Okta Inc.: 10-K Risk Factor Changes

Increasingly, companies, including Okta, are subject to a wide variety of attacks on their systems and networks on an ongoing basis. In addition to threats from traditional computer “hackers,” malicious code (such as malware, viruses, worms and ransomware), employee or contractor theft or misuse, password spraying, phishing and denial-of-service attacks, we and our third-party service providers now also face threats from sophisticated nation-state actors and organized crime groups who engage in attacks (including advanced persistent threat intrusions) that add to the risks to our systems (including those hosted on AWS’ or other cloud services providers’ systems), internal networks, our customers’ systems and the information that we and they store and process. For example, like other companies, we have experienced an increase in cybersecurity attacks and have had to expend increasing amounts of human and financial capital to respond. We expect that these cybersecurity attacks will continue and that the scope and sophistication of these efforts will increase in future periods. Despite significant efforts to create security barriers to such threats, it is virtually impossible for us to entirely mitigate these risks. As a well-known provider of identity and security solutions that form a part of our customers’ security software supply chain, we pose an attractive target for such attacks. The security measures we have integrated into our internal systems and platform, which are designed to detect unauthorized activity and prevent or minimize security breaches, may not function as expected and have not in the past been, and may not in the future be, sufficient to protect our internal networks and platform against certain attacks. In addition, techniques used to sabotage or to obtain unauthorized access to networks in which data is stored or through which data is transmitted change frequently, become more complex over time and generally are not recognized until launched against a target. As a result, we and our third-party service providers have in the past been, and may in the future be, unable to anticipate these techniques or implement adequate preventative measures quickly enough to prevent either an electronic intrusion into our systems or services or a compromise of customer data, employee data or other protected information. Our customers’ use of Okta to access business systems and store data concerning, among others, their employees, contractors, partners and customers is essential to their use of our platform, which stores, transmits and 29 29 29 processes customers’ proprietary information and users’ personal data. Okta has experienced and likely will in the future experience attacks targeting such customer data. When such breaches occur, as a result of third-party action, technology limitations, employee or contractor error, malfeasance or otherwise, and if the confidentiality, integrity or availability of our customers’ data or systems is disrupted, we could incur significant liability to our customers and to individuals or businesses whose information was being stored by our customers, and our platform may be perceived as less desirable, which could negatively affect our business and damage our reputation. Techniques used to obtain unauthorized access to, or to sabotage, systems change frequently and generally are not recognized until launched against a target. As a result, we, our third-party service providers and our customers have not in the past been, and may not in the future be, able to anticipate these techniques or to implement adequate preventive measures. Further, because we do not control our third-party service providers, or the processing of data by our third-party service providers, we cannot ensure the integrity or security of measures they take to protect customer information and prevent data loss. In addition, security breaches impacting our platform have in certain cases resulted in and could in the future result in a risk of loss or unauthorized disclosure or theft of this information, or the denial of access to this information, which, in turn, could lead to enforcement actions, litigation, regulatory or governmental audits, investigations and possible liability, and increased requests by individuals regarding their personal data. Security breaches could also damage our relationships with and ability to attract customers and partners, and trigger service availability, indemnification and other contractual obligations. For example, our customers have in the past published public criticisms of our security practices in connection with security incidents, and these postings harm our reputation and brand. Security incidents may also cause us to incur significant investigation, mitigation, remediation, notification and other expenses. Furthermore, as a well-known provider of identity and security solutions that form a part of our customers’ security software supply chain, any such breach, including a breach of our customers’ systems, could compromise systems secured by our products, creating system disruptions or slowdowns and exploiting security vulnerabilities of our or our customers’ systems, and the information stored on our or our customers’ systems could be accessed, publicly disclosed, altered, lost or stolen, which could subject us to liability and cause us financial harm. Our disclosures concerning security incidents also may become the subject of litigation, and our disclosures concerning the January 2022 compromise, for example, have become the subject of lawsuits, as discussed in Item 3, “Legal Proceedings” below. While we have taken a number of remediation steps, there is no guarantee that our preventative and mitigation actions with respect to this incident and others like it will fully eliminate the risk of a malicious compromise of our or our customers’ systems. We have experienced cybersecurity incidents resulting from our use of and oversight over third-party service providers and may experience such incidents in the future. These incidents have, in the past, and may, in the future, result from our configuration of such providers’ products or from cybersecurity attacks on such providers of the same type that could affect our own systems. While we have implemented security measures and configuration policies that seek to protect data stored with our third-party service providers, such measures and policies have not in the past been, and may not in the future be, sufficient to protect our data or our customers’ data. For example, the January 2022 compromise of one of our third-party service providers by a threat actor, even though not material and not a breach of our product or systems, nonetheless was widely publicized and focused attention on the security of our systems and the systems of our third-party service providers. In addition, in October 2023, a threat actor gained unauthorized access to and stole information from inside our customer support system, which was hosted by a third-party service provider. While we maintain cybersecurity insurance, our insurance may be insufficient to cover all liabilities incurred in these incidents, and any incidents may result in loss of, or increased costs of, our cybersecurity insurance. These breaches, or any perceived breach, of our systems, our customers’ systems, our service providers’ systems, or other systems or networks secured by our products, whether or not any such breach is due to a vulnerability in our platform, may also undermine confidence in our platform or our industry and result in damage to our reputation and brand, negative publicity, loss of ISVs and other channel partners, customers and sales, increased costs to remedy any problem, costly litigation and other liability. In addition, a breach of the security measures of one of our key ISVs or other channel partners or a security software supply chain attack even many levels removed could result in the exfiltration of confidential corporate information or other data that may provide additional avenues of attack. For example, an exploitation in an open source library that is imported and used in another framework that is used by a software product used by Okta could introduce an avenue of attack into the Okta service. If a high profile security breach occurs with respect to a comparable cloud technology provider, our customers and potential customers may lose trust in the security of the cloud business model generally, which could adversely impact our ability to retain existing customers or attract new ones, potentially causing a negative impact on our business. Any of these 30 30 30 negative outcomes could adversely impact market acceptance of our products and could harm our business, results of operations and financial condition. Third parties have induced and may continue to fraudulently induce employees, contractors, customers or our customers’ users into disclosing sensitive information such as user names, passwords or other information or otherwise compromise the security of our applications, internal networks, electronic systems and/or physical facilities in order to gain access to our data or our customers’ data, which could result in significant legal and financial exposure, a loss of confidence in the security of our platform, interruptions or malfunctions in our operations, account lockouts, and, ultimately, harm to our future business prospects and revenue. We may be required to expend significant capital and financial resources to protect against such threats or to alleviate problems caused by breaches in security.

Increasingly, companies, including Okta, are subject to a wide variety of attacks on their systems and networks on an ongoing basis. In addition to threats from traditional computer “hackers,” malicious code (such as malware, viruses, worms and ransomware), employee or contractor theft or misuse, password spraying, phishing and denial-of-service attacks, we and our third-party service providers now also face threats from sophisticated nation-state and nation-state-supported actors who engage in attacks (including advanced persistent threat intrusions) that add to the risks to our systems (including those hosted on AWS’ or other cloud services providers’ systems), internal networks, our customers’ systems and the information that they store and process. For example, like other companies, we have experienced numerous cybersecurity attacks and have had to expend increasing amounts of human and financial capital to respond. We expect that these cybersecurity attacks will continue and that the scope and sophistication of these efforts may increase in future periods. Despite significant efforts to create security barriers to such threats, it is virtually impossible for us to entirely mitigate these risks. As a well-known provider of identity and security solutions, we pose an attractive target for such attacks. The security measures we have integrated into our internal systems and platform, which are designed to detect unauthorized activity and prevent or minimize security breaches, may not function as expected or may not be sufficient to protect our internal networks and platform against certain attacks. In addition, techniques used to sabotage or to obtain unauthorized 29 29 29 access to networks in which data is stored or through which data is transmitted change frequently, become more complex over time and generally are not recognized until launched against a target. As a result, we and our third-party service providers may be unable to anticipate these techniques or implement adequate preventative measures quickly enough to prevent either an electronic intrusion into our systems or services or a compromise of customer data, employee data or other protected information. Our customers’ use of Okta to access business systems and store data concerning, among others, their employees, contractors, partners and customers is essential to their use of our platform, which stores, transmits and processes customers’ proprietary information and users’ personal data. Okta has experienced and likely will in the future experience attacks targeting such customer data. When such breaches occur, as a result of third-party action, technology limitations, employee or contractor error, malfeasance or otherwise, and if the confidentiality, integrity or availability of our customers’ data or systems is disrupted, we could incur significant liability to our customers and to individuals or businesses whose information was being stored by our customers, and our platform may be perceived as less desirable, which could negatively affect our business and damage our reputation. Because techniques used to obtain unauthorized access to, or to sabotage, systems change frequently and generally are not recognized until launched against a target, we, our third-party service providers and our customers may be unable to anticipate these techniques or to implement adequate preventive measures. Further, because we do not control our third-party service providers, or the processing of data by our third-party service providers, we cannot ensure the integrity or security of measures they take to protect customer information and prevent data loss. In addition, security breaches impacting our platform have in certain cases resulted in and could in the future result in a risk of loss or unauthorized disclosure of this information, or the denial of access to this information, which, in turn, could lead to enforcement actions, litigation, regulatory or governmental audits, investigations and possible liability, and increased requests by individuals regarding their personal data. Security breaches could also damage our relationships with and ability to attract customers and partners, and trigger service availability, indemnification and other contractual obligations. Security incidents may also cause us to incur significant investigation, mitigation, remediation, notification and other expenses. Furthermore, as a well-known provider of identity and security solutions, any such breach, including a breach of our customers’ systems, could compromise systems secured by our products, creating system disruptions or slowdowns and exploiting security vulnerabilities of our or our customers’ systems, and the information stored on our or our customers’ systems could be accessed, publicly disclosed, altered, lost or stolen, which could subject us to liability and cause us financial harm. For example, the January 2022 compromise of one of our third-party service providers by a threat actor, even though not material and not a breach of our product or systems, nonetheless was widely publicized and focused attention on the security of our systems and the systems of our third-party service providers. Our disclosures concerning security incidents also may become the subject of litigation, and our disclosures concerning the January 2022 compromise, for example, have become the subject of lawsuits, as discussed in Item 3, “Legal Proceedings” below. While we have taken a number of remediation steps, there is no guarantee that our preventative and mitigation actions with respect to this incident and others like it will fully eliminate the risk of a malicious compromise of our, our third-party service providers’ or our customers’ systems. While we maintain cybersecurity insurance, our insurance may be insufficient to cover all liabilities incurred in these incidents, and any incidents may result in loss of, or increased costs of, our cybersecurity insurance. These breaches, or any perceived breach, of our systems, our customers’ systems, or other systems or networks secured by our products, whether or not any such breach is due to a vulnerability in our platform, may also undermine confidence in our platform or our industry and result in damage to our reputation and brand, negative publicity, loss of ISVs and other channel partners, customers and sales, increased costs to remedy any problem, costly litigation and other liability. In addition, a breach of the security measures of one of our key ISVs or other channel partners could result in the exfiltration of confidential corporate information or other data that may provide additional avenues of attack, and if a high profile security breach occurs with respect to a comparable cloud technology provider, our customers and potential customers may lose trust in the security of the cloud business model generally, which could adversely impact our ability to retain existing customers or attract new ones, potentially causing a negative impact on our business. Any of these negative outcomes could adversely impact market acceptance of our products and could harm our business, results of operations and financial condition. Third parties have induced and may continue to fraudulently induce employees, contractors, customers or our customers’ users into disclosing sensitive information such as user names, passwords or other information or otherwise compromise the security of our applications, internal networks, electronic systems and/or physical facilities in order to gain access to our data or our customers’ data, which could result in significant legal and financial exposure, a loss of confidence in the security of our platform, interruptions or malfunctions in our 30 30 30 operations, account lock outs, and, ultimately, harm to our future business prospects and revenue. We may be required to expend significant capital and financial resources to protect against such threats or to alleviate problems caused by breaches in security.

We have experienced, and may continue to experience, rapid growth and organizational change, which has placed, and may continue to place, significant demands on our management and our operational and financial resources. For example, our headcount has grown from 5,030 employees as of January 31, 2022 to 5,908 employees as of January 31, 2024. In order to manage our growth and better align our organizational structure and resources with our business priorities, we may undertake restructuring plans from time to time. For example, during the first quarter of each of fiscal 2024 and fiscal 2025, we announced separate world-wide restructuring plans intended to reduce operating expenses and improve profitability that involved a reduction of our workforce by approximately 300 and 400 full-time employees, respectively. We may encounter challenges in the execution of these restructuring efforts, such as adverse impacts on employee morale or attrition beyond the intended reductions, and these challenges could impact our ability to execute on our business initiatives, which could cause our restructuring efforts to not be as effective as anticipated and harm our financial results. We have also experienced significant growth in the number of customers, users and logins and in the amount of data that our SaaS infrastructure supports. Finally, our organizational structure is becoming more complex as we improve our operational, financial and management controls as well as our reporting systems and procedures. We will require significant capital expenditures and the allocation of valuable management resources to grow and change in these areas without undermining our culture of rapid innovation, teamwork and attention to customer success, which has been central to our growth so far. If we fail to manage our anticipated growth and change in a manner that preserves the key aspects of our corporate culture, the quality of our platform may suffer, which could negatively affect our brand and reputation and harm our ability to retain and attract customers and employees. We have established international offices in the Americas, Asia-Pacific and Europe, and we plan to continue to expand our international operations in the future. Our expansion has placed, and our expected future growth will continue to place, a significant strain on our managerial, customer operations, research and development, marketing and sales, administrative, financial and other resources. If we are unable to manage our continued growth successfully, our business and results of operations could suffer. 19 19 19 In addition, as we expand our business, it is important that we continue to maintain a high level of customer service and satisfaction. As our customer base continues to grow, we will need to expand our account management, customer service and other personnel, and our network of independent software vendors (“ISVs”), system integrators and other channel partners, to provide personalized account management and customer service. If we are not able to continue to provide high levels of customer service, our reputation, as well as our business, results of operations and financial condition, could be harmed.

We have experienced, and may continue to experience, rapid growth and organizational change, which has placed, and may continue to place, significant demands on our management and our operational and financial resources. For example, our headcount has grown from 5,030 employees as of January 31, 2022 to 6,013 employees as of January 31, 2023. We have also experienced significant growth in the number of customers, users and logins and in the amount of data that our SaaS infrastructure supports. Finally, our organizational structure is becoming more complex as we improve our operational, financial and management controls as well as our reporting systems and procedures. We will require significant capital expenditures and the allocation of valuable management resources to grow and change in these areas without undermining our culture of rapid innovation, teamwork and attention to customer success, which has been central to our growth so far. If we fail to manage our anticipated growth and change in a manner that preserves the key aspects of our corporate culture, the quality of our platform may suffer, which could negatively affect our brand and reputation and harm our ability to retain and attract customers and employees. We have established international offices in the Americas, Asia-Pacific and Europe, and we plan to continue to expand our international operations in the future. Our expansion has placed, and our expected future growth will continue to place, a significant strain on our managerial, customer operations, research and development, marketing and sales, administrative, financial and other resources. If we are unable to manage our continued growth successfully, our business and results of operations could suffer. In addition, as we expand our business, it is important that we continue to maintain a high level of customer service and satisfaction. As our customer base continues to grow, we will need to expand our account management, customer service and other personnel, and our network of ISVs, system integrators and other channel partners, to provide personalized account management and customer service. If we are not able to continue to provide high levels of customer service, our reputation, as well as our business, results of operations and financial condition, could be harmed.

We have incurred significant net losses in each year since our inception, including net losses of $848 million, $815 million and $355 million in fiscal 2022, 2023 and 2024, respectively. We expect to continue to incur net losses for the foreseeable future. We expect our operating expenses to significantly increase over the next several years as we hire additional personnel, particularly in sales and marketing, expand and improve the effectiveness of our distribution channels, expand our operations and infrastructure, both domestically and internationally, pursue business combinations and continue to develop our platform. If our revenue does not increase to offset these increases in our operating expenses, we will not be profitable in future periods. While historically, our total revenue has grown, not all components of our total revenue have grown consistently. Further, in future periods, our revenue growth could slow or our revenue could decline for a number of reasons, including slowing demand for our software, increasing competition, any failure to gain or retain channel partners, a decrease in the growth of our overall market, or our failure, for any reason, to continue to capitalize on growth opportunities. As a result, our past financial performance should not be considered indicative of our future performance. Any failure by us to achieve or sustain profitability on a consistent basis could cause the value of our common stock to decline.

We have incurred significant net losses in each year since our inception, including net losses of $266 million, $848 million and $815 million in fiscal 2021, 2022 and 2023, respectively. We expect to continue to incur net losses for the foreseeable future. Because the market for our platform is rapidly evolving and has not yet reached widespread adoption, it is difficult for us to predict our future results of operations. We expect our operating expenses to significantly increase over the next several years as a result of the Auth0 acquisition, and as we hire additional personnel, particularly in sales and marketing, expand and improve the effectiveness of our distribution channels, expand our operations and infrastructure, both domestically and internationally, pursue business combinations and continue to develop our platform. As we continue to develop as a public company, we may incur additional legal, accounting and other expenses that we did not incur historically. If our revenue does not increase to 18 18 18 offset these increases in our operating expenses, we will not be profitable in future periods. While historically, our total revenue has grown, not all components of our total revenue have grown consistently. Further, in future periods, our revenue growth could slow or our revenue could decline for a number of reasons, including slowing demand for our software, increasing competition, any failure to gain or retain channel partners, a decrease in the growth of our overall market, or our failure, for any reason, to continue to capitalize on growth opportunities. As a result, our past financial performance should not be considered indicative of our future performance. Any failure by us to achieve or sustain profitability on a consistent basis could cause the value of our common stock to decline.

The number of people who access the internet through mobile devices and access cloud-based software applications through mobile devices, including smartphones and handheld tablets or laptop computers, has increased significantly in the past several years and is expected to continue to increase. While we have created mobile applications and mobile versions of our products, if these mobile applications and products do not perform well, our business may suffer. We are also dependent on third-party application stores that may prevent us from timely updating our current products or uploading new products. In addition, our products interoperate with servers, mobile devices and software applications predominantly through the use of protocols, many of which are created and maintained by third parties. As a result, we depend on the interoperability of our products with such third-party services, mobile devices and mobile operating systems, as well as cloud-enabled hardware, software, networking, browsers, database technologies and protocols that we do not control. Past and future changes in such technologies that degrade the functionality of our products or give preferential treatment to competitive services have, in the past, and could, in the future, adversely affect adoption and usage of our platform. Any change in our customers’ preference for cloud-based identity management or any shift towards on-premises systems could also adversely affect adoption and usage of our platform. Also, we may not be successful in developing or maintaining relationships with key participants in the mobile industry or in developing products that operate effectively with a range of operating systems, networks, devices, browsers, protocols and standards. In addition, we may face different fraud, security and regulatory risks from transactions sent from mobile devices than we do from personal computers. If we are unable to effectively anticipate and manage these risks, or if it is difficult for our customers to access and use our platform, our business, results of operations and financial condition may be harmed. Our success also depends on the willingness of third-party developers and technology providers to build applications and provide integrations that are complementary to our service. Without the development of these applications and integrations, both current and potential customers may not find our service sufficiently attractive, and our business, results of operations and financial condition could suffer. 34 34 34

The number of people who access the internet through mobile devices and access cloud-based software applications through mobile devices, including smartphones and handheld tablets or laptop computers, has increased significantly in the past several years and is expected to continue to increase. While we have created mobile applications and mobile versions of our products, if these mobile applications and products do not perform well, our business may suffer. We are also dependent on third-party application stores that may prevent us from timely updating our current products or uploading new products. In addition, our products interoperate with servers, mobile devices and software applications predominantly through the use of protocols, many of which are created and maintained by third parties. As a result, we depend on the interoperability of our products with such third-party services, mobile devices and mobile operating systems, as well as cloud-enabled hardware, software, networking, browsers, database technologies and protocols that we do not control. Any changes in such technologies that degrade the functionality of our products or give preferential treatment to competitive services could adversely affect adoption and usage of our platform. Also, we may not be successful in developing or maintaining relationships with key participants in the mobile industry or in developing products that operate effectively with a range of operating systems, networks, devices, browsers, protocols and standards. In addition, we may face different fraud, security and regulatory risks from transactions sent from mobile devices than we do from personal computers. If we are unable to effectively anticipate and manage these risks, or if it is difficult for our customers to access and use our platform, our business, results of operations and financial condition may be harmed. Our success also depends on the willingness of third-party developers and technology providers to build applications and provide integrations that are complementary to our service. Without the development of these applications and integrations, both current and potential customers may not find our service sufficiently attractive, and our business, results of operations and financial condition could suffer.

From fiscal 2022 to fiscal 2023, our revenue grew from $1,300 million to $1,858 million, an increase of 43%, and from fiscal 2023 to fiscal 2024, our revenue grew from $1,858 million to $2,263 million, an increase of 22%. In future periods, we may not be able to sustain revenue growth consistent with recent history, or at all. We believe our revenue growth depends on a number of factors, such as macroeconomic conditions including the inflation and interest rate environment and budget constraints, as well as, but not limited to, our ability to: •price our platform effectively so that we are able to attract and retain customers without compromising our profitability; •attract new customers, successfully deploy and implement our platform, upsell or otherwise increase our existing customers’ use of our platform, obtain customer renewals and provide our customers with excellent customer support; •increase our network of channel partners; •adequately expand our sales force, and maintain or increase our sales force’s productivity; •protect against security breaches of, technical difficulties with, or interruptions to, the delivery and use of our platform and products, and any negative market perception or customer reactions related to, or arising from the disclosure of, such breaches, difficulties or interruptions; 18 18 18 •successfully identify and enter into agreements with suitable acquisition targets, integrate any acquisitions and integrate acquired technologies into our existing products or use them to develop new products; •successfully introduce new products, enhance existing products and address new use cases; •introduce our platform to new markets outside of the United States; •successfully compete against larger companies and new market entrants; and •increase awareness of our brand on a global basis. If we are unable to accomplish any of these tasks, our revenue growth will be harmed. We also expect our operating expenses to increase in future periods, and if our revenue growth does not increase to offset these anticipated increases in our operating expenses, our business, financial position and results of operations will be harmed, and we may not be able to achieve or maintain profitability.

From fiscal 2021 to fiscal 2022, our revenue grew from $835 million to $1,300 million, an increase of 56%, and from fiscal 2022 to fiscal 2023, our revenue grew from $1,300 million to $1,858 million, an increase of 43%. In future periods, we may not be able to sustain revenue growth consistent with recent history, or at all. We believe our revenue growth depends on a number of factors, such as macroeconomic conditions including the inflation and interest rate environment, budget constraints and the economic impact of the COVID-19 pandemic, as well as, but not limited to, our ability to: •price our platform effectively so that we are able to attract and retain customers without compromising our profitability; •attract new customers, successfully deploy and implement our platform, upsell or otherwise increase our existing customers’ use of our platform, obtain customer renewals and provide our customers with excellent customer support; •increase our network of channel partners, which include resellers, system integrators and other distribution partners and independent software vendors (“ISVs”); •adequately expand our sales force, and maintain or increase our sales force’s productivity; •successfully identify and enter into agreements with suitable acquisition targets, integrate any acquisitions and integrate acquired technologies into our existing products or use them to develop new products; •successfully introduce new products, enhance existing products and address new use cases; •introduce our platform to new markets outside of the United States; •successfully compete against larger companies and new market entrants; and •increase awareness of our brand on a global basis. If we are unable to accomplish any of these tasks, our revenue growth will be harmed. We also expect our operating expenses to increase in future periods, and if our revenue growth does not increase to offset these anticipated increases in our operating expenses, our business, financial position and results of operations will be harmed, and we may not be able to achieve or maintain profitability.

Under Section 382 of the Internal Revenue Code of 1986, as amended, if a corporation undergoes an “ownership change,” generally defined as a greater than 50% change (by value) in its equity ownership over a three-year period, the corporation’s ability to use its pre-change net operating loss carry-forwards and other pre-change tax attributes, such as research tax credits and distributed interest deduction carryover, to offset its post-change income may be limited. We have experienced ownership changes in the past and any such ownership change in the future could result in increased future tax liability. In addition, we may experience ownership changes in the future as a result of subsequent shifts in our stock ownership. As a result, if we earn net taxable income, our ability to use our pre-change net operating loss carry-forwards to offset U.S. federal taxable income may be subject to limitations, which could potentially result in increased future tax liability to us. 41 41 41

Under Section 382 of the Internal Revenue Code of 1986, as amended, if a corporation undergoes an “ownership change,” generally defined as a greater than 50% change (by value) in its equity ownership over a three-year period, the corporation’s ability to use its pre-change net operating loss carry-forwards and other pre-change tax attributes, such as research tax credits and distributed interest deduction carryover, to offset its post-change income may be limited. We have experienced ownership changes in the past and any such ownership change in the future could result in increased future tax liability. In addition, we may experience ownership changes in the future as a result of subsequent shifts in our stock ownership. As a result, if we earn net taxable income, our ability to use our pre-change net operating loss carry-forwards to offset U.S. federal taxable income may be subject to limitations, which could potentially result in increased future tax liability to us. On March 27, 2020, the U.S. government enacted the Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”), which included temporary relief from the net operating loss limitations imposed by the Tax Cuts and Jobs Act for tax years beginning after December 31, 2017 and before January 1, 2021, and made certain technical corrections to applying the net operating loss utilization limitations for tax years beginning after January 1, 2021. Our ability to use our net operating losses is conditioned upon generating future U.S. federal taxable income. Since we do not know whether or when we will generate the U.S. federal taxable income necessary to use our remaining net operating losses, these net operating loss carryforwards generated prior to our fiscal 2018 could expire unused. 41 41 41

Security is essential for Okta and for our customers. A number of our product offerings have attained multiple certifications, including SOC 2 Type II Attestations, CSA Star Level 2 Attestation, ISO/IEC 27001:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2019, multiple agency FedRAMP Authorities to Operate, Department of Defense Impact Level 4, are in accordance with Health Insurance Portability and Accountability Act ("HIPAA"), and comply with many other international security frameworks. Workforce Identity Cloud also supports FIPS 140-2 encryption requirements. If we fail to maintain our security attestations and certifications, or if we fail to seek expansion of their applicability to acquired and/or newly-developed products, we may fail to meet our contractual commitments and we may fail to retain our existing customers or attract new customers, and our business, results of operations and financial condition could suffer.

Security is a mission-critical issue for Okta and for our customers. We have attained multiple certifications, including SOC 2 Type II certifications, CSA Star Level 2 Attestation, ISO/IEC 27001:2013, ISO/IEC 27018:2019 certifications, and agency FedRAMP Moderate Authorities to Operate. We also support FIPS 140-2 encryption requirements. If we fail to maintain our security attestations and certifications, or if we fail to seek expansion of their applicability to acquired and/or newly-developed products, we may fail to meet our contractual commitments and we may fail to retain our existing customers or attract new customers, and our business, results of operations and financial condition could suffer.

The conversion of some or all of the Notes would dilute the ownership interests of existing stockholders to the extent we satisfy our conversion obligation by delivering shares of our Class A common stock upon any conversion of such Notes. Our 2025 Notes and 2026 Notes may become in the future convertible at the option of their holders under certain circumstances. If holders of our Notes elect to convert their notes, we may settle our conversion obligation by delivering to them a significant number of shares of our Class A common stock, which would cause dilution to our existing stockholders. We have in the past, and may in the future, engage in exchanges, repurchase, or induce conversions of the Notes. Holders of the Notes that participate in any of these exchanges, repurchases, or induced conversions may enter into or unwind various derivatives with respect to our Class A common stock or sell shares of our Class A common stock in the open market to hedge their exposure in connection with these transactions. These activities could decrease (or reduce the size of any increase in) the market price of our Class A common stock or the Notes, or dilute the ownership interests of our stockholders. In addition, the market price of our Class A common stock is likely to be affected by short sales of our Class A common stock or the entry into or unwind of economically equivalent derivative transactions with respect to our Class A common stock by investors that do not participate in the exchange transactions and by the hedging activity of the counterparties to our capped call transactions ("Capped Calls") or their respective affiliates. In addition, in connection with the issuance of the 2025 Notes and 2026 Notes, we entered into Capped Calls with certain financial institutions (the “Option Counterparties”). The Capped Calls are generally expected to reduce potential dilution to our Class A common stock upon any conversion or settlement of the 2025 Notes and 2026 Notes and/or offset any cash payments we are required to make in excess of the principal amount of converted 2025 Notes and 2026 Notes, as the case may be, with such reduction and/or offset subject to a cap. If we unwind the Capped Calls in connection with Note repurchases or otherwise, we would lose the anti-dilutive impact of any unwound Capped Calls. From time to time, the Option Counterparties or their respective affiliates may modify their hedge positions by entering into or unwinding various derivative transactions with respect to our Class A common stock and/or purchasing or selling our Class A common stock or other securities of ours in secondary market transactions prior to the maturity of the Notes. This activity could cause a decrease in the market price of our Class A common stock. 47 47 47

The conversion of some or all of the Notes would dilute the ownership interests of existing stockholders to the extent we satisfy our conversion obligation by delivering shares of our Class A common stock upon any conversion of such Notes. Our 2025 Notes and 2026 Notes may become in the future convertible at the option of their holders under certain circumstances. If holders of our Notes elect to convert their notes, we may settle our conversion obligation by delivering to them a significant number of shares of our Class A common stock, which would cause dilution to our existing stockholders. In addition, in connection with the issuance of the 2023 Notes, we entered into warrant transactions with certain financial institutions (the “2023 Notes Option Counterparties”) pursuant to which we sold warrants for the purchase of our Class A common stock (“Warrants”). The Warrant transactions could separately have a dilutive effect to the extent that the market price per share of our Class A common stock exceeds the strike price of any Warrants unless, subject to the terms of the Warrant transactions, we elect to cash settle the Warrants. Through January 31, 2023, we have terminated Warrants corresponding to approximately 6 million shares. As of January 31, 2023, Warrants to acquire up to approximately 1 million shares (subject to adjustment) remained outstanding. In addition, in connection with the issuance of the 2025 Notes and 2026 Notes, we entered into capped call transactions (“Capped Calls”) with certain financial institutions (the 2025 Notes and 2026 Notes Capped Call Counterparties and together with the 2023 Notes Option Counterparties, the “Option Counterparties”). The Capped Calls are generally expected to reduce potential dilution to our Class A common stock upon any conversion or settlement of the 2025 Notes and 2026 Notes and/or offset any cash payments we are required to make in excess of the principal amount of converted 2025 Notes and 2026 Notes, as the case may be, with such reduction and/or offset subject to a cap. From time to time, the Option Counterparties or their respective affiliates may modify their hedge positions by entering into or unwinding various derivative transactions with respect to our Class A common stock and/or purchasing or selling our Class A common stock or other securities of ours in secondary market transactions prior to the maturity of the Notes. This activity could cause a decrease in the market price of our Class A common stock. 47 47 47

We have experienced significant growth in the number of our customers since our founding, but this growth has slowed in recent periods. As we increase our focus on sales to the world’s largest organizations, we do not expect customer growth to continue at the same pace as it has previously. This could cause customer growth to fall below analyst or investor expectations. If we fail to meet or exceed such expectations for this or any other reason, the market price of our Class A common stock could fall substantially, and we could face costly lawsuits, including securities class action suits. 21 21 21

We have experienced significant growth in the number of our customers in recent periods. As our customer base continues to grow and as we increase our focus on sales to the world’s largest organizations, we do not expect customer growth to continue at the same pace as it has previously. These factors could cause customer growth to fall below analyst or investor expectations. If we fail to meet or exceed such expectations for these or any other reasons, the market price of our Class A common stock could fall substantially, and we could face costly lawsuits, including securities class action suits.

We have experienced rapid growth since our founding in 2009. As we continue efforts to expand our business globally, we have faced new macroeconomic conditions, as well as operational and organizational challenges, that make it difficult to forecast our revenue and evaluate our business and future prospects. We have encountered and will continue to encounter risks and uncertainties that growing companies frequently experience in rapidly changing industries and macroeconomic environments, including the risks and uncertainties described in this document. Additionally, the sales cycle for the evaluation and implementation of our platform, which typically extends for multiple months for enterprise deals, may also cause us to experience a delay between increasing operating expenses and the generation of corresponding revenue, if any. Accordingly, we may be unable to prepare accurate internal financial forecasts or replace anticipated revenue that we do not receive as a result of delays arising from these factors, and our results of operations in future reporting periods may be below the expectations of investors. If we do not address these risks successfully, our results of operations could differ materially from our estimates and forecasts or the expectations of investors, causing our business to suffer and our stock price to decline.

17 17 17 Much of our growth has occurred in recent periods, which makes it difficult to forecast our revenue and evaluate our business and future prospects. We have encountered and will continue to encounter risks and uncertainties frequently experienced by growing companies in rapidly changing industries, including the risks and uncertainties described in this document. Additionally, the sales cycle for the evaluation and implementation of our platform, which typically extends for multiple months for enterprise deals, may also cause us to experience a delay between increasing operating expenses and the generation of corresponding revenue, if any. Accordingly, we may be unable to prepare accurate internal financial forecasts or replace anticipated revenue that we do not receive as a result of delays arising from these factors, and our results of operations in future reporting periods may be below the expectations of investors. If we do not address these risks successfully, our results of operations could differ materially from our estimates and forecasts or the expectations of investors, causing our business to suffer and our stock price to decline.

We are subject to global data protection laws and regulations (“Data Protection Laws”) that may impact how we do business with customers. Data Protection Laws, such as those applicable in the European Union, Canada and certain of its provinces, United Kingdom, Asia, and certain states in the United States, have enhanced data protection obligations for companies that handle personal data. Obligations include, for example, expanded disclosures about how personal data is to be used, individual rights to access and delete personal data, limitations on retention of personal data, mandatory data breach notification requirements and strict obligations on service providers. In addition, increasing numbers of Data Protection Laws restrict transfers of personal data outside of their country of origin to countries deemed to lack adequate privacy protections. These types of transfers must be supported by a transfer mechanism that we may be required to implement; for example, data transfers out of the European Economic Area may require certification to the EU-U.S. Data Privacy Framework (“DPF”) or agreeing to the European Commission’s Standard Contractual Clauses (“SCCs”), each of which impose additional compliance obligations. 32 32 32 One Okta subsidiary is a certified participant of the DPF and receives European personal data in the U.S. pursuant to the DPF and the SCCs, and by contrast, the rest of Okta relies on the SCCs for its lawful transfers of European personal data to the U.S. The DPF and the SCCs are subject to further review by European authorities (such as the Court of Justice of the European Union) and could be invalidated in the future, requiring expenditure of additional resources to support lawful transfers of European personal data. Additional jurisdictions continue to adopt data localization laws, which require personal data, or certain subcategories of personal data, to be stored in the jurisdiction of origin. These regulations may deter customers from using cloud-based services such as ours and may inhibit our ability to expand into those markets or prohibit us from continuing to offer services in those markets without significant additional costs. This regulatory environment applicable to the handling of personal data, and our actions taken in response, may cause us to assume additional liabilities or incur additional costs and could result in our business, results of operations and financial condition being harmed. We and our customers may face a risk of enforcement actions by an increasing number of global data protection authorities in countries where data protection laws apply to us and with which we may not be able to comply. Any such enforcement actions could result in substantial costs and diversion of resources, distract management and technical personnel and negatively affect our business, results of operations and financial condition. Non-compliance with these obligations can trigger significant fines. For example, in Europe fines for non-compliance can be a maximum of €20 million or 4% of total worldwide annual revenue, whichever is higher. In some U.S. states, fines can be up to $7,500 per violation, multiplied by the number of impacted individuals, and, in addition, some states allow a private right of action. Given the breadth and depth of changes in data protection obligations, complying with these requirements has caused us to expend significant resources, which is likely to continue into the near future as we respond to new interpretations and enforcement actions. In addition, new laws are continually being passed. For example, in the European Union, a draft ePrivacy Regulation extends strict opt-in marketing rules, alters rules on third-party cookies, web beacons and similar technology and significantly increases penalties for violations. India recently passed a comprehensive data protection law that will apply new privacy rules for the first time in that country. In addition, the number of U.S. states with comprehensive Data Protection Laws significantly increased in 2023. We cannot yet determine the impact that such future laws, regulations and standards may have on our business. Such laws and regulations are often subject to differing interpretations and may be inconsistent among jurisdictions. We may incur substantial expense in complying with any new obligations, we may be required to make significant changes in our business operations and product and services development, and we may not be able to comply with some of these regulatory developments, all of which may adversely affect our revenues and our business overall.

We are subject to the EU General Data Protection Regulation 2016/679 (“GDPR”) and the UK General Data Protection Regulation and Data Protection Act 2018 (“UK Data Protection Laws”). The GDPR and UK Data Protection Laws have enhanced data protection obligations for processors and controllers of personal data, including, for example, expanded disclosures about how personal data is to be used, limitations on retention of information, mandatory data breach notification requirements and onerous new obligations on services providers. Non-compliance with the GDPR can trigger fines of up to €20 million, or 4% of total worldwide annual revenue, whichever is higher. The UK Data Protection Laws mirror the fines under the GDPR. Given the breadth and depth of changes in data protection obligations, complying with its requirements has caused us to expend significant resources and such expenditures are likely to continue into the near future as we respond to new interpretations and enforcement actions following the effective date of the regulation and as we continue to negotiate data processing agreements with our customers and business partners. Separate EU laws and regulations (and member states’ implementations of them) govern the protection of consumers and of electronic communications and these are also evolving. A draft of the new ePrivacy Regulation extends the strict opt-in marketing rules with limited exceptions to business-to-business communications, alters rules on third-party cookies, web beacons and similar technology and significantly increases penalties. We cannot yet determine the impact that such future laws, regulations and standards may have on our business. Such laws and regulations are often subject to differing interpretations and may be inconsistent among jurisdictions. We may incur substantial expense in complying with any new obligations and we may be required to make significant changes in our business operations and product and services development, all of which may adversely affect our revenues and our business overall. In addition, the GDPR restricts transfers outside of the EU to third countries deemed to lack adequate privacy protections (such as the United States), unless an appropriate safeguard specified by the GDPR is implemented, such as the Standard Contractual Clauses (“SCCs”) approved by the European Commission and, until July 16, 2020, the Privacy Shield for EU-U.S. data transfers. With regard to transfers to the United States of personal data from our employees and European customers and users, we rely upon the SCCs. On July 16, 2020, in what is known as the “Schrems II” decision, the Court of Justice of the European Union (“CJEU”) invalidated the EU-U.S. Privacy Shield Framework (“Privacy Shield”) under which personal data could be transferred from the EEA to U.S. 32 32 32 entities who had self-certified under the Privacy Shield scheme. While the CJEU upheld the adequacy of the SCCs (a standard form of contract approved by the European Commission as an adequate personal data transfer mechanism, and potential alternative to the Privacy Shield), it made clear that reliance on them alone may not necessarily be sufficient in all circumstances. Use of the SCCs must now be assessed on a case-by-case basis taking into account the legal regime applicable in the destination country, in particular applicable surveillance laws and rights of individuals and additional measures and/or contractual provisions may need to be put in place. In June 2021, the European Commission issued new SCCs that account for the CJEU’s “Schrems II” decision. The new SCCs must be used for relevant new data transfers, and existing SCCs arrangements were required to be migrated to the new SCCs by December 27, 2022. These new SCCs only apply to the transfer of personal data outside the EEA, and not the United Kingdom. The United Kingdom’s Information Commissioner’s Office released revised UK standard contractual clauses that can be used from March 21, 2022, with a two-year grace period. U.S. and EU officials are actively seeking a solution to replace the Privacy Shield. On March 25, 2022, the U.S. and European Commission announced that they had agreed in principle to a new “Trans-Atlantic Data Privacy Framework” to enable trans-Atlantic data flows and address the concerns raised in the Schrems II decision. There is no clear timeline for the enactment of this new framework. Moreover, once enacted, the new framework is likely to be subject to legal challenges and may be struck down by the CJEU. Although we believe we continue to satisfy regulatory requirements through our use of SCCs, these latest developments may require major changes to our data transfer policy, including the need to conduct legal, technical, and security assessments for each data transfer from the EEA and UK to a country outside of the EEA and UK. This means that we may be unsuccessful in maintaining legitimate means for our transfer and receipt of personal data from the EEA and UK. We may, in addition to other impacts, experience additional costs associated with increased compliance burdens, and we and our customers face the potential for regulators in the EEA and UK to apply different standards to the transfer of personal data from the EEA and UK to the United States, and to block, or require ad hoc verification of measures taken with respect to, certain data flows from the EEA and UK to the United States. We also anticipate being required to engage in new contract negotiations with third parties that aid in processing data on our behalf, and entering into the new SCCs. We may experience reluctance or refusal by current or prospective European customers to use our products, and we may find it necessary or desirable to make further changes to our handling of personal data of EEA and UK residents. There are few viable alternatives to the SCCs, and the law in this area remains dynamic. These recent developments will require us to review and may require us to amend the legal mechanisms by which we make and/or receive personal data transfers to/in the United States. The regulatory environment applicable to the handling of EEA and UK residents' personal data, and our actions taken in response, may cause us to assume additional liabilities or incur additional costs and could result in our business, operating results and financial condition being harmed. We and our customers may face a risk of enforcement actions by data protection authorities in the EEA and UK relating to personal data transfers to us and by us from the EEA and UK. Any such enforcement actions could result in substantial costs and diversion of resources, distract management and technical personnel and negatively affect our business, operating results and financial condition. We also continue to see jurisdictions imposing data localization laws, which require personal information, or certain subcategories of personal information to be stored in the jurisdiction of origin. These regulations may deter customers from using cloud-based services such as ours, and may inhibit our ability to expand into those markets or prohibit us from continuing to offer services in those markets without significant additional costs. We and our customers are at risk of enforcement actions taken by certain EEA and UK data protection authorities until such point in time that we may be able to ensure that all transfers of personal data to us in the United States from the EEA and UK are conducted in compliance with all applicable regulatory obligations, the guidance of data protection authorities and evolving best practices. Any investigation or charges by EEA and UK data protection authorities could have a negative effect on our existing business and on our ability to attract and retain new customers. We may find it necessary to establish systems to maintain EEA and UK personal data within the EEA and UK, which may involve substantial expense and may cause us to need to divert resources from other aspects of our business, all of which may adversely affect our business.