Cloudflare Inc.: 10-K Risk Factor Changes

We generally recognize revenue from customers ratably over the term of their subscription, which in the case of our contracted customers typically range from one to three years and in the case of our pay-as-you-go customers is typically monthly. In addition, our subscription agreements with certain of our largest customers are structured on a "pool of funds" model in which the customer commits to spend at least a specified amount on our products during the subscription period. These “pool of funds” arrangements do not require the customer to subscribe for specific products or spend any specific amounts during any month, quarter or, if applicable, year of the subscription period, but the funds must be utilized during the subscription period under the terms of these subscription agreements. Consequently, any increase or decline in new sales or renewals to these customers in any one period may not be immediately reflected in our revenue for that period. Any such change, however, may affect our revenue in future periods. Accordingly, the effect of downturns or upturns in new sales and potential changes in our rate of renewals may not be fully reflected in our results of operations until future periods. We may also be unable to reduce our cost structure in line with a significant deterioration in sales or renewals. Our subscription model also makes it difficult for us to rapidly increase our revenue through additional sales in any period, as it is difficult to predict when revenue from new customers will be recognized over the applicable subscription term. By contrast, a significant majority of our costs are expensed as incurred, which occurs as soon as a customer starts using our network and products. As a result, an increase in customers could result in our recognition of more costs than revenue in the earlier portion of the subscription term. We may not attain sufficient revenue to maintain positive cash flow from operations or achieve profitability in any given period.

We generally recognize revenue from customers ratably over the term of their subscription, which in the case of our contracted customers typically range from one to three years and in the case of our pay-as-you-go customers is typically monthly. Consequently, any increase or decline in new sales or renewals to these customers in any one period may not be immediately reflected in our revenue for that period. Any such change, however, may affect our revenue in future periods. Accordingly, the effect of downturns or upturns in new sales and potential changes in our rate of renewals may not be fully reflected in our results of operations until future periods. We may also be unable to 33 33 33 Table of contents Table of contents reduce our cost structure in line with a significant deterioration in sales or renewals. Our subscription model also makes it difficult for us to rapidly increase our revenue through additional sales in any period, as revenue from new customers must be recognized over the applicable subscription term. By contrast, a significant majority of our costs are expensed as incurred, which occurs as soon as a customer starts using our network and products. As a result, an increase in customers could result in our recognition of more costs than revenue in the earlier portion of the subscription term. We may not attain sufficient revenue to maintain positive cash flow from operations or achieve profitability in any given period.

We rely on a limited number of suppliers for several components of the equipment we use to operate our network and provide products to our customers. Our reliance on these suppliers exposes us to risks, including reduced control over production costs, increased prices due to tariffs, and constraints based on the then-current availability, terms, and pricing of these components. For example, we generally rely on a limited number of suppliers for the servers that we use in our network and we ordinarily purchase these components on a purchase-order basis, without any long-term contracts guaranteeing supply. We may also be subject to price increases from these suppliers should they be negatively impacted by tariffs or other regulations. While the network equipment and servers we purchase generally are commodity equipment and we believe an alternative supply source or location for servers on substantially similar terms could be identified quickly, our business could be adversely affected until those efforts are completed. In addition, the technology equipment industry has experienced component shortages and delivery delays in the past, and we may experience shortages or delays, including as a result of natural disasters, increased demand in the industry, military conflicts and geopolitical tensions, labor strikes, or other related conditions, or our suppliers lacking sufficient rights to supply the components in all jurisdictions in which we have co-location facilities that support our global network. For example, during 2021 and continuing through the first quarter of 2022, a global shortage of CPUs, RAM, SSDs, and other electronics resulted in supply constraints for a number of electronics firms, including manufacturers of servers. This global shortage disrupted and increased the cost, and other shortages or similar supply constraints in the future may disrupt or increase the cost, of some of our expected purchases of network equipment and servers. If our supply of certain components is disrupted or delayed or becomes more expensive, there can be no assurance that additional supplies or components can serve as adequate replacements for the existing components or that supplies will be available on terms that are favorable to us, if at all. Any disruption or delay or additional costs in the supply of our hardware components may delay the opening of new co-location facilities, limit capacity expansion or replacement of defective or obsolete equipment at existing co-location facilities, cause other constraints on our operations that could damage our customer relationships, or otherwise adversely impact our business, financial condition, or results of operations.

We rely on a limited number of suppliers for several components of the equipment we use to operate our network and provide products to our customers. Our reliance on these suppliers exposes us to risks, including reduced control over production costs and constraints based on the then current availability, terms, and pricing of these components. For example, we generally rely on a limited number of suppliers for the servers that we use in our network and we ordinarily purchase these components on a purchase-order basis, without any long-term contracts guaranteeing supply. While the network equipment and servers we purchase generally are commodity equipment and we believe an alternative supply source for servers on substantially similar terms could be identified quickly, our business could be adversely affected until those efforts are completed. In addition, the technology equipment industry has experienced component shortages and delivery delays in the past, and we may experience shortages or delays, including as a result of natural disasters, increased demand in the industry, or our suppliers lacking sufficient rights to supply the components in all jurisdictions in which we have co-location facilities that support our global network. For example, during 2021 and continuing through the first quarter of 2022, a global shortage of CPUs, RAM, SSDs, and other electronics resulted in supply constraints for a number of electronics firms, including manufacturers of servers. This global shortage disrupted, and other shortages or similar supply constraints in the future may disrupt, some of our expected purchases of network equipment and servers. If our supply of certain components is disrupted or delayed, there can be no assurance that additional supplies or components can serve as adequate replacements for the existing components or that supplies will be available on terms that are favorable to us, if at all. Any disruption or delay in the supply of our hardware components may delay the opening of new co-location facilities, limit capacity expansion or replacement of defective or obsolete equipment at existing co-location facilities, or cause other constraints on our operations that could damage our customer relationships.

We receive, store, use, and otherwise process personal information and other information relating to individuals. There are numerous federal, state, local, and international laws and regulations regarding privacy, data protection, information security, and the storing, sharing, use, processing, transfer, disclosure, and protection of personal information and other content, the scope of which are changing, subject to differing interpretations, and may be inconsistent among jurisdictions, or conflict with other rules. Not only is the number of data protection laws rising globally and within the United States, but existing laws and regulations are evolving. Together, this legislative framework may result in ever-increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. For example, the EU’s General Data Protection Regulation (GDPR) imposes stringent data protection requirements and provides for penalties for noncompliance of up to the greater of €20 million or four percent of worldwide annual revenues. In addition, the GDPR and the data protection laws of numerous other jurisdictions such as Japan, China, South Korea, and the United Kingdom prohibit cross-border data transfers unless certain contractual and other conditions are met. This requires us to incur substantial costs and engage in additional contract negotiations with some of our customers and vendors to ensure the conditions established by these data protection regulations are met. Some countries are also considering or have enacted legislation and/or certification schemes requiring local storage and processing of data, or other sovereignty-oriented requirements, that could increase the cost and complexity of delivering our services. In addition, the interpretation of existing privacy, data protection, and information security laws and regulations by governmental entities and the courts may change significantly over time in a manner that can have a significantly adverse impact on both our business and our customers’ businesses. 50 50 50 Table of contents Table of contents This is especially true regarding the cross-border transfer of data. For example, in July 2023, the European Commission adopted an adequacy decision for the new EU-U.S. Data Privacy Framework, which generally allows the free flow of EU personal data to the United States for participating entities. While this framework currently serves as a means for cloud service providers like our company to freely transfer EU personal data to the United States, it may be subject to future legal challenges, suspension, amendment, repeal, or limitations to its scope by the European Commission, and some customers and vendors may be unwilling to rely on this framework due to these and other uncertainties. In addition, in January 2023, the European Data Protection Board issued its 2022 Coordinated Enforcement Action on the use of cloud-based services by the public sector, in which it expressed concerns that EU public sector entities may not be able to use U.S.-based cloud service providers consistently with GDPR due to their concerns about the ability of U.S. government agencies to access EU personal data. More recently, the European Data Protection Supervisor’s finding in March 2024 that the European Commission’s use of Microsoft 365 violates the GDPR in part due to EU personal data being transferred to countries that have not been determined by the EU to provide adequate level of protection suggests that EU regulators are continuing to subject data transfers outside the EU to careful scrutiny. In addition, the United States has enacted the Protecting Americans' Data from Foreign Adversaries Act (PADFA), and the U.S. Department of Justice recently released a final rule implementing President Biden’s February 2024 Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern”, both of which restrict the transfer of certain types of data to named jurisdictions or covered entities. The shift to the new Trump administration, however, may result in uncertainty around the implementation of such regulations. We may incur substantial costs and an investment of resources to further understand the impact these new regulations will have on our and our customers’ business. We also expect that there will continue to be new, and amendments to existing, laws, regulations, and industry standards concerning privacy, data protection, and information security proposed and enacted in the United States and various individual U.S. states. In the United States, various federal laws and regulations already apply to the collection, processing, disclosure and security of certain types of data, including the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Health Insurance Portability and Accountability Act of 1996, and the Gramm-Leach-Bliley Act. In addition, there are also a number of recently enacted or proposed U.S. federal and state privacy and data protection bills in Congress and state legislatures across the country. Obligations relating to privacy, data protection, and information security also are increasing in complexity outside the U.S. For example, the EU has revised its Cybersecurity Directive (NIS2), which, among other things, obligates companies to adopt or update policies and procedures on issues such as incident handling and supply chain security, implementing certain administrative measures, and requires top management’s involvement in cybersecurity risk-management measures, with top management potentially held liable for non-compliance. NIS2 provides for significant penalties for noncompliance, requiring EU member states to provide for a maximum fine level of at least €10,000,000 or 2% of annual turnover, whichever is greater. In addition, the EU’s Digital Operational Resiliency Act became effective in January 2025. This law aims to establish a universal framework for managing and mitigating information and communication technology risk that will apply to entities in the financial sector and their third-party cloud service providers. Whether as a result of these developments or otherwise, we may continue to see more findings from regulators around the world against cloud service providers relating to cross-border personal data transfers, and may find it necessary or appropriate to modify our policies and practices to address any such findings or other legislative developments relating to cross-border personal data transfers. Implementing any new guidance from applicable regulatory authorities and otherwise responding to or addressing developments relating to cross-border personal data transfers may result in substantial costs, require changes to our policies and business practices, require us to engage in additional contractual negotiations, limit our ability to provide certain products in certain jurisdictions, limit our ability to provide certain products to certain customers, or materially adversely affect our business and operating results. More generally, as obligations regarding privacy, data protection, and information security increase in complexity, we may be required to incur substantial costs to adapt our policies and business practices as well as engage in additional contractual negotiations. Any failure or perceived failure by us to comply with our privacy policies, our privacy-related obligations to customers or other third parties, applicable laws or regulations, or any of our other legal obligations relating to privacy, data protection, or information security may result in governmental investigations or enforcement actions, litigation, claims, or public statements against us by consumer advocacy groups or others and could result in significant liability or cause our customers to lose trust in us, which could cause them to cease or reduce use of our 51 51 51 Table of contents Table of contents products and otherwise have an adverse effect on our reputation and business. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, and policies that are applicable to the businesses of our customers may limit the adoption and use of, and reduce the overall demand for, our products. Additionally, if third parties we work with, such as sub-processors, vendors, or developers, violate applicable laws or regulations, contractual obligations, or our policies—or if it is perceived that such violations have occurred—such actual or perceived violations may also have an adverse effect on our business. Further, any significant change to applicable laws, regulations, or industry practices regarding the collection, use, retention, security, disclosure, or other processing of users’ content, or regarding the manner in which the express or implied consent of users for the collection, use, retention, disclosure, or other processing of such content is obtained, could increase our costs and require us to modify our network, products, and features, possibly in a material manner, which we may be unable to complete, and may limit our ability to store and process customer data or develop new products and features.

We receive, store, use, and otherwise process personal information and other information relating to individuals. There are numerous federal, state, local, and international laws and regulations regarding privacy, data protection, information security, and the storing, sharing, use, processing, transfer, disclosure, and protection of personal information and other content, the scope of which are changing, subject to differing interpretations, and may be inconsistent among jurisdictions, or conflict with other rules. Not only is the number of data protection laws rising 49 49 49 Table of contents Table of contents globally and within the United States, but existing laws and regulations are evolving. Together, this legislative framework may result in ever-increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. For example, the EU’s General Data Protection Regulation (GDPR) imposes stringent data protection requirements and provides for penalties for noncompliance of up to the greater of €20 million or four percent of worldwide annual revenues. In addition, the GDPR and the data protection laws of a number of other jurisdictions such as Japan, China, and South Korea, prohibit cross-border data transfers unless certain contractual and other conditions are met. This requires us to incur substantial costs and engage in additional contract negotiations with some of our customers and vendors to ensure the conditions established by these data protection regulations are met. Some countries are also considering or have enacted legislation and/or certification schemes requiring local storage and processing of data, or other sovereignty-oriented requirements, that could increase the cost and complexity of delivering our services. For example, the European Union Agency for Cybersecurity’s draft version of the European Cybersecurity Certification Scheme for Cloud Services would require EU data sovereignty for companies seeking to obtain the highest certification level. In addition, the interpretation of existing privacy, data protection, and information security laws and regulations by governmental entities and the courts may change significantly over time in a manner that can have a significantly adverse impact on both our business and our customers’ businesses. For example, in July 2020, the Court of Justice of the European Union (CJEU) in the "Schrems II" case invalidated the U.S.-EU Privacy Shield that was widely used by us and other companies to allow for the lawful transfer of personal data of European Economic Area (EEA) residents to the United States for processing under the GDPR and placed additional requirements on the use of the EU Standard Contractual Clauses (EU SCCs) as a mechanism for transferring EEA personal data to the United States. We incurred substantial costs and needed to engage in additional contract negotiations with some of our customers and vendors in connection with updated EU SCCs and the United Kingdom addendum to the EU SCCs or other appropriate contractual provisions that we sought to put in place with our customers and vendors. In July 2023, the European Commission adopted an adequacy decision for the new EU-U.S. Data Privacy Framework, which is designed to address the concerns raised in the Schrems II case. However, the European Commission’s adequacy decision regarding this framework will be subject to future reviews and may be subject to suspension, amendment, repeal, or limitations to its scope by the European Commission. While this new framework may serve as a means for cloud service providers like our company to freely transfer EU personal data to the United States, many aspects of this new framework remain uncertain. It has already been subject to legal challenge, and some customers and vendors are unwilling to rely on the new framework due to this uncertainty. In addition, in January 2023, the European Data Protection Board issued its 2022 Coordinated Enforcement Action on the use of cloud-based services by the public sector, in which it expressed concerns that EU public sector entities may not be able to use U.S.-based cloud service providers consistently with GDPR due to their concerns about the ability of U.S. government agencies to access EU personal data. Whether as a result of this or otherwise, we may continue to see more findings from privacy regulators around the world against cloud service providers relating to cross-border personal data transfers, and may find it necessary or appropriate to modify our policies and practices to address any such findings or other legislative developments relating to cross-border personal data transfers. Implementing any new guidance from applicable regulatory authorities and otherwise responding to or addressing developments relating to cross-border personal data transfers may result in substantial costs, require changes to our policies and business practices, require us to engage in additional contractual negotiations, limit our ability to provide certain products in certain jurisdictions, limit our ability to provide certain products to certain customers, or materially adversely affect our business and operating results. Meanwhile, the United Kingdom's data protection legislation is substantially consistent with the GDPR, and the UK has adopted an extension to the EU-U.S. Data Privacy Framework, but it remains to be seen how data transfers to and from the United Kingdom will be regulated and enforced in the longer term. To the extent future United Kingdom data protection requirements diverge significantly from the GDPR, they may result in substantial costs, require changes to our business practices, limit our ability to provide certain products in certain jurisdictions, limit our ability to provide certain products to certain customers, or materially adversely affect our business and operating results. We also expect that there will continue to be new, and amendments to existing, laws, regulations, and industry standards concerning privacy, data protection, and information security proposed and enacted in the United States and various individual U.S. states. In the United States, various federal laws and regulations already apply to the 50 50 50 Table of contents Table of contents collection, processing, disclosure and security of certain types of data, including the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Health Insurance Portability and Accountability Act of 1996, and the Gramm-Leach-Bliley Act. In addition, there are also a number of recently enacted or proposed U.S. federal and state privacy and data protection bills in Congress and state legislatures across the country. We are also subject to the terms of our privacy policies and contractual obligations to third parties related to privacy, data protection, and information security. We strive to comply with applicable laws, regulations, policies, and other legal obligations relating to privacy, data protection, and information security to the extent possible. However, the regulatory framework for privacy and data protection worldwide is evolving rapidly, and it is possible that these or other actual or alleged obligations may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another and may conflict with other rules or our practices. As data protection compliance complexity grows, we may be required to incur substantial costs to adapt our policies and business practices as well as engage in additional contractual negotiations. Any failure or perceived failure by us to comply with our privacy policies, our privacy-related obligations to customers or other third parties, applicable laws or regulations, or any of our other legal obligations relating to privacy, data protection, or information security may result in governmental investigations or enforcement actions, litigation, claims, or public statements against us by consumer advocacy groups or others and could result in significant liability or cause our customers to lose trust in us, which could cause them to cease or reduce use of our products and otherwise have an adverse effect on our reputation and business. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, and policies that are applicable to the businesses of our customers may limit the adoption and use of, and reduce the overall demand for, our products. Additionally, if third parties we work with, such as sub-processors, vendors, or developers, violate applicable laws or regulations, contractual obligations, or our policies—or if it is perceived that such violations have occurred—such actual or perceived violations may also have an adverse effect on our business. Further, any significant change to applicable laws, regulations, or industry practices regarding the collection, use, retention, security, disclosure, or other processing of users’ content, or regarding the manner in which the express or implied consent of users for the collection, use, retention, disclosure, or other processing of such content is obtained, could increase our costs and require us to modify our network, products, and features, possibly in a material manner, which we may be unable to complete, and may limit our ability to store and process customer data or develop new products and features.

In August 2021, we issued $1,293.8 million in aggregate principal amount of the 2026 Notes and, as of December 31, 2024, the remaining aggregate principal amount was $1,293.8 million. In addition, in May 2024, we entered into a senior secured credit agreement with a $400 million Revolving Credit Facility. Our ability to make scheduled payments of the principal of, or to refinance our indebtedness, including the 2026 Notes and any borrowings under our Revolving Credit Facility, depends on our future performance, which is subject to economic, financial, competitive, and other factors beyond our control. Our business may not generate cash flow from operations in the future sufficient to service our debt and make necessary capital expenditures. If we are unable to generate such cash flow, we may be required to adopt one or more alternatives, such as selling assets, restructuring debt, or obtaining additional debt financing or equity capital on terms that may be onerous or highly dilutive. Our ability to refinance any future indebtedness will depend on the capital markets and our financial condition at such time. We may not be able to engage in any of these activities or engage in these activities on desirable terms, which could result in a default on our debt obligations. In addition, the credit agreement for our Revolving Credit Facility contains restrictive covenants that limit us, and any of our future debt agreements may contain restrictive covenants that may limit or prohibit us, in each case from adopting any of these alternatives. Our failure to comply with these covenants could result in an event of default which, if not cured or waived, could result in the acceleration of our debt. In addition, our indebtedness, combined with our other financial obligations and contractual commitments, could have other important consequences. For example, it could: •make us more vulnerable to adverse changes in general U.S. and worldwide economic, industry, and competitive conditions and adverse changes in government regulation; •limit our flexibility in planning for, or reacting to, changes in our business and our industry; •place us at a disadvantage compared to our competitors who have less debt; •limit our ability to borrow additional amounts to fund acquisitions, for working capital, and for other general corporate purposes; and •make an acquisition of our company less attractive or more difficult. Any of these factors could harm our business, results of operations, and financial condition. In addition, if we incur additional indebtedness, the risks related to our business and our ability to service or repay our indebtedness would increase.

In August 2021, we issued $1,293.8 million in aggregate principal amount of the 2026 Notes. As of December 31, 2023, the remaining aggregate principal amount was $1,293.8 million of the 2026 Notes. Our ability to make scheduled payments of the principal of, or to refinance our indebtedness, including the 2026 Notes, depends on our future performance, which is subject to economic, financial, competitive, and other factors beyond our control. Our business may not generate cash flow from operations in the future sufficient to service our debt and make necessary capital expenditures. If we are unable to generate such cash flow, we may be required to adopt one or more alternatives, such as selling assets, restructuring debt, or obtaining additional debt financing or equity capital on terms that may be onerous or highly dilutive. Our ability to refinance any future indebtedness will depend on the capital markets and our financial condition at such time. We may not be able to engage in any of these activities or engage in these activities on desirable terms, which could result in a default on our debt obligations. In addition, any of our future debt agreements may contain restrictive covenants that may prohibit us from adopting any of these alternatives. Our failure to comply with these covenants could result in an event of default which, if not cured or waived, could result in the acceleration of our debt. In addition, our indebtedness, combined with our other financial obligations and contractual commitments, could have other important consequences. For example, it could: •make us more vulnerable to adverse changes in general U.S. and worldwide economic, industry, and competitive conditions and adverse changes in government regulation; •limit our flexibility in planning for, or reacting to, changes in our business and our industry; •place us at a disadvantage compared to our competitors who have less debt; •limit our ability to borrow additional amounts to fund acquisitions, for working capital, and for other general corporate purposes; and •make an acquisition of our company less attractive or more difficult. Any of these factors could harm our business, results of operations, and financial condition. In addition, if we incur additional indebtedness, the risks related to our business and our ability to service or repay our indebtedness would increase.

Substantially all of our sales contracts are denominated in U.S. dollars and, therefore, substantially all of our revenue is not subject to foreign currency risk. However, a strengthening of the U.S. dollar has increased and may continue to increase the real cost of our products to our customers outside of the United States, which could reduce demand for our products or cause us to discount our products, which could adversely affect our financial condition and results of operations. As our international operations expand, an increasing portion of our operating expenses is incurred outside the United States and is denominated in foreign currencies, such as the British Pound, Euro, and Singapore Dollar. In addition, in the future we may begin to generally allow customers in some countries outside the United States to pay us for our products in the currencies of those countries. Accordingly, our revenue and operating expenses may be increasingly subject to fluctuations due to changes in foreign currency exchange rates. As we continue to expand our international operations, we may become more exposed to foreign currency risk or remeasurement risk. 56 56 56 Table of contents Table of contents In the second quarter of 2024, we initiated a foreign exchange hedging program that uses derivative instruments to lessen the effects of currency fluctuations on certain of our non-U.S. dollar denominated currency exposures. However, our hedging instruments may not successfully mitigate losses caused by currency fluctuations, and our hedging positions may be partial or may not exist at all in the future. In addition, the use of hedging instruments may bring additional risks if we are unable to arrange effective hedges with such instruments or if we are unable to forecast hedged exposures precisely. While we have in the past, and may in the future, choose to enter into additional transactions to hedge portions of our foreign exchange exposures, it is impossible to predict or eliminate the effects of foreign exchange rate exposure, and if we become more exposed to currency fluctuations and are not able to successfully hedge against the risks associated with currency fluctuations, our results of operations could be materially and adversely affected.

Substantially all of our sales contracts are denominated in U.S. dollars and, therefore, substantially all of our revenue is not subject to foreign currency risk. However, a strengthening of the U.S. dollar has increased and may continue to increase the real cost of our products to our customers outside of the United States, which could reduce demand for our products or cause us to discount our products, which could adversely affect our financial condition and results of operations. As our international operations expand, an increasing portion of our operating expenses is incurred outside the United States and is denominated in foreign currencies, such as the British Pound, Euro, and Singapore Dollar. In addition, in the future we may begin to generally allow customers in some countries outside the United States to pay us for our products in the currencies of those countries. Accordingly, our revenue and operating expenses may be increasingly subject to fluctuations due to changes in foreign currency exchange rates. As we continue to expand our international operations, we may become more exposed to foreign currency risk or remeasurement risk. If we become more exposed to currency fluctuations and are not able to successfully hedge against the risks associated with currency fluctuations, our results of operations could be materially and adversely affected.

A significant part of our business strategy is to focus on long-term growth and to reinvest our cash flow from operations into our business, including the expansion of our global network, the development of new products and features, the expansion of our global workforce, and the potential acquisition of complementary businesses. As a result, our profitability may be lower than it would be if our strategy were to maximize short-term profitability. Significant expenditures on sales and marketing efforts, and expenditures on growing our network and expanding our research and development and portfolio of products, each of which we intend to continue to invest in, may not ultimately grow our business or cause long-term profitability. If we are ultimately unable to achieve or improve profitability at the level or during the time frame anticipated by industry or financial analysts and our stockholders, our stock price may decline. 30 30 30 Table of contents Table of contents

A significant part of our business strategy is to focus on long-term growth and to reinvest our cash flow from operations into our business, including the expansion of our global network, the development of new products and features, the expansion of our global workforce, and the potential acquisition of complementary businesses. For example, in the year ended December 31, 2023, we increased our operating expenses to $1,175.2 million as compared to $943.8 million and $637.0 million in the years ended December 31, 2022 and 2021, respectively. In the year ended December 31, 2023 we decreased our net loss to $183.9 million as compared to $193.4 million and $260.3 million in the years ended December 31, 2022 and 2021, respectively. As a result, we may continue to operate at a loss or our profitability may be lower than it would be if our strategy were to maximize short-term profitability. Significant expenditures on sales and marketing efforts, and expenditures on growing our network and expanding our research and development and portfolio of products, each of which we intend to continue to invest in, may not ultimately grow our business or cause long-term profitability. If we are ultimately unable to achieve or improve profitability at the level or during the time frame anticipated by industry or financial analysts and our stockholders, our stock price may decline.

Our operations and financial performance depend in part on worldwide economic conditions and the impact these conditions have on levels of spending on products and solutions for network security, performance, and reliability. Our business depends on the overall demand for these products and on the economic health and general willingness of our current and prospective customers to purchase our products. The United States, Europe, and the United Kingdom have recently experienced historically high levels of inflation. Although inflation levels have decreased from such high levels in the United States, the United Kingdom, and Eurozone, the U.S. Federal Reserve, the European Central Bank, and the Bank of England have in the past raised, and may in the future raise or maintain, high interest rates and may implement fiscal policy interventions. Even if these interventions lower inflation, they may also reduce economic growth rates, create a recession, and result in other similar or unexpected effects. Downturns in economic conditions — including inflation, rising interest rates, reductions in business confidence and activity, the curtailment of government or corporate spending, volatile financial markets, the actual or perceived failure or financial difficulties of financial institutions, supply chain disruptions or increased equipment costs due to current or potential future tariffs, and reduced demand for products and services across a variety of industries — have in the past and may in the future affect our business and our current and prospective customers and their industries adversely. For example, during an economic downturn, our current and prospective customers may suffer from reduced operating budgets. Some of our paying customers may view a subscription to our products as a discretionary purchase and may reduce their discretionary spending on our products or reduce or cut their budget to otherwise expand their subscriptions to our products. Moreover, our competitors may respond to market conditions by lowering prices and attempting to lure away our customers. Further, the sales cycle for new and existing customers of our technology and services could lengthen in the future as a result of challenging macroeconomic conditions, resulting in a potentially longer delay between increasing operating expenses and the generation of corresponding revenue, if any. For example, potentially as a result of these various macroeconomic impacts on our customers, we periodically have experienced lengthening of the average sales cycles for certain types of customers and sales, slowdowns in our pipeline of potential new 20 20 20 Table of contents Table of contents customers and in the rate of converting sales pipeline opportunities into new sales, increases in average days sales outstanding, higher levels of churn in our paying customer base (which is when any of our paying customers cease to be a paying customer for any reason, including any pay-as-you-go customer converting to a free subscription plan), and lengthening of the timing of payment from some of our customers, all of which may have contributed to a slowdown in our revenue growth from prior periods (including with respect to new customers). We may also experience increases in new and existing customers requesting concessions in terms of payment amounts and/or timing and earlier or additional termination rights in the future as the challenging macroeconomic conditions continue or worsen. We continue to monitor economic conditions to assess possible implications to our business and to take appropriate actions in an effort to mitigate the adverse consequences of uncertainty or negative trends. However, there can be no assurances that initiatives we undertake will be sufficient or successful. If there is an economic downturn that affects our current and prospective customers, or if we are unable to address and mitigate the risks associated with any of the foregoing, our business, results of operations and financial condition could be adversely affected. The conflicts in the Middle East and Ukraine and other areas of geopolitical tension around the world or any worsening or expansion of those conflicts or tensions, other geopolitical events such as elections and other governmental changes, and any related challenging macroeconomic conditions globally and in various countries in which we and our customers operate may materially adversely affect our customers, vendors, and partners, and the duration and extent to which these factors may impact our future business and operations, results of operations, financial condition, and cash flows remain uncertain. The conflicts in the Middle East and Ukraine and other areas of geopolitical tension around the world or any worsening or expansion of those conflicts or geopolitical tensions, other geopolitical events such as elections and other governmental changes, and any related challenging macroeconomic conditions globally and in various countries in which we and our customers operate, could decrease the spending of our existing and potential new customers, adversely affect demand for our products, cause one or more of our customers, vendors, and partners to file for bankruptcy protection or go out of business, cause one or more of our customers to fail to renew, terminate, or seek to renegotiate their contracts with us, cause one or more of our suppliers to increase prices as a result of current or potential future tariffs or other factors, affect the ability of our sales team to travel to potential customers, impact expected spending from existing and potential new customers, and negatively impact collections of accounts receivable, all of which could adversely affect our business, results of operations, and financial condition. Any of the negative impacts of the conflicts in the Middle East and Ukraine and other areas of geopolitical tension around the world or any worsening or expansion of those conflicts or geopolitical tensions, other geopolitical events such as elections and other governmental changes, and any related challenging macroeconomic conditions globally and in various countries in which we and our customers operate, may have a material adverse effect on our business and operations, results of operations, financial condition, and cash flows. Any of these negative impacts, alone or in combination with others, also could exacerbate many of the other risk factors discussed in this Part I, Item 1A “Risk Factors” of this Annual Report on Form 10-K, including volatility in the trading prices of our Class A common stock. The full extent to which these factors will negatively affect our business and operations, results of operations, financial condition, and cash flows will depend on future developments that are highly uncertain and cannot be predicted, including the scope, severity, and duration of the conflicts in the Middle East and Ukraine, other areas of geopolitical tension around the world, and any economic downturns and the actions taken by governmental authorities and other third parties in response.

Our operations and financial performance depend in part on worldwide economic conditions and the impact these conditions have on levels of spending on products and solutions for network security, performance, and reliability. Our business depends on the overall demand for these products and on the economic health and general willingness of our current and prospective customers to purchase our products. The United States, Europe, and the United Kingdom have recently experienced historically high levels of inflation. Although inflation levels have begun to decrease in the United States, the United Kingdom, and Eurozone, the U.S. Federal Reserve, the European Central Bank, and the Bank of England have raised, and may continue to raise or maintain, high interest rates and may implement fiscal policy interventions. Even if these interventions lower inflation, they may also reduce economic growth rates, create a recession, and result in other similar or unexpected effects. For example, the decrease in values of government-issued securities resulting from higher interest rates may have played a significant role in the failures of Silicon Valley Bank and Signature Bank during the first quarter of 2023, the circumstances resulting in the UBS takeover of Credit Suisse during the second quarter of 2023, and generalized uncertainty confronting a number of other financial institutions. Downturns in economic conditions — including inflation, rising interest rates, reductions in business confidence and activity, the curtailment of government or corporate spending, volatile financial markets, the actual or perceived failure or financial difficulties of additional financial institutions, ongoing supply chain disruptions, and reduced demand for products and services across a variety of industries — have in the past and may in the future affect our business and our current and prospective customers and their industries adversely. For example, during an economic downturn, our current and prospective customers may suffer from reduced operating budgets. Some of our paying customers may view a subscription to our products as a discretionary purchase and may reduce their discretionary spending on our products or reduce or cut their budget to otherwise expand their subscriptions to our products. Moreover, our competitors may respond to market conditions by lowering prices and attempting to lure away our customers. Further, the sales cycle for new customers of our technology and services could lengthen in the future as a result of challenging macroeconomic conditions, resulting in a potentially longer delay between increasing operating expenses and the generation of corresponding revenue, if any. For example, potentially as a result of these various macroeconomic impacts on our customers, since the first half of 2022, we periodically have experienced lengthening of the average sales cycles for certain types of customers and sales, slowdowns in our pipeline of potential new customers and in the rate of converting sales pipeline opportunities into new sales, increases in average days sales outstanding, higher levels of churn in our paying customer base (which is when any of our paying customers cease to be a paying customer for any reason, including any pay-as-you-go customer converting to a free subscription plan), and lengthening of the timing of payment from some of our customers, all of which may have contributed to a slowdown in our revenue growth over that period (including with respect to new customers). We may also experience increases in new and existing customers requesting concessions in terms of payment amounts and/or timing and earlier or additional termination rights in the future as the challenging macroeconomic conditions continue or worsen. We continue to monitor economic conditions to assess possible implications to our business and to take appropriate actions in an effort to mitigate the adverse consequences of uncertainty or negative trends. However, there can be no assurances that initiatives we undertake will be sufficient or successful. If there is an economic downturn that affects our current and prospective customers, or if we are unable to address and mitigate the risks associated with any of the foregoing, our business, results of operations and financial condition could be adversely affected.