversees enterprise-wide digital transformation
•Chief information security officer (“CISO”), who oversees the security function and reports to the CCO
•Chief technology officer (“CTO”), who oversees product engineering and advanced technologies
Our CCO has served in various roles in information technology and information security for over 20 years, including serving as our Chief Information Officer (“CIO”) and either the Chief Technology Officer or CIO of three other public companies. He holds an undergraduate degree in computer engineering. Our CDIO has served in various roles in information technology for over 20 years, including serving as our Senior Vice President of Digital Technology Experience and in similar senior roles at two other public companies. Our CIO has served in various roles in information technology and information security for over 20 years, including serving as the Chief Information Officer or Chief Technology Officer of three other public companies. Our CISO has served in various roles in information technology
31
32
Recently Filed
Click on a ticker to see risk factors
| Ticker * | File Date |
|---|---|
| PYPL | 10 hours ago |
| HMMR | 10 hours ago |
| OTIS | 10 hours ago |
| PEAK | 11 hours ago |
| SLAB | 12 hours ago |
| DOW | 19 hours ago |
| BKR | 20 hours ago |
| PEP | 1 day, 9 hours ago |
| FCFS | 1 day, 10 hours ago |
| RTX | 1 day, 10 hours ago |
| KREF | 1 day, 10 hours ago |
| BA | 1 day, 13 hours ago |
| GE | 1 day, 21 hours ago |
| JVA | 4 days, 10 hours ago |
| ISRG | 4 days, 10 hours ago |
| INTC | 4 days, 10 hours ago |
| CMCSA | 4 days, 11 hours ago |
| TMUS | 4 days, 11 hours ago |
| SKKY | 4 days, 11 hours ago |
| X | 4 days, 15 hours ago |
| CHTR | 4 days, 20 hours ago |
| NOC | 5 days, 11 hours ago |
| NOBH | 5 days, 12 hours ago |
| SIRI | 5 days, 18 hours ago |
| NOW | 6 days, 5 hours ago |
| TSLA | 6 days, 6 hours ago |
| META | 6 days, 7 hours ago |
| CCS | 6 days, 7 hours ago |
| BRID | 6 days, 10 hours ago |
| FLUX | 6 days, 10 hours ago |
| SVBL | 6 days, 10 hours ago |
| PBSV | 6 days, 10 hours ago |
| URI | 6 days, 11 hours ago |
| MXL | 6 days, 11 hours ago |
| LEVI | 6 days, 11 hours ago |
| OCEL | 6 days, 11 hours ago |
| FREVS | 6 days, 18 hours ago |
| CODA | 6 days, 20 hours ago |
| JEF | 1 week ago |
| NRIX | 1 week ago |
| LMT | 1 week ago |
| CRGH | 1 week ago |
| GM | 1 week ago |
| CNXC | 1 week ago |
| CCL | 1 week, 1 day ago |
| MULN | 1 week, 4 days ago |
| KBH | 1 week, 4 days ago |
| SNX | 1 week, 4 days ago |
| LEN | 1 week, 5 days ago |
| MKC | 1 week, 5 days ago |
