Fortinet Inc.: 10-K Risk Factor Changes

Our business depends on the overall demand for information technology and on the economic health of our current and prospective customers. In addition, the purchase of our products is often discretionary and may involve a significant commitment of capital and other resources. Weak global and regional economic conditions and spending environments, based on a downturn in the economy, a possible recession and the effects of ongoing or increased inflation or possible stagflation in certain geographies, tariffs or other trade disruptions, changing interest rates, geopolitical instability and uncertainty, a reduction in information technology spending regardless of macroeconomic conditions, the effects of epidemics and pandemics and the impact of the war in Ukraine could have a material adverse impacts on our financial condition and results of operations and our business, including resulting in longer sales cycles, lower prices for our products and services, increased component costs, higher default rates among our channel partners, reduced unit sales, lower prices and slower or declining growth. These can negatively impact our business by putting downward pressure on growth if we are unable to achieve the increases in 14 14 14 Table of Contents Table of Contents product prices necessary to appropriately offset the additional costs in a manner sufficient to maintain margins. Any of these impacts may materially and adversely affect our business, financial condition, results of operations and liquidity. The existence of inflation in certain economies has resulted in, and may continue to result in, changing interest rates and capital costs, increased component or shipping costs, increased costs of labor, weakening exchange rates and other similar effects. Although we take measures to mitigate risks such as those associated with inflation, the mitigating measures may not be effective or their impact may not offset the increased cost of inflation in a timely manner. Inflation, an economic downturn, a recession and any other economic challenges may also adversely impact spending patterns by our distributors, resellers and end-customers.

Our business depends on the overall demand for information technology and on the economic health of our current and prospective customers. In addition, the purchase of our products is often discretionary and may involve a significant commitment of capital and other resources. Weak global and regional economic conditions and spending environments, based on a downturn in the economy, a possible recession and the effects of ongoing or increased inflation or possible stagflation in certain geographies, increasing or decreasing interest rates, geopolitical instability and uncertainty, a reduction in information technology spending regardless of macroeconomic conditions, the effects of epidemics and pandemics and the impact of the war in Ukraine and the Israel-Hamas war each could have a material adverse impacts on our financial condition and results of operations and our business, including resulting in longer sales cycles, lower prices for our products and services, increased component costs, higher default rates among our channel partners, reduced unit sales, lower prices and slower or declining growth. These can negatively impact our business by putting downward pressure on growth if we are unable to achieve the increases in product prices necessary to appropriately offset the additional costs in a manner sufficient to maintain margins. Any of these impacts may materially and adversely affect our business, financial condition, results of operations and liquidity. The existence of inflation in certain economies has resulted in, and may continue to result in, increasing or decreasing interest rates and capital costs, increased component or shipping costs, increased costs of labor, weakening exchange rates and other similar effects. Although we take measures to mitigate risks such as those associated with inflation, the mitigating measures may not be effective or their impact may not offset the increased cost of inflation in a timely manner. Inflation, an economic downturn, a recession and any other economic challenges may also adversely impact spending patterns by our distributors, resellers and end-customers.

There is an evolving focus from certain investors, employees, customers and other stakeholders concerning corporate responsibility, specifically related to ESG matters. Some investors may use these non-financial performance factors to guide their investment strategies and, in some cases, may choose not to invest in us if they believe our policies and actions relating to corporate responsibility are inadequate. The growing investor demand for measurement of non-financial performance is addressed by third-party providers of sustainability assessment and ratings on companies. The criteria by which our corporate responsibility practices are assessed may change due to the constant evolution of the global sustainability landscape, which could result in greater expectations of us and cause us to undertake costly initiatives to satisfy such new criteria. For example, under the EU’s Corporate Sustainability Reporting Directive, we will be required to make certain disclosures in 2026 relating to our ESG impacts, risks, and opportunities for 2025. If we elect not to or are unable to satisfy such new criteria, investors may conclude that our policies and/or actions with respect to corporate social responsibility are inadequate and we may be subject to fines from regulatory authorities. We may face reputational damage in the event that we do not meet the ESG standards set by various constituencies. Furthermore, in the event that we communicate certain initiatives and goals regarding ESG matters, we could fail, or be perceived to fail, in our achievement of such initiatives or goals, or we could be criticized for the scope, target and timelines of such initiatives or goals. If we fail to satisfy the expectations of investors, customers, employees, and other stakeholders or our initiatives are not executed as planned, our reputation and business, operating results and financial condition could be adversely impacted. In addition, the SEC adopted a rule that requires climate disclosures in periodic and other filings with the SEC covering fiscal years beginning in 2025, which rule has been stayed pending the completion of a judicial review. To comply with this SEC rule, if such rule goes into effect in its current form, we will be required to establish additional internal controls, engage additional consultants and incur additional costs related to evaluating, managing and reporting on our environmental impact and climate-related risks and opportunities. If we fail to implement sufficient oversight or accurately capture and disclose on environmental matters, our reputation, business, operating results and financial condition may be materially adversely affected.

There is an increasing focus from certain investors, employees, customers and other stakeholders concerning corporate responsibility, specifically related to ESG matters. Some investors may use these non-financial performance factors to guide their investment strategies and, in some cases, may choose not to invest in us if they believe our policies and actions relating to corporate responsibility are inadequate. The growing investor demand for measurement of non-financial performance is addressed by third-party providers of sustainability assessment and ratings on companies. The criteria by which our corporate 37 37 37 Table of Contents Table of Contents responsibility practices are assessed may change due to the constant evolution of the sustainability landscape, which could result in greater expectations of us and cause us to undertake costly initiatives to satisfy such new criteria. For example, in 2023, California passed three separate climate bills governing disclosure of greenhouse gas emissions data, climate-related financials risks and details around emissions-related claims and carbon offsets. If we elect not to or are unable to satisfy such new criteria, investors may conclude that our policies and/or actions with respect to corporate social responsibility are inadequate and we may be subject to fines from regulatory authorities. We may face reputational damage in the event that we do not meet the ESG standards set by various constituencies. Furthermore, in the event that we communicate certain initiatives and goals regarding ESG matters, such as our commitment to target Net-Zero on Scope 1 and Scope 2 emissions resulting from our owned facilities worldwide by 2030 or our commitment to the Paris Agreement via the Science Based Targets Initiative, we could fail, or be perceived to fail, in our achievement of such initiatives or goals, or we could be criticized for the scope, target and timelines of such initiatives or goals. If we fail to satisfy the expectations of investors, customers, employees, and other stakeholders or our initiatives are not executed as planned, our reputation and business, operating results and financial condition could be adversely impacted. In addition, the SEC has also proposed a draft rule that requires climate disclosures in financial filings. To the extent the SEC proposal becomes effective for our company, we will be required to establish additional internal controls, engage additional consultants and incur additional costs related to evaluating, managing and reporting on our environmental impact and climate-related risks and opportunities. If we fail to implement sufficient oversight or accurately capture and disclose on environmental matters, our reputation, business, operating results and financial condition may be materially adversely affected.

Our FortiGuard and other security subscriptions and FortiCare technical support services revenue has historically accounted for a significant percentage of our total revenue. Revenue from the sale of new, or from the renewal of existing, FortiGuard and other security subscriptions and FortiCare technical support service contracts may decline and fluctuate as a result of a number of factors, including fluctuations and changes in the mix of our sales from secure networking, unified SASE and security operations between products and services, end-customers’ level of satisfaction with our products and services, the prices of our products and services, the prices of products and services offered by our competitors, reductions in our customers’ spending levels and the timing of revenue recognition with respect to such sales. If our sales of new, or renewals of existing, FortiGuard and other security subscriptions and FortiCare technical support service contracts decline, our revenue and revenue growth may decrease and our business could suffer. In addition, in the event significant customers require payment terms for 18 18 18 Table of Contents Table of Contents FortiGuard and other security subscriptions and FortiCare technical support services in arrears or for shorter periods of time than annually, such as monthly or quarterly, this may negatively impact our billings and revenue. Furthermore, we recognize FortiGuard and other security subscriptions and FortiCare technical support services revenue ratably over the term of the service period, which is typically from one to five years. As a result, much of the FortiGuard and other security subscriptions and FortiCare technical support services revenue we report each quarter is the recognition of deferred revenue from FortiGuard and other security subscriptions and FortiCare technical support service contracts entered into during previous quarters or years. Consequently, a decline in new or renewed FortiGuard and other security subscriptions and FortiCare technical support service contracts in any one quarter will not be fully reflected in revenue in that quarter but will negatively affect our revenue in future quarters. Accordingly, the effect of significant downturns in sales of new, or renewals of existing, FortiGuard and other security subscriptions and FortiCare technical support services is not reflected in full in our statements of income until future periods. Our FortiGuard and other security subscriptions and FortiCare technical support services revenue also makes it difficult for us to rapidly increase our revenue through additional service sales in any period, as revenue from new and renewal support services contracts must be recognized over the applicable service term.

Our FortiGuard and other security subscription and FortiCare technical support services revenue has historically accounted for a significant percentage of our total revenue. Revenue from the sale of new, or from the renewal of existing, FortiGuard and other security subscription and FortiCare technical support service contracts may decline and fluctuate as a result of a number of factors, including fluctuations in purchases of secure networking, unified SASE and security operations, changes in the sales mix between products and services, end-customers’ level of satisfaction with our products and services, the prices of our products and services, the prices of products and services offered by our competitors, reductions in our customers’ spending levels and the timing of revenue recognition with respect to these arrangements. If our sales of new, or renewals of existing, FortiGuard and other security subscription and FortiCare technical support service contracts decline, our revenue and revenue growth may decline and our business could suffer. In addition, in the event significant customers require payment 15 15 15 Table of Contents Table of Contents terms for FortiGuard and other security subscription and FortiCare technical support services in arrears or for shorter periods of time than annually, such as monthly or quarterly, this may negatively impact our billings and revenue. Furthermore, we recognize FortiGuard and other security subscription and FortiCare technical support services revenue ratably over the term of the service period, which is typically from one to five years. As a result, much of the FortiGuard and other security subscription and FortiCare technical support services revenue we report each quarter is the recognition of deferred revenue from FortiGuard and other security subscription and FortiCare technical support services contracts entered into during previous quarters or years. Consequently, a decline in new or renewed FortiGuard and other security subscription and FortiCare technical support services contracts in any one quarter will not be fully reflected in revenue in that quarter but will negatively affect our revenue in future quarters. Accordingly, the effect of significant downturns in sales of new, or renewals of existing, FortiGuard and other security subscriptions and FortiCare technical support services is not reflected in full in our statements of income until future periods. Our FortiGuard and other security subscription and FortiCare technical support services revenue also makes it difficult for us to rapidly increase our revenue through additional service sales in any period, as revenue from new and renewal support services contracts must be recognized over the applicable service term.

In order to remain competitive, we may seek to acquire additional businesses, products, technologies or IP, such as patents, and to make equity investments in businesses coupled with strategic alliances. For any possible future acquisitions or investments, we may not be successful in negotiating the terms of the acquisition or investment or financing the acquisition or investment. For both our prior and future acquisitions, we may not be successful in effectively integrating the acquired business, product, technology, IP or sales force into our existing business and operations, and the acquisitions may negatively impact our financial results. We may have difficulty incorporating acquired technologies, IP or products with our existing 37 37 37 Table of Contents Table of Contents product lines, integrating reporting systems and procedures, and maintaining uniform standards, controls, development practices, procedures and policies. For example, we may experience difficulties integrating an acquired company’s ERP or CRM systems, SaaS delivery systems, sales support, cyber risk management and compliance and other processes and systems, with our current systems and processes. We may also find that the personnel of the companies we acquire do not adequately adhere to our corporate policies and it may take time to bring them in line with our policies and standards. If we are unable to do so efficiently or effectively, our reputation and business, operating results and financial condition could be adversely impacted. The results of certain businesses that we invest in are, or may in the future, be reflected in our operating results, and we depend on these companies to provide us financial information in a timely manner in order to meet our financial reporting requirements. We may experience difficulty in timely obtaining financial information from the companies in which we have invested in order to meet our financial reporting requirements. Further, we are required to record goodwill and intangible assets that are subject to impairment testing on a regular basis and potential periodic impairment charges, which may adversely affect our financial condition and results of operations. Our due diligence for acquisitions and investments may fail to identify all of the problems, liabilities or other shortcomings or challenges of an acquired business, product or technology, including issues with IP, product quality or product architecture, regulatory compliance practices, environmental and sustainability compliance practices, revenue recognition or other accounting practices or employee or customer issues. We also may not accurately forecast the financial impact of an acquisition or an investment and alliance. In addition, any acquisitions and significant investments we are able to complete may be dilutive to revenue growth and earnings and may not result in any synergies or other benefits we had expected to achieve, which could negatively impact our operating results and result in impairment charges that could be substantial. We may have to pay cash, incur debt or issue equity securities to pay for any acquisition, each of which could affect our financial condition or the value of our capital stock and could result in dilution to our stockholders. Acquisitions or investments during a quarter may result in increased operating expenses and adversely affect our cash flows or our results of operations for that period and future periods compared to the results that we have previously forecasted or achieved. Further, completing a potential acquisition or investment and alliance and integrating acquired businesses, products, technologies or IP are challenging to do successfully and could significantly divert management time and resources.

In order to remain competitive, we may seek to acquire additional businesses, products, technologies or IP, such as patents, and to make equity investments in businesses coupled with strategic alliances. For any possible future acquisitions or investments, we may not be successful in negotiating the terms of the acquisition or investment or financing the acquisition or investment. For both our prior and future acquisitions, we may not be successful in effectively integrating the acquired business, product, technology, IP or sales force into our existing business and operations, and the acquisitions may negatively impact our financial results. We may have difficulty incorporating acquired technologies, IP or products with our existing product lines, integrating reporting systems and procedures, and maintaining uniform standards, controls, procedures and policies. For example, we may experience difficulties integrating an acquired company’s ERP or CRM systems, sales support and other processes and systems, with our current systems and processes. The results of certain businesses that we invest in, such as Linksys, are, or may in the future, be reflected in our operating results, and we depend on these companies to provide us financial information in a timely manner in order to meet our financial reporting requirements. We may experience difficulty in timely obtaining financial information from the companies in which we have invested in order to meet our financial reporting requirements. Our due diligence for acquisitions and investments may fail to identify all of the problems, liabilities or other shortcomings or challenges of an acquired business, product or technology, including issues with IP, product quality or product architecture, regulatory compliance practices, environmental and sustainability compliance practices, revenue recognition or other accounting practices or employee or customer issues. We also may not accurately forecast the financial impact of an acquisition or an investment and alliance. In addition, any acquisitions and significant investments we are able to complete may be dilutive to revenue growth and earnings and may not result in any synergies or other benefits we had expected to achieve, which could negatively impact our operating results and result in impairment charges that could be substantial. We may have to pay cash, incur debt or issue equity securities to pay for any acquisition, each of which could affect our financial condition or the value of our capital stock and could result in dilution to our stockholders. Acquisitions or investments during a quarter may result in increased operating expenses and adversely affect our cash flows or our results of operations for that period and future periods compared to the results that we have previously forecasted or achieved. Further, completing a potential acquisition or investment and alliance and integrating acquired businesses, products, technologies or IP are challenging to do successfully and could significantly divert management time and resources. Linksys sells predominantly into the consumer Wi-Fi market, and its sales have declined since our investment. Because we are accounting for our Linksys investment using the equity method of accounting, we are required to assess the investment for other-than-temporary impairment (“OTTI”) when events or circumstances suggest that the carrying amount of the investment may be impaired. We have analyzed whether there should be an OTTI of the value of our investment in Linksys and during the three months ended December 31, 2022 we recorded an OTTI charge of $22.2 million. In evaluating OTTI, we considered factors such as Linksys’ financial results and operating history, our ability and intent to hold the investment until its fair value recovers, the implied revenue valuation multiples compared to guideline public companies, Linksys’ ability to achieve milestones and any notable operational and strategic changes. We intend to continue to analyze our investment in Linksys to determine whether any further impairment is appropriate. If any further decline in fair value is determined to be other-than-temporary, we will adjust the carrying value of the investment to its fair value and record the impairment expense in our consolidated statements of income. The cost basis of the investment is not adjusted for subsequent recoveries in fair value. We may experience additional volatility to our statements of operations due to the underlying operating results of Linksys or impairments of our Linksys investment. This volatility could be material to our results in any given quarter and may cause our stock price to decline.

Our FortiGuard and other security subscription services may falsely detect, report and act on viruses or other threats that do not actually exist. This risk is heightened by the inclusion of heuristics, ML or AI features in our products, which attempt to identify viruses and other threats not based on any known signatures but based on characteristics or anomalies that may indicate that a particular item is a threat. With these features in our products, the risk of falsely identifying viruses and other threats significantly increases. These false positives, while typical in the industry, may impair the perceived reliability of our products and may therefore adversely impact market acceptance of our products. Also, our FortiGuard and other security subscription services may falsely identify emails or programs as unwanted spam or potentially unwanted programs, or alternatively fail to properly identify unwanted emails or programs, particularly as spam emails or spyware are often designed to circumvent anti-spam or spyware products. Parties whose emails or programs are blocked by our products may seek redress against us for labeling them as spammers or spyware, or for interfering with their business. In addition, false identification of emails or programs as unwanted spam or potentially unwanted programs may reduce the adoption of our products. If our system restricts important files or applications based on falsely identifying them as malware or some other item that should be restricted, this could adversely affect end-customers’ systems and cause material system failures. In addition, our threat researchers periodically identify vulnerabilities in various third-party products, and, if these identifications are perceived to be incorrect or are in fact incorrect, this could harm our business. Any such false identification or perceived false identification of important files, applications or vulnerabilities could result in negative publicity, loss of end-customers and sales, increased costs to remedy any problem and costly litigation.

Our FortiGuard and other security subscription services may falsely detect, report and act on viruses or other threats that do not actually exist. This risk is heightened by the inclusion of a “heuristics” feature in our products, which attempts to identify viruses and other threats not based on any known signatures but based on characteristics or anomalies that may indicate that a particular item is a threat. When our end-customers enable the heuristics feature in our products, the risk of falsely identifying viruses and other threats significantly increases. These false positives, while typical in the industry, may impair the perceived reliability of our products and may therefore adversely impact market acceptance of our products. Also, our FortiGuard and other security subscription services may falsely identify emails or programs as unwanted spam or potentially unwanted programs, or alternatively fail to properly identify unwanted emails or programs, particularly as spam emails or spyware are often designed to circumvent anti-spam or spyware products. Parties whose emails or programs are blocked by our products may seek redress against us for labeling them as spammers or spyware, or for interfering with their business. In addition, false identification of emails or programs as unwanted spam or potentially unwanted programs may reduce the adoption of our products. If our system restricts important files or applications based on falsely identifying them as malware or some other item that should be restricted, this could adversely affect end-customers’ systems and cause material system failures. In addition, our threat researchers periodically identify vulnerabilities in various third-party products, and, if these identifications are perceived to be incorrect or are in fact incorrect, this could harm our business. Any such false identification or perceived false identification of important files, applications or vulnerabilities could result in negative publicity, loss of end-customers and sales, increased costs to remedy any problem and costly litigation. 28 28 28 Table of Contents Table of Contents

Our products and services are complex, and they have contained and may contain defects, errors or vulnerabilities that are not detected until after their commercial release and deployment by our customers. Defects, errors or vulnerabilities may impede or block network traffic, cause our products or services to be vulnerable to electronic break-ins, cause them to fail to help secure our customers or cause our products or services to allow unauthorized access to our customers’ networks, or an unintended disruption to our customers’ operations. Additionally, any perception that our products have vulnerabilities, whether or not accurate, and any actual vulnerabilities may harm our operational results and reputation, more significantly as compared to other companies in other industries. Following a review in accordance with our publicly available Product Security Incident Response Team policy, our Product Security Incident Response Team publicly posts on our FortiGuard Labs website known product vulnerabilities, including critical vulnerabilities, and methods for customers to mitigate the risk of vulnerabilities. For example, we recently discovered, and subsequently released to customers an advisory update and patch for, a critical vulnerability in our FortiManager product. We are subject to various risks due to the FortiManager vulnerability, including reputational harm, adverse impacts to customer relationships, potential litigation, and additional regulatory scrutiny, which could negatively impact our business, operating results and financial condition. There can be no assurance that posts on our FortiGuard Labs website, including with respect to the recently announced FortiManager vulnerability, will be sufficiently timely, accurate or complete or that those customers will see such posts or take steps to mitigate the risk of vulnerabilities, and certain customers may be negatively impacted. Our products are also susceptible to errors, defects, logic flaws, vulnerabilities and inserted vulnerabilities that may arise in, or be included in our products in, different stages of our supply chain, manufacturing and shipment processes, and a threat actor’s exploitation of these weaknesses may be difficult to anticipate, prevent, and detect. If we are unable to maintain an effective supply chain security risk management and products security program or we inadvertently release a product or an update to a product with a defect in it, then the security and integrity of our products and the updates to those products that our customers receive could be exploited by third parties or insiders, or our solutions or updates thereto could cause an unintended disruption to our customers’ operations. Different customers deploy and use our products in different ways, and certain deployments and usages may subject our products to adverse conditions that may negatively impact the effectiveness and useful lifetime of our products. Further, customers may choose not to apply patches in a timely manner for business or operational reasons, or may neglect to upgrade at all and may run unpatched or unsupported devices against our guidance and industry best practice. Such lack of action to remediate known product vulnerabilities in the customer environment could negatively impact their own security posture, increasing the likelihood of exploitation and negatively impacting our reputation. Our networks and products, including cloud-based technology, could be targeted by attacks specifically designed to disrupt our business and harm our operational results and reputation. We cannot ensure that our products will prevent all adverse security events or not cause disruptions to our customers’ operations. Because the techniques used by malicious adversaries to access or sabotage networks change frequently and generally are not recognized until launched against a target, we may be unable to anticipate these techniques. In addition, defects or errors in our FortiGuard and other security subscriptions or FortiCare updates or our Fortinet appliances and operating systems could result in a failure of our FortiGuard and other security subscription services to effectively or correctly update end-customers’ Fortinet appliances and cloud-based products and thereby leave customers vulnerable to attacks or to disruptions in operations. Furthermore, our solutions may also fail to detect or prevent viruses, worms, ransomware attacks or similar threats due to a number of reasons such as the evolving nature of such threats and the continual emergence of new threats that we may fail to anticipate or add to our FortiGuard databases in time to protect our end-customers’ networks. Our data centers and networks and those of our hosting vendors and cloud service providers may also experience technical failures and downtime, and may fail to distribute appropriate updates, or fail to meet the increased requirements of our customer base. Any such technical failure, downtime or failures in general may temporarily or permanently expose our end-customers’ networks, leaving their networks unprotected against the latest security threats. An actual, possible or perceived security incident or infection of the network of one of our end-customers or a disruption to their operations, regardless of whether the incident is attributable to the failure of our products or services to prevent or detect the security incident or be the cause of such disruption, or any actual or perceived security risk in our supply chain, could adversely affect the market’s perception of our security products and services, cause customers and customer 25 25 25 Table of Contents Table of Contents prospects not to buy from us and, in some instances, subject us to potential liability that is not contractually limited. We may not be able to correct any security flaws or vulnerabilities promptly, or at all. Our products may also be misused or misconfigured by end-customers or third parties who obtain access to our products. For example, our products could be used to censor private access to certain information on the internet. Such use of our products for censorship could result in negative press coverage and negatively affect our reputation, even if we take reasonable measures to prevent any improper shipment of our products or if our products are provided by an unauthorized third party. Any actual, possible or perceived defects, errors or vulnerabilities, including critical vulnerabilities, in our products, or misuse of our products, could result in: •the expenditure of significant financial and product development resources in efforts to analyze, correct, eliminate or work around errors or defects or to address and eliminate vulnerabilities; •the loss of existing or potential end-customers or channel partners; •delayed or lost revenue; •delay or failure to attain market acceptance; •negative publicity and harm to our reputation; and •disclosure requirements, litigation, regulatory inquiries or investigations that may be costly and harm our reputation and, in some instances, subject us to potential liability that is not contractually limited. If our internal enterprise IT networks, on which we conduct internal business and interface externally, our operational networks, through which we connect to customers, vendors and partners systems and provide services, or our research and development networks, our back-end labs and cloud stacks hosted in our data centers or PoPs, colocation vendors or public cloud providers, through which we research, develop and host products and services, are compromised, public perception of our products and services may be harmed, our customers may be breached and harmed, we may become subject to liability, and our business, operating results and stock price may be adversely impacted. Our success depends on the market’s confidence in our ability to provide effective network security protection. Despite our efforts and processes to prevent breaches of our internal networks, systems and websites, whether in our owned data centers, cloud providers or colocations, we are still vulnerable to computer viruses, break-ins, phishing attacks, ransomware attacks, attempts to overload our servers with denial-of-service, vulnerabilities in vendor hardware and software that we leverage, advanced persistent threats from sophisticated actors and other cyber-attacks and similar disruptions from unauthorized access to our internal networks, systems or websites, whether in our owned data centers, cloud providers or colocations. Our security measures may also be breached due to employee error, malfeasance or otherwise, which breaches may be more difficult to detect than outsider threats, and the existing programs and trainings we have in place to prevent such insider threats may not be effective or sufficient. Third parties may also attempt to fraudulently induce our employees to transfer funds or disclose information in order to gain access to our networks and confidential information. Third parties may also send our customers or others malware or malicious emails that falsely indicate that we are the source, potentially causing lost confidence in us and reputational harm. We cannot guarantee that the measures we have taken to protect our networks, systems and websites, whether in our owned data centers, cloud providers or colocations, will provide adequate security. Moreover, because we provide network security products, we may be a more attractive target for attacks by computer hackers and any security breaches and other security incidents involving us may result in more harm to our reputation and brand than companies that do not sell network security solutions. Hackers and malicious parties may be able to develop and deploy viruses, worms, ransomware and other malicious software programs that attack our products and customers, that impersonate our update servers in an effort to access customer networks and negatively impact customers, or otherwise exploit any security vulnerabilities of our products, or attempt to fraudulently induce our employees, customers or others to disclose passwords or other sensitive information or unwittingly provide access to our internal networks, systems or data. Moreover, the threat landscape continues to evolve as a result of new technologies, including AI, and malicious parties may use AI to help attack our solutions, systems, and our customers. For example, from time to time, we have discovered that unauthorized parties have targeted us using sophisticated techniques, including by stealing technical data and attempting to steal private encryption keys, in an effort to both impersonate our products and threat intelligence update services and possibly attempt other attack methodologies. Using these techniques, these unauthorized parties have tried, and may in the future try, to gain access to certain of our and our customers’ systems. For example, recently, an individual gained unauthorized access to a limited number of files stored on our instance of a third-party cloud-based shared file drive, which included limited data related to a small percentage of our customers. We do not currently believe that this incident was material as a result of our assessment of various factors, including, but not limited to, because (i) our operations, products, and services have not been impacted, and (ii) we have identified no evidence of additional access to any other of our resources. As a result, we have not experienced, and do not currently believe that the incident is reasonably likely to have a material impact to our financial condition, operating results or business. However, we remain subject to various 26 26 26 Table of Contents Table of Contents risks due to the incident and its impact, including reputational harm, adverse impacts to customer relationships, potential litigation, and additional regulatory scrutiny. We have also, for example, discovered that unauthorized parties have targeted vulnerabilities, including critical vulnerabilities, in our product software and infrastructure in an effort to gain entry into our customers’ networks. In addition, in general threat actors use dark web forums to sell organizations’ stolen credentials. If threat actors sell valid credentials used by our customers to access our services, it is possible that unauthorized third parties may use such stolen credentials to try to gain access to our services. These and other hacking efforts against us and our customers may be ongoing and may happen in the future. Although we take numerous measures and implement multiple layers of security to protect our networks, we cannot guarantee that our security products, processes and services will secure against all threats. Further, we cannot be sure that third parties have not been, or will not in the future be, successful in improperly accessing our systems and our customers’ systems, which could negatively impact us and our customers. An actual breach could significantly harm us and our customers, and an actual or perceived breach, or any other actual or perceived data security incident, threat or vulnerability, that involves our supply chains, networks, systems or websites and/or our customers’ supply chains, networks, systems or websites could adversely affect the market perception of our products and services and investor confidence in our company. Any breach of our networks, systems or websites could impair our ability to operate our business, including our ability to provide FortiGuard and other security subscriptions and FortiCare technical support services to our end-customers, lead to interruptions or system slowdowns, cause loss of critical data or lead to the unauthorized disclosure or use of confidential, proprietary or sensitive information. We could also be subject to liability and litigation and reputational harm and our channel partners and end-customers may be harmed, lose confidence in us and decrease or cease using our products and services. Any breach of our internal networks, systems or websites could have an adverse effect on our business, operating results and stock price. In addition, there has been a general increase in phishing attempts and spam emails as well as social engineering attempts from hackers, and many of our employees continue to work remotely which may pose additional data security risks in the event remote work environments are not as secure as office environments. Any security incident could negatively impact our reputation and results of operations.

Our products and services are complex, and they have contained and may contain defects, errors or vulnerabilities that are not detected until after their commercial release and deployment by our customers. Defects, errors or vulnerabilities may impede or block network traffic, cause our products or services to be vulnerable to electronic break-ins, cause them to fail to help secure our customers or cause our products or services to allow unauthorized access to our customers’ networks. Following a review in accordance with our publicly available Product Security Incident Response Team policy, our Product Security Incident Response Team publicly posts on our FortiGuard Labs website known product vulnerabilities, including critical vulnerabilities, and methods for customers to mitigate the risk of vulnerabilities. There can be no assurance, however, that such posts will be sufficiently timely, accurate or complete or that those customers will take steps to mitigate the risk of vulnerabilities, and certain customers may be negatively impacted. Additionally, any perception that our products have vulnerabilities, whether or not accurate, and any actual vulnerabilities may harm our operational results and reputation, more significantly as compared to certain other companies in other industries because we are a security company. Our products are also susceptible to errors, defects, logic flaws, vulnerabilities and inserted vulnerabilities that may arise in, or be included in our products in, different stages of our supply chain, manufacturing and shipment processes, and a threat actor’s exploitation of these weaknesses may be difficult to anticipate, prevent, and detect. If we are unable to maintain an effective supply chain security risk management and products security program, then the security and integrity of our products and the updates to those products that our customers receive could be exploited by third parties or insiders. Different customers deploy and use our products in different ways, and certain deployments and usages may subject our products to adverse conditions that may negatively impact the effectiveness and useful lifetime of our products. Our networks and products, including cloud-based technology, could be targeted by attacks specifically designed to disrupt our business and harm our operational results and reputation. We cannot ensure that our products will prevent all adverse security events. Because the techniques used by malicious adversaries to access or sabotage networks change frequently and generally are not recognized until launched against a target, we may be unable to anticipate these techniques. In addition, defects or errors in our FortiGuard and other security subscription or FortiCare updates or our Fortinet appliances and operating systems could result in a failure of our FortiGuard and other security subscription services to effectively or correctly update end-customers’ Fortinet appliances and cloud-based products and thereby leave customers vulnerable to attacks. Furthermore, our solutions may also fail to detect or prevent viruses, worms, ransomware attacks or similar threats due to a number of reasons such as the evolving nature of such threats and the continual emergence of new threats that we may fail to anticipate or add to our FortiGuard databases in time to protect our end-customers’ networks. Our data centers and networks and those of our hosting vendors and cloud service providers may also experience technical failures and downtime, and may fail to distribute appropriate updates, or fail to meet the increased requirements of our customer base. Any such technical failure, downtime or failures in general may temporarily or permanently expose our end-customers’ networks, leaving their networks unprotected against the latest security threats. An actual, possible or perceived security incident or infection of the network of one of our end-customers, regardless of whether the incident is attributable to the failure of our products or services to prevent or detect the security incident, or any actual or perceived security risk in our supply chain, could adversely affect the market’s perception of our security products and services, cause customers and customer prospects not to buy from us and, in some instances, subject us to potential liability that is not contractually limited. We may not be able to correct any security flaws or vulnerabilities promptly, or at all. Our products may also be misused or misconfigured by end-customers or third parties who obtain access to our products. For example, our products could be used to censor private access to certain information on the internet. Such use of our products for censorship could result in negative press coverage and negatively affect our reputation, even if we take reasonable measures to prevent any improper shipment of our products or if our products are provided by an unauthorized third party. Any actual, possible or perceived defects, errors or vulnerabilities in our products, or misuse of our products, could result in: •the expenditure of significant financial and product development resources in efforts to analyze, correct, eliminate or work around errors or defects or to address and eliminate vulnerabilities; •the loss of existing or potential end-customers or channel partners; •delayed or lost revenue; 27 27 27 Table of Contents Table of Contents •delay or failure to attain market acceptance; •negative publicity and harm to our reputation; and •disclosure requirements, litigation, regulatory inquiries or investigations that may be costly and harm our reputation and, in some instances, subject us to potential liability that is not contractually limited.

Economic uncertainty in various global markets caused by political instability and conflict, such as the war in Ukraine has resulted, and may continue to result in weakened demand for our products and services and difficulty in forecasting our financial results and managing inventory levels. Political developments impacting government spending and international trade, including potential government shutdowns and trade disputes and tariffs may negatively impact markets and cause weaker macroeconomic conditions. The effects of these events may continue due to potential U.S. government shutdowns and the transition in administrations, and the United States’ ongoing trade disputes with Russia, China and other countries. The continuing effect of any or all of these events could adversely impact demand for our products, harm our operations and weaken our financial results.

Economic uncertainty in various global markets caused by political instability and conflict, such as the war in Ukraine and the Israel-Hamas war, and economic challenges caused by the economic downturn, any resulting recession, inflation or rise in interest rates has resulted, and may continue to result, in weakened demand for our products and services and difficulty in forecasting our financial results and managing inventory levels. Political developments impacting government spending and international trade, including potential government shutdowns and trade disputes and tariffs may negatively impact markets and cause weaker macroeconomic conditions. The effects of these events may continue due to potential U.S. government shutdowns and the transition in administrations, and the United States’ ongoing trade disputes with Russia, China and other countries. The continuing effect of any or all of these events could adversely impact demand for our products, harm our operations and weaken our financial results. In addition, the U.S. capital markets have experienced and continue to experience extreme volatility and disruption. Inflation rates in the United States significantly increased in 2022 resulting in federal action to increase interest rates, adversely affecting capital markets activity. Further deterioration of the macroeconomic environment and regulatory action may adversely affect our business, operating results and financial condition. Moreover, there has been recent turmoil in the global banking system. For example, in March 2023, Silicon Valley Bank (“SVB”) was put into receivership by the Federal Deposit Insurance Corporation and subsequently sold. Other banks at risk of failure have been subsequently sold, including First Republic Bank in May 2023, and there is concern that more banks could be at risk of the same fate. Although we only had an immaterial amount of our cash directly at SVB, there is no guarantee that the federal government would guarantee all depositors as they did with SVB depositors in the event of further bank closures. Continued instability in the global banking system may negatively impact us or our customers, including our customers’ ability to pay for our platform, and adversely impact our business and financial condition. Moreover, events such as the closure of SVB, in addition to global macroeconomic conditions discussed above, may cause further turbulence and uncertainty in the capital markets and economy. 42 42 42 Table of Contents Table of Contents