EPAM Systems Inc.: 10-K Risk Factor Changes

A substantial portion of our customers are concentrated in five specific industry verticals: Financial Services; Software & Hi-Tech; Business Information & Media; Travel & Consumer; and Life Sciences & Healthcare. Our business growth largely depends on continued demand for our services from customers in these five industry verticals and other industries that we target or may target in the future, and also depends on trends in these industries to outsource the type of services we provide. A downturn in any of our targeted industries, a slowdown or reversal of the trend to outsource IT services in any of these industries or the introduction of regulations that restrict or discourage companies from outsourcing could result in a decrease in the demand for our services and could have a material adverse effect on our business, financial condition and results of operations. Some of our customers in the Software & Hi-Tech industry vertical have experienced lay-offs, depressed stock prices, higher borrowing costs, and lower consumer spending on technology products and services which has resulted in reduced spending on our and other outsourced services. Other developments in the industries in which we operate may increase the demand for lower cost or lower quality IT services and decrease the demand for our services or increase the pressure our customers put on us to reduce pricing. We may not be able to successfully anticipate and prepare for any such changes, which could adversely affect our results of operations. Furthermore, developments in the industries we serve could shift customer demand to new services, solutions or technology. If our customers demand new services, solutions or technologies, we may be less competitive in these new areas or may need to make significant investments to meet that demand. Additionally, as we expand into serving new industry verticals, our solutions and technology may be used by, or generally affect, a broader base of customers and end users, which may expose us to new business and operational risks.

A substantial portion of our customers are concentrated in five specific industry verticals: Financial Services; Software & Hi-Tech; Business Information & Media; Travel & Consumer; and Life Sciences & Healthcare. Our business growth largely depends on continued demand for our services from customers in these five industry verticals and other industries that we target or may target in the future, and also depends on trends in these industries to outsource the type of services we provide. A downturn in any of our targeted industries, a slowdown or reversal of the trend to outsource IT services in any of these industries or the introduction of regulations that restrict or discourage companies from outsourcing could result in a decrease in the demand for our services and could have a material adverse effect on our business, financial condition and results of operations. Our customers in the Financial Services industry vertical that depend on the steady functioning of the global capital and credit markets may be particularly susceptible to the adverse effects of a threatened or actual U.S. sovereign debt default, which could cause those customers to reduce spending on our services. Other developments in the industries in which we operate may increase the demand for lower cost or lower quality IT services and decrease the demand for our services or increase the pressure our customers put on us to reduce pricing. We may not be able to successfully anticipate and prepare for any such changes, which could adversely affect our results of operations. Furthermore, developments in the industries we serve could shift customer demand to new services, solutions or technology. If our customers demand new services, solutions or technologies, we may be less competitive in these new areas or may need to make significant investments to meet that demand. Additionally, as we expand into serving new industry verticals, our solutions and technology may be used by, or generally affect, a broader base of customers and end users, which may expose us to new business and operational risks. 16 16 16 16 16 16 Table of Contents Table of Contents Table of Contents

Wages for technology professionals in the emerging markets where we have significant operations and delivery centers are lower than comparable wages in more developed countries. However, wages in general, and in the technology industry in emerging markets in particular, have increased at a faster rate than in the past, which will make us less competitive if we are not able to increase the efficiency and productivity of our people. If we increase operations and hiring in more developed economies, our compensation expenses will increase because of the higher wages demanded in those markets. Wage inflation, whether driven by competition for talent, ordinary course pay increases, or broader market forces, all increase our cost of providing services and reduce our profitability when we are not able to pass those costs on to our customers or adjust prices when justified by market demand. We expect to continue granting equity-based awards under our stock incentive plans and paying other stock-based compensation. There are significant expenses associated with issuing stock-based compensation under our equity incentive plans, but if we reduce the amount or value of equity award grants, we may not be able to attract and retain key personnel. Conversely, if we grant more or higher value equity awards to attract and retain key personnel, our equity compensation expenses could materially adversely affect our results of operations. Regulations restricting equity compensation, volatility in our stock, and dilution to our stockholders diminishes our use and the value of equity-based awards and puts us at a competitive disadvantage or causes us to reconsider our compensation practices.

Wages for technology professionals in the emerging markets where we have significant operations and delivery centers are lower than comparable wages in more developed countries. However, wages in general, and in the technology industry in these countries in particular, have increased at a faster rate than in the past, which may make us less competitive unless we are able to increase the efficiency and productivity of our people. If we increase operations and hiring in more developed economies, our compensation expenses will increase because of the higher wages demanded by technology professionals in those markets. Wage inflation, whether driven by competition for talent, ordinary course pay increases, or broader market forces, may also increase our cost of providing services and reduce our profitability if we are not able to pass those costs on to our customers or adjust prices when justified by market demand. We expect to continue our practice of granting equity-based awards under our stock incentive plans and paying other stock-based compensation. The expenses associated with stock-based compensation may make issuing equity awards under our equity incentive plans less attractive to us, but if we reduce the amount or value of equity award grants, we may not be able to attract and retain key personnel. Conversely, if we grant more or higher value equity awards to attract and retain key personnel, the equity compensation expenses could materially adversely affect our results of operations. New regulations, volatility in our stock, and dilution to our stockholders could diminish our use and the value of our equity-based awards. This could put us at a competitive disadvantage or cause us to reconsider our compensation practices. 12 12 12 12 12 12 Table of Contents Table of Contents Table of Contents

We enter into foreign currency forward contracts with a number of counterparties. As a result, we are subject to the risk that the counterparty to one or more of these contracts defaults on its performance under the contract. During an economic downturn, the counterparty’s financial condition may deteriorate rapidly and with little notice and we may be unable to take action to protect our exposure. In the event of a counterparty default, we could incur significant losses, which may harm our business and financial condition. In the event that one or more of our counterparties becomes insolvent or files for bankruptcy, our ability to eventually recover any losses suffered as a result of that counterparty’s default may be limited by the liquidity of the counterparty. 23 23 23 23 23 23 Table of Contents Table of Contents Table of Contents

We enter into foreign currency forward contracts with a number of counterparties. As a result, we are subject to the risk that the counterparty to one or more of these contracts defaults on its performance under the contract. During an economic downturn, the counterparty’s financial condition may deteriorate rapidly and with little notice and we may be unable to take action to protect our exposure. In the event of a counterparty default, we could incur significant losses, which may harm our business and financial condition. In the event that one or more of our counterparties becomes insolvent or files for bankruptcy, our ability to eventually recover any losses suffered as a result of that counterparty’s default may be limited by the liquidity of the counterparty.

Our success largely depends on our ability to use and develop our technology, tools, code, methodologies, products, and services without infringing the intellectual property rights, including patents, copyrights, trade secrets and trademarks, of third parties. We may be unaware of intellectual property rights relating to our products or services that may give rise to potential infringement claims against us, including the extensive litigation related to ownership of intellectual property rights associated with the images and text used to train generative AI software. Authors and other copyright holders seek to hold developers of generative AI software liable for using their copyrighted materials without permission and may seek to hold us or our customers liable for contributing to the infringement of their copyrighted materials. If those intellectual property rights are relevant to our service offerings, we may need to license those rights on commercially reasonable terms in order to continue to use the applicable technology. There may also be technologies licensed to and relied on by us that if subject to infringement or misappropriation claims by third parties, may become unavailable to us if such third parties obtain an injunction to prevent us from delivering our services or using technology involving the allegedly infringing intellectual property. If we are unable to license technologies needed for our business, we typically indemnify customers who purchase our products, services and solutions against potential infringement of third-party intellectual property rights, which subjects us to the risk and cost of defending the underlying infringement claims. These claims require us to initiate or defend litigation, which may be costly and protracted, on behalf of our customers, regardless of the merits of these claims, and our indemnification obligations are often not subject to liability limits or exclusion of consequential, indirect or punitive damages. Intellectual property litigation could also divert our management’s attention from our business and existing or potential customers could defer or limit their purchase or use of our software product development services or solutions until we resolve such litigation. If any of these claims succeed, we may be forced to pay damages on behalf of our customers, redesign or cease offering our allegedly infringing products, services, or solutions, or obtain licenses for the intellectual property that such services or solutions allegedly infringe. If we cannot obtain all necessary licenses on commercially reasonable terms, our customers may be forced to stop using our services or solutions. In addition, the existence and ownership of intellectual property rights created by generative AI technologies is currently subject to judicial and legislative review, and many jurisdictions do not recognize the existence of any protectable intellectual property rights in materials created by generative AI. If we are unable to meet our customers’ expectations relating to the ownership of the intellectual property underlying software deliverables, we may face legal liability. We believe AI software developers occasionally indemnify their licensees against intellectual property claims, but we think it is unlikely such indemnification obligations would cover our potential damages, if any. Any of these actions, regardless of the outcome of licensing negotiations, litigation, or merits of the claim, could damage our reputation and materially adversely affect our business, financial condition and results of operations. 20 20 20 20 20 20 Table of Contents Table of Contents Table of Contents

Our success largely depends on our ability to use and develop our technology, tools, code, methodologies, products, and services without infringing the intellectual property rights, including patents, copyrights, trade secrets and trademarks, of third parties. We may be unaware of intellectual property rights relating to our products or services that may give rise to potential infringement claims against us. If those intellectual property rights are potentially relevant to our service offerings, we may need to license those rights in order to continue to use the applicable technology, but the holders of those intellectual property rights may be unwilling to license those rights to us on commercially acceptable terms, if at all. There may also be technologies licensed to and relied on by us that if subject to infringement or misappropriation claims by third parties, may become unavailable to us if such third parties obtain an injunction to prevent us from delivering our services or using technology involving the allegedly infringing intellectual property. We typically indemnify customers who purchase our products, services and solutions against potential infringement of third-party intellectual property rights, which subjects us to the risk and cost of defending the underlying infringement claims. These claims may require us to initiate or defend protracted and costly litigation on behalf of our customers, regardless of the merits of these claims, and our indemnification obligations are often not subject to liability limits or exclusion of consequential, indirect or punitive damages. Intellectual property litigation could also divert our management’s attention from our business and existing or potential customers could defer or limit their purchase or use of our software product development services or solutions until we resolve such litigation. If any of these claims succeed, we may be forced to pay damages on behalf of our customers, redesign or cease offering our allegedly infringing products, services, or solutions, or obtain licenses for the intellectual property that such services or solutions allegedly infringe. If we cannot obtain all necessary licenses on commercially reasonable terms, our customers may be forced to stop using our services or solutions. Any of these actions, regardless of the outcome of litigation or merits of the claim, could damage our reputation and materially adversely affect our business, financial condition and results of operations.

We have significant operations in emerging market economies in Eastern Europe, Latin and South America, India, and certain other Asian countries, all of which are more vulnerable to market and economic volatility than larger and more developed markets and present risks to our business and operations. A majority of our revenues are generated in North America and Western Europe. However, most of our personnel and delivery centers are located in lower cost locations, including emerging markets. This exposes us to foreign exchange risks relating to revenues, compensation, purchases, capital expenditures, receivables and other balance-sheet items. As we continue to leverage and expand our global delivery model into other emerging markets, a larger portion of our revenues and incurred expenses may be in currencies other than U.S. dollars. Currency exchange volatility caused by economic instability or other factors could materially impact our results. See “Item 7A. Quantitative and Qualitative Disclosures About Market Risk.” 13 13 13 13 13 13 Table of Contents Table of Contents Table of Contents The economies of certain emerging market countries where we operate have experienced periods of considerable instability and have been subject to abrupt downturns. We have cash in banks in countries such as Belarus, Ukraine, Kazakhstan, Georgia, Armenia and Uzbekistan, where the banking sector generally does not meet the banking standards of more developed markets, bank deposits made by corporate entities are not insured, and the banking system remains subject to instability and changes in regulations that complicate business transactions. Some of the countries where we operate have sanctioned certain of the banks that we use in the emerging market economies where we also have operations, which has delayed our intercompany payments and could delay or prevent payments to vendors or receipts from customers. Further elongation or escalation of the military conflict in Ukraine could contribute to a banking crisis in Ukraine, Belarus, or the region. A banking crisis, or the bankruptcy or insolvency of banks that receive or hold our funds may result in the loss of our deposits or adversely affect our liquidity and our ability to complete banking transactions in that region. In addition, some countries where we operate may impose regulatory or practical restrictions on the movement of cash and the exchange of foreign currencies within their banking systems, which would limit our ability to use cash across our global operations and increase our exposure to currency fluctuations. Emerging market vulnerability, and especially its impact on currency exchange volatility and banking systems, could have a material adverse effect on our business, financial condition and results of operations.

Our significant operations in emerging market economies in Eastern Europe, Latin and South America, India, and certain other Asian countries are vulnerable to market and economic volatility to a greater extent than more developed markets, which presents risks to our business and operations. A majority of our revenues are generated in North America and Western Europe. However, most of our personnel and delivery centers are located in lower cost locations, including emerging markets. This exposes us to foreign exchange risks relating to revenues, compensation, purchases, capital expenditures, receivables and other balance-sheet items. As we continue to leverage and expand our global delivery model into other emerging markets, a larger portion of our revenues and incurred expenses may be in currencies other than U.S. dollars. Currency exchange volatility caused by economic instability or other factors could materially impact our results. See “Item 7A. Quantitative and Qualitative Disclosures About Market Risk.” The economies of certain emerging market countries where we operate have experienced periods of considerable instability and have been subject to abrupt downturns. We have cash in banks in countries such as Belarus, Russia, Ukraine, Kazakhstan, Georgia, Armenia and Uzbekistan, where the banking sector generally does not meet the banking standards of more developed markets, bank deposits made by corporate entities are not insured, and the banking system remains subject to instability and changes in regulations that complicate business transactions. Russia’s invasion of Ukraine and the resulting sanctions and counter-sanctions against Russia have increased the difficulty in accessing cash held in Russian banks, severely limited our ability to move funds out of Russia, and prolonged or escalating military conflict and further sanctions or counter-sanctions could contribute to a banking crisis in these countries and in Belarus. A banking crisis, or the bankruptcy or insolvency of banks that receive or hold our funds may result in the loss of our deposits or adversely affect our liquidity and our ability to complete banking transactions in that region. In addition, some countries where we operate may impose regulatory or practical restrictions on the movement of cash and the exchange of foreign currencies within their banking systems, which would limit our ability to use cash across our global operations and increase our exposure to currency fluctuations. Emerging market vulnerability, and especially its impact on currency exchange volatility and banking systems, could have a material adverse effect on our business, financial condition and results of operations.

EPAM is subject to the GDPR, the substantially similar U.K. GDPR, the privacy laws of California and other U.S. states, and the privacy laws of the countries where we operate, each of which imposes significant restrictions and requirements relating to the processing of personal data and can include significant financial penalties for non-compliance. These and other state, national and international data protection laws that are or will soon be effective are more burdensome than historical privacy standards, especially in the United States. California’s privacy laws, the U.K. GDPR, and GDPR each established complex legal obligations that organizations must follow with respect to the processing of personal data, including a prohibition on the transfer of personal information to third parties or to other countries, and the imposition of additional notification, security and other control measures. Recent developments in privacy regulations, including the new EU-U.S. Trans-Atlantic Data Privacy Framework, that are designed to secure the transfer of data from the EU to the United States have created significant regulatory uncertainty for businesses transferring data globally. This uncertainty results in increased compliance costs, as well as the risk of regulatory enforcement actions, which can result in significant financial penalties, private lawsuits, reputational damage, blockage of international data transfers, disruption to business, and loss of customers. Enforcement actions taken by data protection authorities, as well as audits, investigations, or lawsuits by one or more individuals, organizations, or foreign government agencies often result in penalties and fines for non-compliance or claims against us seeking damages as a result of a breach of these regulations. The burden of compliance with additional data protection requirements results in significant additional costs, complexity and risk in our services and customers attempt to shift the risks resulting from the implementation of data privacy legislation to us. We are required to establish processes and change certain operations in relation to the processing of personal data as a result of privacy laws, which involves substantial expense and distraction from other aspects of our business. 22 22 22 22 22 22 Table of Contents Table of Contents Table of Contents

EPAM is subject to the GDPR, the substantially similar U.K. GDPR, the privacy laws of California and other U.S. states, and the privacy laws of the countries where we operate, each of which imposes significant restrictions and requirements relating to the processing of personal data. These and other state, national and international data protection laws that are or will soon be effective are more burdensome than historical privacy standards, especially in the United States. California’s privacy laws, the U.K. GDPR, and GDPR each established complex legal obligations that organizations must follow with respect to the processing of personal data, including a prohibition on the transfer of personal information to third parties or to other countries, and the imposition of additional notification, security and other control measures. Enforcement actions taken by data protection authorities, as well as audits or investigations by one or more individuals, organizations, or foreign government agencies could result in penalties and fines for non-compliance or direct claims against us in the event of any loss or damage as a result of a breach of these regulations. The burden of compliance with additional data protection requirements may result in significant additional costs, complexity and risk in our services and customers may seek to shift the potential risks resulting from the implementation of data privacy legislation to us. We are required to establish processes and change certain operations in relation to the processing of personal data as a result of privacy laws, which may involve substantial expense and distraction from other aspects of our business.

To defend against information security threats internally, at our third-party providers, and on our customers’ systems, we must continuously engineer or purchase more secure products and services, enhance security and reliability features, improve deployment and compliance with software updates, assess and develop mitigation strategies and technologies to help secure information, hire information security specialists, and maintain a security infrastructure that protects our network, products, and services, and the software we build for our customers. Some of our customers seek additional assurances for the protection of their sensitive information, including personally identifiable information, and attempt to hold us liable, through contractual indemnification clauses or directly, for any losses or damages in the event that their sensitive information is disclosed. At times, to achieve commercial objectives, we agree to greater liability exposure to such customers. In addition, government regulators have sought and may continue to seek to impose fines, penalties, and other civil or criminal consequences for real or suspected security breaches and perceived inadequate information security. Our customers, particularly those in the Financial Services and Life Sciences & Healthcare industry verticals, may have enhanced or particular security requirements which we must address in our engineering and development services. Other parties, such as our customers’ customers, who have a private right of action, will seek damages for any information security or privacy breach on an individual or collective basis, and our customers have in the past, and may in the future, request to be indemnified against such claims. We must also educate our employees, contractors, and customers about the need to effectively use security measures. The cost of information security measures, either to protect our information or the information of our customers, and the cost of complying with privacy and information security disclosure regulations, reduces our profitability. Actual or perceived security vulnerabilities in our software and services, even if those vulnerabilities are the result of hardware or software developed by third parties, harm our reputation and lead customers to use our competitors, reduce or delay future purchases of our services, or seek compensation or damages.

To defend against information security threats internally, at our third-party providers, and on our customers’ systems, we must continuously engineer or purchase more secure products and services, enhance security and reliability features, improve deployment and compliance with software updates, assess and develop mitigation strategies and technologies to help secure information, hire information security specialists, and maintain a security infrastructure that protects our network, products, and services, and the software we build for our customers. We must also educate our employees, contractors, and customers about the need to effectively use security measures. Our customers, particularly those in the Financial Services and Life Sciences & Healthcare industry verticals, may have enhanced or particular security requirements which we must address in our engineering and development services. The cost of information security measures, either to protect our information or the information of our customers, could reduce our profitability. Actual or perceived security vulnerabilities in our software and services, even if those vulnerabilities are the result of hardware or software developed by third parties, could harm our reputation and lead customers to use our competitors, reduce or delay future purchases of our services, or to seek compensation or damages.

Our software development solutions involve a high degree of technological complexity, have unique specifications and could contain design defects or software errors that are difficult to detect or correct, including as a result of the introduction of new and emerging technologies such as AI. Errors or defects in design, execution, or quality inspections may result in the loss of current customers, revenues, market share, or customer data, a failure to attract new customers or achieve market acceptance and could divert development resources and increase support or service costs. We cannot provide assurance that, despite testing by our customers and us, errors will not be found in the software products we develop or the services we perform. Any such errors could result in disruptions to the proper functioning of the software we build, cause disruptions in our customers’ business, and allow unauthorized access to our or our customers’ proprietary information, resulting in claims for damages against us, litigation, and reputational harm that could materially adversely affect our business.

Our software development solutions involve a high degree of technological complexity, have unique specifications and could contain design defects or software errors that are difficult to detect or correct. Errors or defects may result in the loss of current customers, revenues, market share, or customer data, a failure to attract new customers or achieve market acceptance and could divert development resources and increase support or service costs. We cannot provide assurance that, despite testing by our customers and us, errors will not be found in the software products we develop or the services we perform. Any such errors could result in claims for damages against us, litigation, and reputational harm that could materially adversely affect our business. 21 21 21 21 21 21 Table of Contents Table of Contents Table of Contents

We have experienced uneven growth and expansion of our business over the past several years. Our growth and expansion has been both organic and through strategic acquisitions and investments and has resulted in part from managing larger and more complex projects for our customers, but consequently requires that we invest substantial amounts of cash in human capital and the infrastructure to support them, including training, administration, and facilities in existing and new geographies. Our growth has significantly slowed at times, particularly during 2023, due to waning customer demand, primarily due to uncertainty resulting from macroeconomic conditions following the COVID-19 pandemic. Rapid growth followed by decreased demand places significant strain on our management and our administrative, operational and financial infrastructure, and creates challenges, including: •recruiting, training and retaining sufficiently skilled professionals and management personnel and balancing headcount with customer requirements; •balancing an increase in the number of experienced personnel that have correspondingly higher billing rates due to promotions with hiring, training, and deploying less experienced personnel at the lower rates sought by customers; •planning and maintaining resource utilization rates consistently and efficiently using on-site, off-site and offshore staffing; •developing and maintaining close and effective relationships with potential and existing customers in a greater number of industries and locations; •controlling costs and minimizing cost overruns and project delays in our delivery operations and infrastructure; •effectively maintaining productivity levels and implementing process improvements across geographies and business units during periods of uneven customer demand; and •evolving our information security and our internal administrative, operational and financial infrastructure. If customers do not choose us for large and complex projects or we do not effectively manage those projects, our reputation may be damaged and our business and financial goals will not be realized. We need to generate business and revenues to support new investments and infrastructure projects. We have and will continue to invest in new lines of business, such as software development education, AI, and expanded consulting services. As we introduce new services, enter into new markets and new customer relationships, and take on increasingly large and complex projects, our business will face new risks and challenges. Expansion into direct-to-consumer offerings in the highly regulated education industry and joint venture relationships with our customers could result in increased liability, start-up, and compliance costs. If the challenges associated with expansion and new investments negatively impact our anticipated growth and margins, our business, prospects, financial condition and results of operations could be materially adversely affected.

We have grown rapidly and significantly expanded our businesses over the past several years, both organically and through strategic acquisitions and investments. Our growth has resulted in part from managing larger and more complex projects for our customers, but consequently requires that we invest substantial amounts of cash in human capital and the infrastructure to support them, including training, administration, and facilities in existing and new geographies. Our rapid growth places significant demands on our management and our administrative, operational and financial infrastructure, and creates challenges, including: •recruiting, training and retaining sufficiently skilled professionals and management personnel; •planning resource utilization rates on a consistent basis and efficiently using on-site, off-site and offshore staffing; •maintaining close and effective relationships with a larger number of customers in a greater number of industries and locations; •controlling costs and minimizing cost overruns and project delays in delivery center and infrastructure expansion; •effectively maintaining productivity levels and implementing process improvements across geographies and business units; and •evolving our information security and our internal administrative, operational and financial infrastructure. We intend to continue our expansion and pursue available opportunities for the foreseeable future. We have and will continue to invest in new lines of business, such as software development education and expanded consulting services. As we introduce new services, enter into new markets, and take on increasingly large and complex projects, our business may face new risks and challenges. If customers do not choose us for large and complex projects or we do not effectively manage those projects, our reputation may be damaged and our business and financial goals may not be realized. Direct-to-consumer offerings in the highly regulated education industry could result in increased liability and compliance costs. We need to generate business and revenues to support new investments and infrastructure projects. If the challenges associated with expansion negatively impact our anticipated growth and margins, our business, prospects, financial condition and results of operations could be materially adversely affected.

Expectations from our customers, investors, employees, and regulators regarding our environmental, social, and governance, or ESG, strategy and commitments continue to evolve. As investor policy and sentiment changes, and regulations and legislation related to ESG disclosure and climate change initiatives are adopted and implemented regionally and globally, our compliance obligations may not be completely aligned with investor support for ESG investments. Failure to invest in and comply with ESG initiatives and regulations could limit our access to certain markets, result in fines, or cause reputational harm. Changes in policy and laws may require disclosures and commitments that we are not able to meet, and regulations, treaties or initiatives in response to climate change could result in increased operational costs associated with environmental regulations and increased compliance and energy costs, each of which could harm our business and results of operations by increasing our expenses or requiring us to alter our operations. Our processes and controls may not always comply with evolving standards for identifying, measuring, and reporting ESG metrics, including ESG-related disclosures that may be required of public companies by the SEC or other regulatory bodies, and such standards may change over time, which could result in significant revisions to our current goals, reported progress in achieving such goals, or ability to achieve such goals in the future. Additionally, if we are unable to meet our ESG goals and objectives, we could also face scrutiny from certain constituencies related to the scope and nature of those goals or any revisions to those goals, and we may suffer reputational harm with investors, our customers, and current or potential employees.

Customer, investor, employee, and regulatory interest in environmental, social, and governance (“ESG”) strategy and commitments has grown and is expected to continue to grow. As investor policy, regulations, and legislation related to ESG disclosure and climate change initiatives are adopted and implemented regionally and globally, we may be required to comply or potentially face limited access to certain markets, fines, or reputational injury. Such policies and laws may require disclosures and commitments that we are not able to meet, and regulations, treaties or initiatives in response to climate change could result in increased operational costs associated with environmental regulations and increased compliance and energy costs, each of which could harm our business and results of operations by increasing our expenses or requiring us to alter our operations. Additionally, if we are unable to meet our ESG goals and objectives, we may suffer reputational harm with investors, our customers, and current or potential employees.

In the ordinary course of business, we collect, store, process, transmit, and view sensitive or confidential data, including intellectual property, proprietary business information and personally identifiable information belonging to us, our customers, our respective employees, and other end users. This information is stored in our data centers and networks or in the data centers and networks of third-party providers. Physical security and the secure storage, processing, maintenance and transmission of this information is critical to our operations and business strategy. Our internal technology infrastructure or the technology infrastructure of our third-party providers on which our information security depends may be subject to disruptions or may otherwise fail to operate properly or become disabled or damaged as a result of a number of factors, including events that are wholly or partially beyond our control and that could adversely affect our ability to provide services or keep our information secure. Such events include IT attacks or failures, threats to physical security, electrical or telecommunications outages, damaging weather or other acts of nature, or employee or contractor error or malfeasance. Our employees and contractors and our vendors, software and hardware suppliers, and other third parties in our information security supply chain, as well as sophisticated individual or collective groups of hackers, such as state-sponsored organizations, all pose threats to our information security. These individual, group, and organized actors have a variety of methods at their disposal, including deploying malicious software, exploiting vulnerabilities in hardware, software, or infrastructure, using social engineering or deceptive techniques to obtain information or gain access to our or our customers’ data, exploiting remote working connectivity and security susceptibilities, and executing coordinated attacks to compromise our services, disrupt our operations or gain access to our communications, networks and data centers. We have in the past experienced cybersecurity incidents and expect to continue to be the target of malicious attacks. Threats to information security evolve constantly and are increasingly sophisticated and complex, which makes detecting and successfully defending against them more difficult. Undetected vulnerabilities that persist in our network environment over long periods of time could spread within our networks or into the networks and systems of our other suppliers and customers. An attack may be viewed as immaterial or isolated at the time of its occurrence but later viewed as material or part of a larger and coordinated effort at a later date. We frequently update and improve our information security environment and assess and adopt new methods, devices, and technologies, but our policies and information security controls may not keep pace or be designed to detect emerging threats and our response to incidents may not be adequate, may fail to accurately assess the severity of an incident, may not be fast enough to prevent or limit harm, or may fail to sufficiently remediate an incident. Our ability to monitor our third-party suppliers’ information security systems is limited and we are not able to detect vulnerabilities in their systems until we are notified of the existence of those vulnerabilities. There have been and will continue to be attacks on our and third parties’ information security supply chains. We cannot guarantee that our information security supply chain has not been breached and does not contain exploitable defects, bugs, or vulnerabilities that could result in an incident, breach, or other disruption to our system or the systems of our customers or suppliers. Despite our multiple security measures, any breach of our facilities, network, or information security defenses compromises the information stored in those locations and allows the accessed information to be held for ransom, publicly disclosed, misappropriated, lost or stolen. Such a breach, misappropriation, or disruption, or the perception that we are vulnerable to a breach, could also disrupt our operations and the services we provide to customers, and any actual, alleged, or perceived breach of network or information security that we, our suppliers, our customers, or our industry suffer could damage our reputation, and cause a loss of confidence in our products and services, as well as require us to expend significant resources, which may not be covered by insurance, to protect against further breaches and to rectify problems caused by these events. Any such access, disclosure or other loss of information could result in legal claims or proceedings, liability under applicable laws, regulatory penalties or enforcement actions, and could adversely affect our business, revenues and competitive position. 21 21 21 21 21 21 Table of Contents Table of Contents Table of Contents

In the ordinary course of business, we collect, store, process, transmit, and view sensitive or confidential data, including intellectual property, proprietary business information and personally identifiable information belonging to us, our customers, our respective employees, and other end users. This information is stored in our data centers and networks or in the data centers and networks of third-party providers. Physical security and the secure storage, processing, maintenance and transmission of this information is critical to our operations and business strategy. Some of our customers seek additional assurances for the protection of their sensitive information, including personally identifiable information, and will seek greater liability in the event that their sensitive information is disclosed. At times, to achieve commercial objectives, we may agree to greater liability exposure to such customers. In addition, government regulators may impose fines, penalties, and other civil or criminal consequences for security breaches and inadequate information security. Other parties, such as our customers’ customers, may have a private right of action to seek damages for any information security breach on an individual or collective basis. Individuals, including employees, contractors and other third parties in our information security supply chain, as well as groups and larger, sophisticated collections of hackers, such as state-sponsored organizations, all pose threats to our information security. These individual, group, and organized actors have a variety of methods at their disposal, including deploying malicious software, exploiting vulnerabilities in hardware, software, or infrastructure, using social engineering or deceptive techniques, and executing coordinated attacks to compromise our services, disrupt our operations or gain access to our networks and data centers. 20 20 20 20 20 20 Table of Contents Table of Contents Table of Contents Threats to information security evolve constantly and are increasingly sophisticated and complex, which makes detecting and successfully defending against them more difficult. Undetected vulnerabilities may persist in our network environment over long periods of time and could come from or spread to the networks and systems of our suppliers and customers. We frequently update and improve our information security environment and assess and adopt new methods, devices, and technologies, but our policies and information security controls may not keep pace with emerging threats. We have in the past been subject to cyberattacks and expect to continue to be the target of malicious attacks. Despite our multiple security measures, any breach of our facilities, network, or information security defenses compromises the information stored in those locations and allows the accessed information to be held for ransom, publicly disclosed, misappropriated, lost or stolen. Such a breach, misappropriation, or disruption could also disrupt our operations and the services we provide to customers, damage our reputation, and cause a loss of confidence in our products and services, as well as require us to expend significant resources to protect against further breaches and to rectify problems caused by these events. Any such access, disclosure or other loss of information could result in legal claims or proceedings, liability under applicable laws, and regulatory penalties and could adversely affect our business, revenues and competitive position.