high match confidence
Sentence-level differences:
- Reworded sentence: "Our compliance, cybersecurity and data privacy programs, cybersecurity technology, and risk management cannot eliminate all system risk."
- Reworded sentence: "Global cybersecurity threats are rapidly evolving and attacks to identities, networks, platforms, systems, and endpoints can range from uncoordinated individual attempts to sophisticated and targeted measures known as advanced persistent threats, directed at the Company, its businesses, its customers, and/or its third-party service providers, including, but not limited to, cloud providers and providers of network management services."
- Added sentence: "We face emerging risks from AI-powered attacks, including deepfakes used to impersonate executives or customers, AI-assisted social engineering, prompt injection attempts against AI systems, and data poisoning targeting machine learning models."
- Added sentence: "These sophisticated attack techniques may bypass traditional security controls."
- Added sentence: "Additionally, zero-day vulnerabilities, which are previously unknown security flaws with no available patches, pose risks that cannot be fully mitigated through our standard vulnerability management processes, requiring rapid detection and response capabilities to minimize potential damage."
Current (2026):
Our business operations are dependent upon information technology networks and systems to securely transmit, process, and store information and to communicate among our locations around the world and with clients, suppliers, and business partners. A shutdown of, or inability to access, one or more of our facilities, a power outage, or a failure of one or more of our information technology, telecommunications, or other systems could significantly impair our ability to perform such functions on a timely basis. Our compliance, cybersecurity and data privacy programs, cybersecurity technology, and risk management cannot eliminate all system risk. Credential compromise and identity-based attacks represent risks, and while we deploy identity threat protection and multi-factor authentication across our enterprise systems, determined attackers may still gain unauthorized access through sophisticated credential theft, session hijacking, social engineering, or privilege escalation techniques. Cybersecurity incidents including ransomware attacks, insider threats, system disruptions, and configuration errors could result in the misappropriation or corruption of data and assets, or disruptions to our business strategy, results of operations, and financial condition, and may require notification to customers and regulators with associated investigation, remediation, and monitoring obligations. These disruptions may include, but are not limited to, interruptions to business operations, loss of intellectual property, release of confidential information, alteration or corruption of data or systems, costs related to remediation or the payment of ransom, litigation (including individual claims, consumer class actions, or commercial litigation), administrative, civil, or criminal investigations or actions, regulatory intervention and sanctions or fines, investigation and remediation costs, and prolonged negative publicity. 
While we have experienced disruptions, and our Vertafore business was previously subject to litigation regarding the exposure of data which was dismissed, none of these matters had a significant impact on our business. We rely on business partners such as third-party data centers and cloud platforms, such as Amazon Web Services, Google Cloud Platform, Microsoft Azure, and Oracle Cloud to host certain enterprise and customer systems. Our software development and business operations rely on open-source components, third-party software libraries, and vendor dependencies that could contain undisclosed vulnerabilities, be subject to supply chain attacks, or become unavailable, potentially affecting our products, hosted services, and internal systems. Our ability to monitor such third parties’ security measures and the full impact of the systemic risk is limited, and concentration with a limited number of providers increases exposure to outages and pricing changes. If any third-party system or cloud platform that we use is unavailable to us for any reason, our customers may experience service interruptions, which could significantly impact our operations, reputation, business, and financial results. Failure of our systems or those of our third-party service providers, may result in interruptions in our service and loss of data or processing capabilities, all of which may cause a loss in customers, refunds of product fees, and/or material harm to our reputation and operating results. While certain of our businesses have experienced temporary disruptions, their impact has been limited and did not have a significant impact on our businesses. 
Global cybersecurity threats are rapidly evolving and attacks to identities, networks, platforms, systems, and endpoints can range from uncoordinated individual attempts to sophisticated and targeted measures known as advanced persistent threats, directed at the Company, its businesses, its customers, and/or its third-party service providers, including, but not limited to, cloud providers and providers of network management services. These may include such things as unauthorized access, phishing attacks, denial of service, insider threats, data exfiltration and extortion, introduction of malware or ransomware, and other disruptive problems caused by threat actors. We face emerging risks from AI-powered attacks, including deepfakes used to impersonate executives or customers, AI-assisted social engineering, prompt injection attempts against AI systems, and data poisoning targeting machine learning models. These sophisticated attack techniques may bypass traditional security controls. Additionally, zero-day vulnerabilities, which are previously unknown security flaws with no available patches, pose risks that cannot be fully mitigated through our standard vulnerability management processes, requiring rapid detection and response capabilities to minimize potential damage. While we have experienced and expect to continue to experience these types of cybersecurity threats and incidents, none of them to date have been material to the Company. We seek to deploy measures to protect, detect, respond, and recover from cybersecurity threats and incidents, including identity and access controls, employee training, data protection, vulnerability management, incident response, secure product development, continuous monitoring of our networks, platforms, endpoints, and systems, and maintenance of ransomware resilient backup and recovery capabilities. 
Our customers are increasingly requiring cybersecurity protections and mandating cybersecurity standards in our products and services, and we may incur additional costs to comply with such demands. Despite these efforts, we can make no assurances that we will be able to mitigate, detect, prevent, timely and adequately respond, or fully recover from the negative effects of cybersecurity incidents, and such cybersecurity incidents, depending on their nature and scope, could potentially result in the misappropriation, destruction, corruption, or unavailability of critical data and confidential or proprietary information (our own or that of third parties) and the disruption of business operations. The potential consequences of a material cybersecurity incident include financial loss, reputational damage, damage to our IT systems, data loss, litigation, theft of intellectual property, regulatory fines, customer attrition, diminution in the value of our investments in research and development (“R&D”), and increased cybersecurity protection and remediation costs, which may not be fully covered by insurance and could adversely affect our competitiveness and results of operations. Any imposition of liability, particularly liability that is not covered by insurance or is in excess of insurance coverage, could materially harm our operating results and financial condition.
Prior text (2025):
Our business operations are dependent upon information technology networks and systems to securely transmit, process, and store information and to communicate among our locations around the world and with clients, suppliers, and business partners. A shutdown of, or inability to access, one or more of our facilities, a power outage, or a failure of one or more of our information technology, telecommunications, or other systems could significantly impair our ability to perform such functions on a timely basis. Our compliance, cyber and data privacy programs, cybersecurity technology, and risk management cannot eliminate all system risk. Cybersecurity incidents, ransomware attacks, systems disruptions or interruptions, cyberattacks, configuration or human error, insider threat, and/or other external hazards or threats could result in the misappropriation of assets or information, corruption of data, or disruptions in our business strategy, results of operations, and financial condition. These disruptions may include, but are not limited to, interruptions to business operations, loss of intellectual property, release of confidential information, malicious alteration or corruption of data or systems, costs related to remediation or the payment of ransom, litigation including individual claims or consumer class actions, commercial litigation, administrative, and civil or criminal investigations or actions, regulatory intervention and sanctions or fines, investigation and remediation costs, and possible prolonged negative publicity. We rely on business partners such as third-party data centers and cloud platforms, such as Amazon Web Services, Google Cloud Platform, and Microsoft Azure to host certain enterprise and customer systems. Our ability to monitor such third parties’ security measures and the full impact of the systemic risk is limited. 
If any third-party system or cloud platform that we use is unavailable to us for any reason, our customers may experience service interruptions, which could significantly impact our operations, reputation, business, and financial results. Failure of our systems or those of our third-party service providers, may result in interruptions in our service and loss of data or processing capabilities, all of which may cause a loss in customers, refunds of product fees, and/or material harm to our reputation and operating results. While certain of our businesses have experienced temporary disruptions, their impact has been limited and did not have a significant impact on our businesses. Global cybersecurity threats are rapidly evolving and attacks to networks, platforms, systems, and endpoints can range from uncoordinated individual attempts to sophisticated and targeted measures known as advanced persistent threats, directed at the Company, its businesses, its customers, and/or its third-party service providers, including, but not limited to, cloud providers and providers of network management services. These may include such things as unauthorized access, phishing attacks, denial of service, insider threats, data exfiltration and extortion, introduction of malware or ransomware, and other disruptive problems caused by threat actors. While we have experienced and expect to continue to experience these types of cybersecurity threats and incidents, none of them to date have been material to the Company. We seek to deploy measures to protect, detect, respond, and recover from cybersecurity threats and incidents, including identity and access controls, employee training, data protection, vulnerability management, incident response, secure product development, continuous monitoring of our networks, platforms, endpoints, and systems, and maintenance of ransomware resilient backup and recovery capabilities. 
Our customers are increasingly requiring cybersecurity protections and mandating cybersecurity standards in our products and services, and we may incur additional costs to comply with such demands. Despite these efforts, we can make no assurances that we will be able to mitigate, detect, prevent, timely and adequately respond, or fully recover from the negative effects of cyberattacks, cybersecurity incidents, or other security compromises, and such attacks, compromises, or cybersecurity incidents, depending on their nature and scope, could potentially result in the misappropriation, destruction, corruption, or unavailability of critical data and confidential or proprietary information (our own or that of third parties) and the disruption of business operations. The potential consequences of a material cybersecurity incident include financial loss, reputational damage, damage to our IT systems, data loss, litigation with third parties, theft of intellectual property, fines, customer attrition, diminution in the value of our investment in research and development, and increased cybersecurity protection and remediation costs due to the increasing sophistication and proliferation of threats, which in turn could adversely affect our competitiveness and results of operations. Any imposition of liability, particularly liability that is not covered by insurance or is in excess of insurance coverage, could materially harm our operating results and financial condition.