KLA Corporation: 10-K Risk Factor Changes

We maintain significant operations outside the United States, and existing and evolving trade restrictions imposed by the U.S. and other governments could significantly disrupt our global operations. The U.S. government has tightened export controls for commodities, software, and technology (collectively, “items”) destined to China over the past several years. These controls have included, for example, restrictions on exporting certain items to military end users and for military end uses, the addition of numerous entities to the U.S. Entity List (a list of parties that are generally ineligible to receive U.S.-regulated items without prior licensing from BIS), and the creation of new licensing requirements that apply to the export, re-export, and transfer of certain foreign-made items that are the direct product of U.S. origin technology or produced by a plant or major component of a plant that itself is the direct product of U.S. origin technology and which are destined to Huawei or its affiliates and other specified companies on the U.S. Entity List. In October 2022, BIS published the 2022 BIS Rules (the “2022 BIS Rules”) that introduce restrictions related to semiconductor, semiconductor manufacturing, supercomputer, and advanced computing items and end uses. These rules impose restrictions on our ability to sell, ship and support certain equipment and otherwise conduct business with certain counterparties, primarily including China-based companies involved in advanced semiconductor manufacturing. Further, the 2022 BIS Rules impose restrictions on the activities of U.S. persons with respect to certain items that are not subject to the Export Administration Regulations (“EAR”), which departs from BIS’ typical practice of controlling items that are subject to the EAR, and could further restrict our ability to conduct business in China. In October 2023, BIS issued the 2023 BIS Rules (the “2023 BIS Rules”) designed to update export controls on advanced computing semiconductors and semiconductor manufacturing equipment, as well as items that support supercomputing applications and end-uses, to certain D1, D4 and/or D5 countries in Supplement No. 1 of Part 740 of the U.S. Export Administration Regulations, including China. The 2023 BIS Rules adjust the parameters included in the 2022 BIS Rules that determine whether an advanced computing chip is restricted and impose new measures to address risks of circumvention of the controls established by the 2022 BIS Rules. The 2023 BIS Rules are very complex and, in January 2024, KLA, among other companies, submitted comments to BIS on the 2023 BIS Rules. BIS could revise or expand the 2023 BIS Rules in response to public comments. Likewise, BIS may issue guidance clarifying the scope of the rules. Such revisions, expansions or guidance could change the impact of the rules for our business. Commerce has also added, and may continue to add, China-based entities to the U.S. Entity List, imposing export restrictions to entities that could disrupt or prevent our product shipment, and further disrupt our revenue recognition and business operations, and our ability to support our customers in China. 16 16 16 Table of Contents Table of Contents These rules and regulations may significantly harm our business unless we are able to obtain required licenses. We will continue to apply for export licenses, when required, in an effort to avoid disruption to our and our customers’ operations, but there can be no assurance that export licenses applied for by either us or our customers, now or in the future, will be granted. To the extent BIS does issue licenses to us or to our customers, such licenses may have a short duration or require us to satisfy various conditions. If pending and future export license applications are not granted, or additional restrictions are imposed, or if regulators adopt new interpretations of existing regulations, the potential impact on us could be material by disrupting our supply chain and product shipment, impairing our ability to complete product development in a timely manner, or our ability to support existing customers of covered products or supply customers of covered products outside the impacted regions, and requiring us to transition certain operations out of one or more of the identified countries. Failure to obtain export licenses could also harm our RPO, requiring us to return substantial deposits received from customers in China for purchase orders, and/or further limiting our ability to meet our contractual obligations and sell our products or provide services to our customers in China. We may lose revenue in future periods related to anticipated sales to customers in China unless we are able to replace their orders with other customer orders for which either a license has been obtained or is not required. Our revenue from sales of products and provision of services to customers in China was 43%, 27% and 29% for fiscal years 2024, 2023 and 2022, respectively. Additionally, the Chinese government has adopted, and may further adopt, new regulations, in response to U.S. government actions, which could adversely affect our ability to do business in China. We have controls and procedures designed to maintain compliance with U.S. and other applicable export control laws and regulations; however, we cannot guarantee that such controls and procedures will be successful in preventing violations or allegations of violations, of increasingly complex and often conflicting regulations worldwide. The complexity and evolving nature of the rules and regulations, and the fact that Commerce or other relevant regulators might adopt interpretations of regulations that differ from those of the Company, increase our risk of non-compliance. Any violations by us of applicable export laws and regulations could result in significant civil and criminal penalties, including fines and criminal proceedings against the Company or responsible employees, a denial of export privileges, suspension or debarment. Our employees, customers, suppliers or other third parties with whom we work may also engage in conduct for which the Company might be held responsible. We could face significant compliance, litigation or settlement costs and diversion of management’s attention from our business as a result. Further, the Company may be subject to negative publicity or reputational harm, resulting in reduced demand for our products, employee attrition and other negative impact on our business, results of operations, financial condition and cash flows.

We maintain significant operations outside the United States, and existing and evolving trade restrictions imposed by the U.S. and other governments could significantly disrupt our global operations. The U.S. government has tightened export controls for commodities, software, and technology (collectively, “items”) destined to China over the past several years. These controls have included, for example, restrictions on exporting certain items to military end users and for military end uses, the addition of numerous entities to the U.S. Entity List (a list of parties that are generally ineligible to receive U.S.-regulated items without prior licensing from BIS), and the creation of new licensing requirements that apply to the export, re-export, and transfer of certain foreign-made items that are the direct product of U.S. origin technology or produced by a plant or major component of a plant that itself is the direct product of U.S. origin technology and which are destined to Huawei or its affiliates and other specified companies on the U.S. Entity List. In October 2022, BIS published the BIS Rules that introduce restrictions related to semiconductor, semiconductor manufacturing, supercomputer, and advanced computing items and end uses. These rules impose restrictions on our ability to sell, ship, and support certain equipment and otherwise conduct business with certain counterparties, primarily including China-based companies involved in advanced semiconductor manufacturing. Further, the BIS Rules impose new restrictions on the activities of U.S. persons with respect to certain items that are not subject to the Export Administration Regulations (“EAR”), which departs from BIS’ typical practice of controlling items that are subject to the EAR, and could further restrict our ability to conduct business in China. The BIS Rules are complex, and BIS could revise or expand them in response to public comments. Likewise, BIS may issue guidance clarifying the scope of the rules. Such revisions, expansions or guidance could change the impact of the rules for our business. These rules and regulations may significantly harm our business unless we are able to obtain required licenses. We are applying for export licenses, when required, in an effort to avoid disruption to our and our customers’ operations, but there can be no assurance that export licenses applied for by either us or our customers will be granted. To the extent BIS does issue licenses to us or to our customers, such licenses may have a short duration or require us to satisfy various conditions. If pending and future export license applications are not granted, or additional restrictions are imposed, or if regulators adopt new interpretations of existing regulations, the potential impact on us could be material by harming our RPO, requiring us to return substantial deposits received from customers in China for purchase orders, and/or further limiting our ability to meet our contractual obligations and sell our products or provide services to our customers in China. We may lose revenue in future periods related to anticipated sales to customers in China unless we are able to replace their orders with other customer orders for which either a license has been obtained or is not required. Our revenue from sales of products and provision of services to customers in China was 27%, 29% and 26% for fiscal years 2023, 2022 and 2021, respectively. Additionally, the Chinese government has adopted, and may further adopt, new regulations, in response to U.S. government actions, which could adversely affect our ability to do business in China. We have controls and procedures 16 16 16 Table of Contents Table of Contents designed to maintain compliance with U.S. and other applicable export control laws and regulations; however, we cannot guarantee that such controls and procedures will be successful in preventing violations or allegations of violations, of increasingly complex and often conflicting regulations worldwide. The complexity and evolving nature of the rules and regulations, and the fact that Commerce or other relevant regulators might adopt interpretations of regulations that differ from those of the Company, increases our risk of non-compliance. Any violations by us of applicable export laws and regulations could result in significant civil and criminal penalties, including fines and criminal proceedings against the Company or responsible employees, a denial of export privileges, suspension or debarment. Our employees, customers, suppliers or other third parties with whom we work may also engage in conduct for which the Company might be held responsible. We could face significant compliance, litigation or settlement costs and diversion of management’s attention from our business as a result. Further, the Company may be subject to negative publicity or reputational harm, resulting in reduced demand for our products, employee attrition and other negative impact on our business, results of operations, financial condition and cash flows.

The threat of terrorism targeted at, or acts of war in, the regions of the world in which we do business increases the uncertainty in our markets. Any act of terrorism or war that affects the economy or the industries we serve could adversely affect our business. Increased international political instability or geopolitical tensions in various parts of the world, disruption in air transportation and further enhanced security measures as a result of terrorist attacks may hinder our ability to do business and may increase our costs of operations. We maintain significant operations in Israel. Since the establishment of the State of Israel in 1948, a number of armed conflicts have taken place between Israel and its Arab neighbors, and a state of hostility varying in degree and intensity has led to security and economic challenges for Israel. In October 2023, war between Israel and Hamas began, which has resulted in significant military activity in the region. In addition, some of our employees in Israel are obligated to perform annual reserve duty in the Israel Defense Forces, and may be called to active military duty in emergency circumstances, including the war against Hamas. Following the war between Israel and Hamas, the Houthis launched a number of attacks on marine vessels traversing the Red Sea, which marine vessels were thought to either be in route towards Israel or to be partly owned by Israeli businessmen. The Red Sea is a vital maritime route for international trade and major shipping companies announced suspensions of operations following these attacks. Disruptions in shipping routes in the Red Sea could result in delays in shipping our products to customers, which could delay the timing of revenue recognition. We cannot assess the impact that emergency conditions in Israel may have on our business, operations, financial condition or results of operations, but it could be material. Instability in any region could directly impact our ability to operate our business (or our customers’ ability to operate their businesses), cause us to incur increased costs in transportation, make such transportation unreliable, increase our insurance costs, and cause international currency markets to fluctuate. Instability in any region could also have the same effects on our suppliers and their ability to timely deliver their products. Our insurance does not cover losses we suffer attributable to war. If international political instability and geopolitical tensions continue or increase in any region in which we do business, our business and results of operations could be harmed.

The threat of terrorism targeted at, or acts of war in, the regions of the world in which we do business increases the uncertainty in our markets. Any act of terrorism or war that affects the economy or the industries we serve could adversely affect our business. Increased international political instability or geopolitical tensions in various parts of the world, disruption in air transportation and further enhanced security measures as a result of terrorist attacks may hinder our ability to do business and may increase our costs of operations. We maintain significant operations in Israel. Since the establishment of the State of Israel in 1948, a number of armed conflicts have taken place between Israel and its Arab neighbors, and a state of hostility varying in degree and intensity has led to security and economic challenges for Israel. In addition, some of our employees in Israel are obligated to perform annual reserve duty in the Israel Defense Forces, and may be called to active military duty in emergency circumstances. We cannot assess the impact that emergency conditions in Israel in the future may have on our business, operations, financial condition or results of operations, but it could be material. Instability in any region could directly impact our ability to operate our business (or our customers’ ability to operate their businesses), cause us to incur increased costs in transportation, make such transportation unreliable, increase our insurance costs, and cause international currency markets to fluctuate. Instability in the region could also have the same effects on our suppliers and their ability to timely deliver their products. If international political instability and geopolitical tensions continue or increase in any region in which we do business, our business and results of operations could be harmed.

•We may not be able to keep pace with trends and technological changes in the industries in which we operate; •We have a highly concentrated customer base; •Prevailing local and global economic conditions may negatively affect the purchasing decisions of our customers; and •We are exposed to risks related to the use of AI by us and our competitors.

•We may not be able to keep pace with trends and technological changes in the industries in which we operate; •We have a highly concentrated customer base; and •Prevailing local and global economic conditions may negatively affect the purchasing decisions of our customers.

We earn profits in, and are therefore potentially subject to taxes in, the U.S. and numerous foreign jurisdictions, including Singapore and Israel, the countries in which we earn the majority of our non-U.S. profits. Due to economic, political or other conditions, tax rates in those jurisdictions may be subject to significant change. A number of factors may adversely impact our future effective tax rates, such as the jurisdictions in which our profits are determined to be earned and taxed; changes in the tax rates imposed by those jurisdictions; expiration of tax holidays in certain jurisdictions that are not renewed; the resolution of issues arising from tax audits with various tax authorities; changes in the valuation of our deferred tax assets and liabilities; adjustments to estimated taxes upon finalization of various tax returns; increases in expenses not deductible for tax purposes, including write-offs of acquired in-process research and development and impairment of goodwill in connection with acquisitions; changes in available tax credits; changes in stock-based compensation expense; changes in tax laws or the interpretation of such tax laws; changes in generally accepted accounting principles; and the repatriation of earnings from outside the U.S. for which we have not previously provided for U.S. taxes. A change in our effective tax rate can materially and adversely impact our results from operations. In addition, recent changes to U.S. tax laws will significantly impact how U.S. multinational corporations are taxed on foreign earnings. We have completed our accounting for the tax effects of the Tax Cuts and Jobs Act (the “Tax Act”), which 24 24 24 Table of Contents Table of Contents was enacted into law on December 22, 2017. The recent U.S. tax law changes are subject to future guidance from U.S. federal and state governments, such as the Treasury Department and/or the Internal Revenue Service. Any future guidance can change our tax liability. A significant portion of the income taxes due to the enactment of the Tax Act is payable by us over a period of eight years. As a result, our cash flows from operating activities will be adversely impacted until the tax liability is paid in full. The Tax Act also provides that a percentage of foreign earnings under the Global Intangible Low-Taxed Income (“GILTI”) regime is taxable in the U.S. and a percentage of U.S. earnings under the Foreign Derived Intangible Income (“FDII”) regime is not subject to tax in the U.S. For tax years beginning on January 1, 2026, the percentage of GILTI that is taxable in the U.S. increases from 50% to 62.5% and the percentage of FDII not subject to tax in the U.S. decreases from 37.5% to 21.875%. The change in GILTI and FDII percentages can have a material and adverse impact to our effective tax rate beginning in the quarter ending September 30, 2026. On August 16, 2022, the enactment of the Inflation Reduction Act (“IRA”) introduced a corporate alternative minimum tax (“CAMT”) that is effective for us beginning in the quarter ended September 30, 2023. The CAMT applies a 15% minimum income tax rate on certain large corporations. We are not expecting to have any effective tax rate impact from the CAMT but changes to U.S. tax laws or the interpretation of such tax laws may result in CAMT liability which can have a material and adverse impact to our future effective tax rates. Numerous countries are evaluating their existing tax laws due in part, to recommendations made by the Organization for Economic Co-operation and Development’s (“OECD”) Base Erosion and Profit Shifting (“BEPS”) project. The OECD continues to advance its work under the BEPS 2.0 initiative to develop the framework for Pillar Two - which aims to implement a global minimum tax of 15%. Many countries have enacted or drafted legislation using the Pillar Two framework to propose domestic tax laws requiring a minimum tax rate of 15% (“top-up tax”) on income earned in the respective countries. One country that has drafted Pillar Two legislation is Singapore, where KLA earns significant profits and currently benefits from tax incentives granted by the Singapore Economic Development Board. If enacted, the tax liability from top-up tax may have a material and adverse impact to our effective tax rate in the fiscal year when such law is effective.

We earn profits in, and are therefore potentially subject to taxes in, the U.S. and numerous foreign jurisdictions, including Singapore and Israel, the countries in which we earn the majority of our non-U.S. profits. Due to economic, political or other conditions, tax rates in those jurisdictions may be subject to significant change. A number of factors may adversely impact our future effective tax rates, such as the jurisdictions in which our profits are determined to be earned and taxed; changes in the tax rates imposed by those jurisdictions; expiration of tax holidays in certain jurisdictions that are not renewed; the resolution of issues arising from tax audits with various tax authorities; changes in the valuation of our deferred tax assets and liabilities; adjustments to estimated taxes upon finalization of various tax returns; increases in expenses not deductible for tax purposes, including write-offs of acquired in-process research and development and impairment of goodwill in connection with acquisitions; changes in available tax credits; changes in stock-based compensation expense; changes in tax laws or the interpretation of such tax laws; changes in generally accepted accounting principles; and the repatriation of earnings from outside the U.S. for which we have not previously provided for U.S. taxes. A change in our effective tax rate can materially and adversely impact our results from operations. In addition, recent changes to U.S. tax laws will significantly impact how U.S. multinational corporations are taxed on foreign earnings. We have completed our accounting for the tax effects of the Tax Cuts and Jobs Act (the “Tax Act”), which was enacted into law on December 22, 2017. However, the recent U.S. tax law changes are subject to future guidance from U.S. federal and state governments, such as the Treasury Department and/or the Internal Revenue Service. Any future guidance can change our tax liability. A significant portion of the income taxes due to the enactment of the Tax Act is payable by us over a period of eight years. As a result, our cash flows from operating activities will be adversely impacted until the tax liability is paid in full. Numerous countries are evaluating their existing tax laws due in part, to recommendations made by the Organization for Economic Co-operation and Development’s Base Erosion and Profit Shifting project.

Certain investors, capital providers, shareholder advocacy groups, other market participants, customers and other stakeholder groups have focused increasingly on companies’ ESG initiatives, including those regarding climate change, human rights and inclusion and diversity, among others. This has increased, and may in the future continue to increase, certain of our 18 18 18 Table of Contents Table of Contents compliance and disclosure costs, and may also result in further impacts on our business, financial condition or results of operations, including changes in demand for certain types of products. From time to time, we create and publish voluntary disclosures regarding ESG matters. Identification, assessment and disclosure of such matters is complex. Many of the statements in such voluntary disclosures are based on our expectations and assumptions, which may require substantial discretion and forecasts about costs and future circumstances. Additionally, expectations regarding companies’ management of ESG matters continues to evolve rapidly, in many instances due to factors that are out of our control. Although we have engaged, and expect to continue to engage, in certain voluntary ESG initiatives, to improve the ESG profile of our operations and product offerings, we cannot guarantee that such efforts will have the intended results, including whether we are able to measure and disclose related data of sufficient quality or timeliness or in accordance with particular methodological practices. For example, we have adopted certain GHG emissions reduction targets for Scope 1, 2 and 3 emissions. Although several of these goals have been validated by SBTi, our estimates concerning the timing and cost of implementing our goals are subject to risks and uncertainties, some of which are outside of our control. In addition, standards for calculating and disclosing emissions and other sustainability metrics continue to evolve, which can result in inconsistencies or other changes to data over time, revisions to our strategies and targets, or our ability to achieve them, subjecting us to additional scrutiny. For example, we have recently elected to align our emissions reporting with the SBTi methodology, which will result in certain changes to our emissions metrics from historical calculations; however, to the extent the SBTi methodology is ultimately deemed to be not in keeping with regulatory standards or best practices, we may be subject to additional scrutiny or costs. Standards for ESG metrics and reporting continue to evolve due to a variety of factors, and our disclosures may evolve as well; however, we cannot guarantee that our approach will align with any particular methodology or stakeholder expectations. Any failure, or perceived failure, to disclose in keeping with best practices, regulations, or other stakeholder expectations or to successfully achieve our voluntary goals, or the manner in which we achieve some or any portion of our goals, could adversely impact our reputation or, to the extent related to our sustainability-linked capital sources, financial condition and results of operations. Our ESG efforts have included, and may in the future include further adoption, or expansion, of certain ESG practices or policies, which may require us to expend additional resources to implement or to forego certain business opportunities to the extent others in our value chain do not meet pertinent requirements of such policies. By contrast, any failure, or perceived failure, to conform to such policies could have an adverse impact on our reputation and business activities. Our performance may be subject to greater scrutiny as a result of our announcement of any goals or policies and the publication of our performance against the same. Moreover, despite the voluntary nature of such efforts, we may receive increasing scrutiny and pressure from external sources, such as lenders, investors, proxy advisory firms, rating agencies or other investor advocacy groups, to adopt more transparent or aggressive climate or other ESG-related initiatives; however, we may not agree that such initiatives will be appropriate for our business, and we may not be able to implement such initiatives because of potential costs or technical or operational obstacles. Any unfavorable ESG ratings could lead to or increase any negative investor sentiment toward us, our customers or our industry, which could negatively impact our share price as well as our access to and cost of capital. To the extent ESG matters negatively impact our reputation, they may also impede our ability to compete as effectively to recruit or retain employees or customers, which may adversely affect our operations. Simultaneously, there are efforts by some stakeholders, including certain policymakers, to reduce companies’ efforts on certain environmental, social and sustainability-related matters, which could subject us to increased activism or litigation. In addition, we note that regulators, including the SEC, have adopted, or are considering adopting, regulations regarding ESG matters, including, but not limited to, climate change-related matters. To the extent we are subject to increased regulatory requirements, we could become subject to increased compliance-related costs and risks, including potential enforcement and litigation. Such ESG matters also impact at least certain of our suppliers and customers, which may compound or cause new impacts on our business, financial condition or results of operations.

Certain investors, capital providers, shareholder advocacy groups, other market participants, customers and other stakeholder groups have focused increasingly on companies’ ESG initiatives, including those regarding climate change, human rights and inclusion and diversity, among others. This may result in increased costs, changes in demand for certain types of products, enhanced compliance or disclosure obligations and costs, or other adverse impacts on our business, financial condition or results of operations. From time to time, we create and publish voluntary disclosures regarding ESG matters. Identification, assessment, and disclosure of such matters is complex. Many of the statements in such voluntary disclosures are based on our expectations and assumptions, which may require substantial discretion and forecasts about costs and future circumstances. Additionally, expectations regarding companies’ management of ESG matters continues to evolve rapidly, in many instances due to factors that are out of our control. In addition, organizations that provide information to investors on corporate governance and related matters have developed rating processes on evaluating companies on their approach to ESG matters. Such ratings are used by some investors to inform their investment and voting decisions. Unfavorable ESG ratings could lead to increased negative investor sentiment toward us, our customers, or our industry, which could negatively impact our share price as well as our access to and cost of capital. To the extent ESG matters negatively impact our reputation, it may also impede our ability to compete as effectively to recruit or retain employees, which may adversely affect our operations. Although we may participate in various voluntary frameworks and certification programs, or establish voluntary ESG initiatives, to improve the ESG profile of our operations and product offerings, we cannot guarantee that such efforts will have the intended results. For example, in August 2022, we announced new targets to reduce our Scope 1 and 2 emissions by 50% from our 2021 baseline to 2030 and achieve net zero Scope 1 and 2 emissions by 2050. Our estimates concerning the timing and cost of implementing this and other goals are subject to risks and uncertainties, some of which are outside of our control. Any failure, or perceived failure, to successfully achieve our voluntary goals, or the manner in which we achieve some or any portion of our goals, could adversely impact our reputation or, to the extent related to sustainability-linked capital sources, financial condition and results of operations. Our ESG efforts may also include the adoption, or expansion, of certain ESG practices or policies, which may require us to expend additional resources to implement or to forego certain business opportunities to the extent others in our value chain do not meet pertinent requirements of such policies. By contrast, any 18 18 18 Table of Contents Table of Contents failure, or perceived failure, to conform to such policies could have an adverse impact on our reputation and business activities. Our performance may be subject to greater scrutiny as a result of our announcement of any goals or policies and the publication of our performance against the same. Moreover, despite the voluntary nature of such efforts, we may receive pressure from external sources, such as lenders, investors or other groups, to adopt more aggressive climate or other ESG-related initiatives; however, we may not agree that such initiatives will be appropriate for our business, and we may not be able to implement such initiatives because of potential costs or technical or operational obstacles. In addition, we note that certain ESG matters are becoming less “voluntary” as regulators, including the SEC, begin proposing and adopting regulations regarding ESG matters, including, but not limited to, climate change-related matters. To the extent we are subject to increased regulatory requirements, we could become subject to increased compliance-related costs and risks, including potential enforcement and litigation. Such ESG matters may also impact our suppliers and customers, which may compound or cause new impacts on our business, financial condition or results of operations.

In the conduct of our business, we and certain of our third-party providers collect, use, transmit and store data on information systems and networks, including systems, software, hardware and networks owned and maintained by KLA and/or by third-party providers (collectively, “IT Systems”). This data includes confidential information, transactional information and IP belonging to us, our customers and our business partners, as well as personal information of individuals (collectively, “Confidential Information”). We also integrate and use third-party services and products, including software, in our IT Systems, and such third-party products, services and systems are beyond our control. We face numerous and evolving cybersecurity risks that threaten the confidentiality, integrity and availability of our IT Systems and Confidential Information, including from diverse threat actors, such as state-sponsored organizations, opportunistic hackers and hacktivists, as well as diverse attack vectors, such as computer viruses, bugs, ransomware and other malware, technological errors and known and unknown vulnerabilities in our software and systems and those of third parties, cyber-related security breaches and similar disruptions from unauthorized intrusions, tampering, misuse or criminal acts made directly against our systems or networks, or through our third-party providers or the supply chain, including social engineering, phishing, or other events or developments that we may be unable to anticipate or fail to mitigate, including, but not limited to, financial fraud, including check fraud, vulnerabilities or misconfigurations in our IT Systems. In addition, insider actors, malicious or otherwise, could misappropriate our Confidential Information, compromise our IT Systems, tamper with our products or otherwise cause disruptions to our business operations. Moreover, we have acquired and continue to acquire companies with cybersecurity vulnerabilities and/or unsophisticated security measures, which may expose us to significant cybersecurity, operational and financial risks. Remote and hybrid working arrangements at our company (and at many third-party providers) also increase cybersecurity risks due to the challenges associated with managing remote computing assets and security vulnerabilities that are present in many non-corporate and home networks. We and our third-party providers regularly experience cyber-attacks and events and on occasion incidents involving unauthorized access to systems and data and, although no such attacks, events or incidents have materially impacted our operations or financial results, there can be no assurance that such attacks, events or incidents will not be material to KLA in the future. Because the techniques used to obtain unauthorized access to our IT Systems change frequently and increasingly leverage technologies such as AI, cyber-attacks may not be recognized until launched against a target and are increasingly designed to circumvent controls, avoid detection and remove or obfuscate forensic artifacts. As such, we may be unable to anticipate these techniques, implement adequate preventative measures, or adequately identify, investigate and recover from cybersecurity incidents. There can also be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be fully implemented, complied with or effective in protecting our IT Systems and Confidential Information. We prioritize the remediation of identified security vulnerabilities based on known and anticipated risks, and we aim to patch vulnerabilities within reasonable timeframes. However, we are unable to comprehensively identify all vulnerabilities (particularly as related to third-party software and systems), apply patches or 20 20 20 Table of Contents Table of Contents confirm that mitigating measures are in place, or ensure that any patches will be applied by us or our third parties before exploitation by a threat actor. If attackers are able to exploit vulnerabilities before patches are installed or mitigating measures are implemented, significant compromises could impact our systems and data. AI may be used to generate cyberattacks as AI capabilities improve and are increasingly adopted. These attacks crafted with AI tools could directly attack our IT Systems with greater speed and/or efficiency than a human threat actor or create more effective phishing emails. In addition, the threat could be introduced from the result of us, our customers and business partners incorporating the output of an AI tool that includes a threat, such as introducing malicious code by incorporating AI generated source code. Any cybersecurity incident or occurrence could impact our business directly, or indirectly by impacting third parties in the supply chain, in many potential ways: disruptions to operations; misappropriation, corruption or theft of Confidential Information; misappropriation of funds and Company assets; reduced value of our investments in research, development and engineering; litigation (including class action lawsuits) with, or payment of damages to, third parties; reputational damage; costs to comply with regulatory inquiries or actions; data privacy issues; costs to rebuild our information systems and networks; and increased cybersecurity protection and remediation costs. Cybersecurity incidents affecting our customers could result in substantial delays in our ability to ship to those customers or install our products, which could result in delays in revenue recognition or the cancellation of orders, and cybersecurity incidents affecting our suppliers could result in substantial delays in our ability to obtain necessary components for our products from those suppliers, which could hamper our ability to ship our products to our customers and service them, harming our results of operations. For example, in February 2023, one of our suppliers experienced a ransomware event that caused delays in its manufacturing operations, resulting in its shipment delays to us for components we ordered, which in turn caused delays in some of our outbound shipments during the quarter. Similar events could cause disruptions in the future. We carry insurance that provides limited protection against the potential losses arising from a cybersecurity incident, but it will not likely cover all such losses, and the losses it does not cover may be significant.

In the conduct of our business, we collect, use, transmit and store data on information systems and networks, including systems and networks owned and maintained by KLA and/or by third-party providers. This data includes confidential information, transactional information and IP belonging to us, our customers and our business partners, as well as personally identifiable information of individuals. We also integrate and use third-party services and products, including software, in our systems, networks and operations. Despite network security and other measures, our, our customers’, suppliers’ and other third-party providers’ information systems and networks are susceptible to computer viruses, ransomware, cyber-related security breaches and similar disruptions from unauthorized intrusions, tampering, misuse or criminal acts made directly against our systems or networks, or through our third-party providers or the supply chain, including phishing, or other events or developments that we may be unable to anticipate or fail to mitigate, including, but not limited to, financial fraud, including check fraud, vulnerabilities or misconfigurations in information systems, networks, software or hardware. In addition, insider actors, malicious or otherwise, could misappropriate our, our customers’ or business partners’ data, tamper with our products or 19 19 19 Table of Contents Table of Contents otherwise cause disruptions to our business operations. We have experienced cyber-related attacks in the past, and expect to experience cyber-related attacks and incidents in the future. Our security measures may also be breached due to employee errors, malfeasance, or otherwise. Third parties may also attempt to influence employees, users, suppliers or customers to disclose sensitive information in order to gain access to our, our customers’ or business partners’ data. Because the techniques used to obtain unauthorized access to the information systems change frequently and increasingly leverage on technologies such as artificial intelligence (“AI”), may not be recognized until launched against a target and are increasingly designed to circumvent controls, avoid detection and remove or obfuscate forensic artifacts, we may be unable to anticipate these techniques, implement adequate preventative measures, or adequately identify, investigate and recover from cybersecurity incidents. AI may be used to generate cyberattacks as AI capabilities improve and are increasingly adopted. These attacks crafted with AI tools could directly attack information systems with greater speed and/or efficiency than a human threat actor or create more effective phishing emails. In addition, the threat could be introduced from the result of our customers and business partners incorporating the output of an AI tool that includes a threat, such as introducing malicious code by incorporating AI generated source code. Any cybersecurity incident or occurrence could impact our business directly, or indirectly by impacting third parties in the supply chain, in many potential ways: disruptions to operations; misappropriation, corruption or theft of confidential information, including IP and other critical data, of KLA, our customers or other business partners; misappropriation of funds and Company assets; reduced value of our investments in research, development and engineering; litigation with, or payment of damages to, third parties; reputational damage; costs to comply with regulatory inquiries or actions; data privacy issues; costs to rebuild our information systems and networks; and increased cybersecurity protection and remediation costs. Cybersecurity incidents affecting our customers could result in substantial delays in our ability to ship to those customers or install our products, which could result in delays in revenue recognition or the cancellation of orders, and cybersecurity incidents affecting our suppliers could result in substantial delays in our ability to obtain necessary components for our products from those suppliers, which could hamper our ability to ship our products to our customers, harming our results of operations. For example, in February 2023, one of our suppliers experienced a ransomware event that caused delays in its manufacturing operations, resulting in its shipment delays to us for components we ordered, which in turn caused delays in some of our outbound shipments during the quarter. Such events could cause disruptions in the future. We carry insurance that provides limited protection against the potential losses arising from a cybersecurity incident, but it will not likely cover all such losses, and the losses it does not cover may be significant.