ZM: 10-K Risk Factor Changes

There have been various Congressional and executive efforts to eliminate or modify Section 230 of the Communications Act of 1934, enacted as part of the Communications Decency Act of 1996. Section 230 provides protection for providers of online service from liability for content produced by third parties and protects the right to engage in moderation of user content. The current administration and many members of Congress from both parties support the reform or repeal of Section 230, so the possibility of Congressional action remains. In addition, the FCC is considering a petition to adopt rules interpreting Section 230, which limits the liability of internet platforms for third-party content that is transmitted via those platforms and for good-faith moderation of offensive content. No date has been set for a vote on that proposal, and the FCC has not released any document describing the rules that would be proposed. There is no schedule for action by the FCC on the petition. If Congress revises or repeals Section 230 or the FCC adopts rules, we may no longer be afforded the same level of protection offered by Section 230. In addition, there are pending cases before the judiciary that may result in changes to the protections afforded to internet platforms, including a lawsuit that, if successful, would greatly limit the scope of Section 230. The U.S. Supreme Court recently declined to limit the applicability of Section 230 in certain circumstances, but future cases may not yield the same results and a recent decision by the U.S. Court of Appeals for the Third Circuit would limit the applicability of Section 230 to curated content. These various efforts to limit the protections provided by Section 230 would increase the risks faced by internet-based businesses, like Zoom, that rely on third-party content. Even if claims asserted against us do not result in liability, we may incur substantial costs in investigating and defending such claims. If we are found liable for our customers’ or other users’ activities, we could be required to pay fines or penalties, redesign business methods, or otherwise expend resources to remedy any damages caused by such actions and to avoid future liability. Legislation has been adopted in Florida and Texas that is intended to reduce or eliminate the power of businesses operating on the Internet to moderate user-generated content, implicitly eliminating the federal protections granted under Section 230. Similar legislation has been introduced in other states. Implementation of the Florida and Texas statutes has been stayed by various federal courts, including the U.S. Supreme Court. On August 18, 2022, the parties in the Florida case requested, and were granted, a stay of the appeals court mandate pending Supreme Court review. On September 16, 2022, the U.S. Court of Appeals for the Fifth Circuit issued a decision upholding the Texas law. On September 30, the parties in that case filed an unopposed motion to stay the Fifth Circuit decision pending Supreme Court review, and the Fifth Circuit granted that request on October 13, 2022. On September 29, 2023, the Supreme Court announced that it would review both the Florida and Texas decisions, and on July 1, 2024, the Court issued a decision returning both cases to the trial courts for additional analysis. The district court in Texas, on August 29, 2024, issued a decision staying some portions of the Texas law and allowing others to go into effect, relying on analysis under both Section 230 and the First Amendment, and on November 18, 2024, the Fifth Circuit issued an order setting parameters for the district court's consideration of the issues raised by the Supreme Court. The district court in Florida set a trial date in its case for June 2025. Florida amended its statute in an effort to address issues that led the court to issue the stay. It is likely that any other such state legislation also would be challenged under the First Amendment to the U.S. Constitution and on the ground that it is preempted by Section 230. In addition, on August 27, 2024, the U.S. Court of Appeals for the Third Circuit issued a decision limiting the protections afforded by Section 230 in cases where a social media company curates user feeds to the extent that the feed becomes the speech of the company, reversing a trial court decision that 39 39 39 Table of Contents Table of Contents immunized the company under Section 230. We cannot predict whether any such state legislation will be adopted, enforced, modified, overturned, or vacated. Furthermore, new laws and regulations have been enacted or are being considered that impose extensive obligations regarding online safety and the operation of online services or platforms, such as the OSA and DSA, which may increase our compliance costs, require changes to our processes, operations, and business practices. For example, these new laws and regulations may seek to regulate the sharing of user‑generated content and require us to identify, mitigate, and manage the risks of harm to users from illegal or harmful content. Violating these obligations could carry significant consequences. For example, violating the DSA can result in fines of up to 6% of total annual worldwide revenue and violating the OSA can result in audits, inspections, and fines of up to £18 million or 10% of worldwide revenue, whichever is higher.

There have been various Congressional and executive efforts to eliminate or modify Section 230 of the Communications Act of 1934, enacted as part of the Communications Decency Act of 1996. Section 230 provides protection for providers of online service from liability for content produced by third parties and protects the right to engage in moderation of user content. President Biden and many Members of Congress from both parties support the reform or repeal of Section 230, so the possibility of Congressional action remains. In addition, the FCC is considering a petition, filed by the Trump Administration, to adopt rules interpreting Section 230, which limits the liability of internet platforms for third-party content that is transmitted via those platforms and for good-faith moderation of offensive content. No date has been set for a vote on that proposal, and the FCC has not released any document describing the rules that would be proposed. The Democratic members of the FCC have indicated that they are opposed to the petition and now control the agenda of the FCC. There is no schedule for action by the FCC on the petition. If Congress revises or repeals Section 230 or the FCC adopts rules, we may no longer be afforded the same level of protection offered by Section 230. In addition, there are pending cases before the judiciary that may result in changes to the protections afforded to internet platforms, including a lawsuit by former President Trump that, if successful, would greatly limit the scope of Section 230. The U.S. Supreme Court recently declined to limit the applicability of Section 230 in certain circumstances, but future cases may not yield the same results. These various efforts to limit the protections provided by Section 230 would increase the risks faced by internet-based businesses, like Zoom, that rely on third-party content. Even if claims asserted against us do not result in liability, we may incur substantial costs in investigating and defending such claims. If we are found liable for our customers’ or other users’ activities, we could be required to pay fines or penalties, redesign business methods, or otherwise expend resources to remedy any damages caused by such actions and to avoid future liability. Legislation has been adopted in Florida and Texas that is intended to reduce or eliminate the power of businesses operating on the Internet to moderate user-generated content, implicitly eliminating the federal protections granted under Section 230. Similar legislation has been introduced in other states in 2022, including a bill that has passed the Georgia State Senate and is pending before the Georgia House. Implementation of the Florida and Texas statutes has been stayed by various federal courts, including the U.S. Supreme Court. On August 18, the parties in the Florida case requested, and were granted, a stay of the appeals court mandate pending Supreme Court review. On September 16, 2022, the U.S. Court of Appeals for the Fifth Circuit issued a decision upholding the Texas law. On September 30, the parties in that case filed an unopposed motion to stay the Fifth Circuit decision pending Supreme Court review, and the Fifth Circuit granted that request on October 13, 2022. On September 29, 2023, the Supreme Court announced that would review both the Florida and Texas decisions. A Supreme Court decision is expected during the first half of 2024. Florida recently amended its statute in an effort to address issues that led the court to issue the stay. It is likely that any other such state legislation also would be challenged under the First 38 38 38 Table of Contents Table of Contents Amendment to the U.S. Constitution and on the ground that it is preempted by Section 230. We cannot predict whether any such state legislation will be adopted, enforced, modified, overturned, or vacated. Furthermore, new laws and regulations have been enacted or are being considered that impose extensive obligations regarding online safety and the operation of online services or platforms, such as the OSA and DSA, which may increase our compliance costs, require changes to our processes, operations, and business practices. For example, these new laws and regulations may seek to regulate the sharing of user‑generated content and require us to identify, mitigate, and manage the risks of harm to users from illegal or harmful content. Violating these obligations could carry significant consequences. For example, violating the DSA can result in fines of up to 6% of total annual worldwide revenue and violating the OSA can result in audits, inspections, and fines of up to £18 million or 10% of worldwide revenue, whichever is higher.

In the ordinary course of our business, we and the third parties with whom we work collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share confidential, proprietary, and sensitive data, including data of ours, our customers, and our users, the data which includes personal information, customer and user content, health-related data, intellectual property, trade secrets, business plans, and financial information. We and the third parties upon which we rely face a variety of evolving threats, including but not limited to ransomware attacks, which could cause security incidents. We routinely investigate security incidents, which have occurred in the past and may occur in the future, that result in unauthorized access to, loss or unauthorized disclosure of, or inadvertent disclosure of confidential, proprietary, and sensitive information. Cyberattacks, other malicious internet-based activity, online and offline fraud, and other similar activities threaten the confidentiality, integrity, and availability of our proprietary, confidential, and sensitive data and information technology systems, and those of the third parties with whom we work. Cloud-based platform providers of products and services have been and are expected to continue to be targeted. Threats are prevalent and continue to rise, are increasingly difficult to detect, and 21 21 21 Table of Contents Table of Contents come from a variety of sources, including traditional computer “hackers,” threat actors, “hacktivists,” organized criminal threat actors, personnel (such as through theft or misuse), sophisticated nation-state and nation-state supported actors, and advanced persistent threat intrusions. Some actors now engage and are expected to continue to engage in cyberattacks, including without limitation nation-state actors for geopolitical reasons and in conjunction with military conflicts and defense activities. During times of war and other major conflicts, we and the third parties with whom we work may be vulnerable to a heightened risk of these attacks, which could materially disrupt our systems and operations, supply chain, and ability to provide our services. We and the third parties with whom we work are subject to a variety of evolving threats, including but not limited to social-engineering attacks (including through deep fakes, which may be increasingly more difficult to identify as fake, and phishing attacks), malicious code (such as viruses and worms), malware (including as a result of advanced persistent threat intrusions), denial-of-service attacks, credential stuffing, personnel misconduct or error, supply-chain attacks, software bugs, server malfunctions, software or hardware failures, loss of data or other information technology assets, adware, telecommunications failures, attacks enhanced or facilitated by AI, earthquakes, fires, floods, and other similar threats. Ransomware attacks, including those perpetrated by organized criminal threat actors, nation-states, and nation-state-supported actors, are becoming increasingly prevalent and severe and can lead to significant interruptions in our operations or our ability to provide our products or services, loss of data and income, reputational harm, and diversion of funds. Extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments. Additionally, our platform, products, and services are relied on by a large number of companies worldwide and as a result, if our platform, products, or solutions are compromised, a significant number or all of our customers and their data could be simultaneously affected. The potential liability and associated consequences we could suffer as a result of such a large-scale event could be catastrophic and result in irreparable harm. Future or past business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities’ systems and technologies. Furthermore, we have discovered, and may in the future discover security issues that were not found during due diligence of such acquired or integrated entities, and it may be difficult to integrate companies into our information technology environment and security program. In addition, our reliance on third parties has in the past and could continue to introduce new cybersecurity risks and vulnerabilities, including supply-chain attacks, and other threats to our business operations. We rely on third parties to operate critical business systems to process confidential, proprietary, and sensitive data in a variety of contexts, including, without limitation, cloud-based infrastructure, data center facilities, encryption and authentication technology, employee email, content delivery to customers, and other functions. We also rely on third parties to provide other products, services and parts, or otherwise to operate our business. Our ability to monitor these third parties’ information security practices is limited, and these third parties may not have adequate information security measures in place. If the third parties with whom we work experience a security incident or other interruption, we could experience adverse consequences. While we may be entitled to damages if the third parties with whom we work fail to satisfy their privacy or security-related obligations to us, any award may be insufficient to cover our damages, or we may be unable to recover such award. In addition, supply-chain attacks have increased in frequency and severity, and we cannot guarantee that third parties’ infrastructure in our supply chain or that of the third parties with whom we work supply chains have not been compromised. If our security measures are compromised, as has occurred in the past, our reputation could be damaged; our data, information or intellectual property, or that of our customers, may be destroyed, stolen, or otherwise compromised; our business may be harmed; and we could incur significant liability. We take steps designed to detect and remediate vulnerabilities in our information systems and those of third parties with whom we work, but we may not detect or remediate all such vulnerabilities or do so in a timely manner. The threats and techniques used to exploit vulnerabilities change frequently and are often sophisticated in nature, and may be difficult to detect by security tools. Vulnerabilities could be exploited and result in a security incident. We have limited budgetary and human resources for detecting and remediating vulnerabilities and have experienced difficulties in hiring and retaining qualified security personnel, especially after our recent restructuring actions. We may experience delays in developing and deploying remedial measures, including patches, designed to address identified vulnerabilities, and our remedial measures may require action by our customers such as installing patches or updates, which may increase the amount of time a vulnerability remains unremediated. We have not always been able in the past and may be unable in the future to anticipate or prevent threats or techniques used to detect or exploit vulnerabilities in our information systems or third-party software, or obtain unauthorized access to or compromise our systems. In addition, security researchers and other individuals have in the past and will continue in the future to actively search for and exploit actual and potential vulnerabilities in our software or services. This activity may increase because of increased demand for our services and increased media scrutiny of our unified communications and collaboration platform, and can lead to additional adverse publicity, reputational harm, extortion threats, business and operational interruptions, security incidents, additional expenses, litigation, regulatory investigations and actions, and substantial harm to our business, some of which we have experienced. For example, in July 2019, a security researcher published a blog highlighting concerns with the Zoom Meeting platform, including certain video-on features. We were able to release updates to the software addressing these 22 22 22 Table of Contents Table of Contents vulnerabilities, and we are not aware of any customers being affected or meetings compromised by these vulnerabilities. In most cases customers are responsible for installing this update to the software, and their software is subject to these vulnerabilities until they do so. Additionally, in March 2020, a security researcher reported certain vulnerabilities related to our macOS version that could have allowed an unauthorized person to gain root access to a user’s system. Given the nature of our business and operations, our products and services will inevitably contain vulnerabilities or critical security defects that have not been identified or remediated and cannot be disclosed without compromising security. We have identified high or critical vulnerabilities in our products, services and information systems in the past, and we expect that we will continue to identify such vulnerabilities in the future. We cannot be certain that we will be able to address any vulnerabilities in our products, services and information systems that we may become aware of in the future, or there may be delays in developing patches that can be effectively deployed to address vulnerabilities. We will continue to make prioritization decisions based on, among other things, our available resources, the efficacy of our security tools, and the increasing workload to meet certain security obligations, to determine which vulnerabilities or security defects to fix and the timing of these fixes, which could result in an exploit that compromises security. In some cases, customers are responsible for installing our software updates, and until they do so, their service remains subject to the vulnerabilities addressed in the software update. Vulnerabilities and critical security defects, errors in remediating vulnerabilities or security defects, failure of third-party providers to remediate vulnerabilities or security defects, or customers not deploying security releases or deciding not to install software updates could result in claims of liability against us, damage our reputation, or otherwise harm our business. Security incidents and vulnerabilities, and concerns regarding privacy, data protection, and information security may also prevent some of our customers and users from using or cause some of our customers and users to stop using our solutions and fail to upgrade or renew their subscriptions. Failures to meet customers’ and users’ expectations with respect to security and confidentiality of their data and information could damage our reputation and affect our ability to retain customers and users, attract new customers and users, and grow our business. In addition, cybersecurity events or security vulnerabilities could result in breaches of our agreements with customers, lawsuits against us (including class action litigation), regulatory investigations or actions, and significant increases in costs, including costs for remediating the effects of such an event or vulnerability, lost revenue due to network downtime, and a decrease in customer and user trust, increases in insurance premiums due to cybersecurity incidents, increased costs to address cybersecurity issues, and attempts to prevent future incidents, fines, penalties, judgments and settlements, and attorney fees, and harm to our business and our reputation because of any such incident. Any of the previously identified or similar threats could cause a security incident or other interruption that could result in unauthorized, unlawful, or accidental acquisition, modification, destruction, loss, alteration, encryption, disclosure of, or access to confidential, proprietary, or sensitive data or our information technology systems, or those of the third parties with whom we work A security incident or other interruption could disrupt our ability (and that of third parties with whom we work) to provide our services. We expend significant resources or modify our business activities to try to protect against security incidents. Additionally, certain privacy, data protection, and information security obligations require us to implement and maintain certain security measures or industry-standard or reasonable security measures to protect our information technology systems and sensitive data. Many governments have enacted laws requiring companies to provide notice of data security incidents, including those recently promulgated by the SEC. These laws may also require us to take certain measures, such as providing credit monitoring to individuals. Such laws are inconsistent, and compliance in the event of a widespread data breach is costly, and the disclosure or the failure to comply with such requirements could lead to adverse consequences. In addition, some of our customers require us to notify them of data security breaches. Actual or perceived security gaps or security compromises experienced in our industry or by our competitors, our customers, a third party with whom we work, or us could cause us to experience adverse consequences, such as government enforcement actions (for example, investigations, fines, penalties, audits, and inspections); additional reporting requirements and/or oversight; restrictions on processing sensitive data (including personal information); litigation (including class claims); indemnification obligations; negative publicity; reputational harm; monetary fund diversions; diversion of management attention; interruptions in our operations (including availability of data); financial loss; and other similar harms. Security incidents and attendant consequences may cause customers to stop using our services, deter new customers from using our services, and negatively impact our ability to grow and operate our business. In addition, while more than half of our employees are based in the United States, like many similarly situated technology companies, we have a sizable number of research and development personnel outside of the United States, including in China, which has exposed and could continue to expose us to governmental and regulatory as well as market and media scrutiny regarding the actual or perceived integrity of our platform or data security and privacy features. 23 23 23 Table of Contents Table of Contents Increased usage of our services, novel uses of our services, and additional awareness of Zoom and our brand has led and could in the future lead to greater public scrutiny of, press related to, or a negative perception of our information security and potential vulnerabilities associated with our platform. For example, during the COVID-19 pandemic, we opened our platform to unprecedented numbers of first-time users, leading to challenges for users who did not have full IT support or established protocols for security and privacy like our larger customers. As a result, we have experienced negative publicity related to meeting disruptions and security and privacy issues, including on encryption. Such unfavorable publicity and scrutiny could result in material reputational harm, a loss of customer and user confidence, increased regulatory or litigation exposure, additional expenses, and other harm to our business. There can be no assurance that any limitations of liability provisions in our subscription agreements, terms of use or other agreements would be enforceable or adequate or would otherwise protect us from any such liabilities or damages with respect to any particular claim. We also cannot be sure that our existing general liability insurance coverage and coverage for cyber liability or errors or omissions will continue to be available on acceptable terms or will be available in sufficient amounts to cover one or more large claims or that the insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that are not covered or exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could harm our business. In addition to experiencing a security incident, third parties may gather, collect, or infer sensitive information about us from public sources, data brokers, or other means that reveals competitively sensitive details about our organization and could be used to undermine our competitive advantage or market position.

Unlike traditional communications and collaborations technologies, our services depend on our users’ high-speed broadband access to the internet, usually provided through a cable or digital subscriber line connection. Increasing numbers of users and increasing bandwidth requirements may degrade the performance of our platform due to capacity constraints and other internet infrastructure limitations. As our number of users has grown and their usage of communications capacity has increased, we have been required to make additional investments in network capacity to maintain adequate data transmission speeds, the availability of which may be limited, or the cost of which may be on terms unacceptable to us. If adequate capacity does not continue to be available to us to support our user base in the future, our network may be unable to achieve or maintain sufficiently high data transmission capacity, reliability, or performance. In addition, if internet service providers and other third parties providing internet services have outages or deteriorations in their quality of service, our users will not have access to our platform or may experience a decrease in the quality of our platform. Furthermore, as the rate of adoption of new technologies increases, the networks our platform relies on may not be able to sufficiently adapt to the increased demand for these services, including ours. Frequent or persistent interruptions could cause current or potential users to believe that our systems or platform are unreliable, leading them to switch to our competitors or to avoid our platform, which could permanently harm our business. In addition, users who access our platform through mobile devices, such as smartphones and tablets, must have a high-speed connection, such as 3G, 4G, 5G, LTE, satellite, or Wi-Fi, to use our services and applications. Currently, this access is provided by companies that have significant and increasing market power in the broadband and internet access marketplace, including incumbent phone companies, cable companies, satellite companies, and wireless companies. Some of these providers offer products and subscriptions that directly compete with our own offerings, which can potentially give them a competitive advantage. Also, these providers could take measures that degrade, disrupt, or increase the cost of user access to third-party services, including our platform, by restricting or prohibiting the use of their infrastructure to support or facilitate third-party services or by charging increased fees to third parties or the users of third-party services, any of which would make our platform less attractive to users and reduce our revenue. 20 20 20 Table of Contents Table of Contents On January 4, 2018, the Federal Communications Commission (“FCC”) released an order reclassifying broadband internet access as an information service, a regulatory regime generally referred to as network neutrality, subject to certain provisions of Title I of the Communications Act. The order requires broadband providers to publicly disclose accurate information regarding network management practices, performance characteristics, and commercial terms of their broadband internet access services sufficient to enable consumers to make informed choices regarding the purchase and use of such services, and entrepreneurs and other small businesses to develop, market, and maintain internet offerings. The new rules went into effect on June 11, 2018. Numerous parties filed judicial challenges to the order, and on October 1, 2019, the United States Court of Appeals for the District of Columbia Circuit released a decision that rejected nearly all of the challenges to the new rules, but reversed the FCC’s decision to prohibit all state and local regulation targeted at broadband internet service, requiring case-by-case determinations as to whether state and local regulation conflicts with the FCC’s rules. The court also required the FCC to reexamine three issues from the order but allowed the order to remain in effect, while the FCC conducts that review. On October 27, 2020, the FCC adopted an order concluding that the three issues remanded by the court did not provide a basis to alter its conclusions in the 2018 order. On October 19, 2023, the FCC adopted a notice of proposed rulemaking that would reinstate the 2018 rules and asked for comment on that proposal and on potential changes to those rules. We cannot predict whether or when the FCC will adopt new rules or the impact of any rules that may be adopted on our operations or business. In addition, a number of states have adopted or are adopting or considering legislation or executive actions that would regulate the conduct of broadband providers. After a federal court judge denied a request for a preliminary injunction against California’s state-specific network neutrality law, California began enforcing that law on March 25, 2021. A number of other states have adopted or are adopting or considering legislation or executive actions that would regulate the conduct of broadband providers. A similar law in Vermont is subject to a pending challenge, but went into effect on April 20, 2022 and the challenge has been suspended until an appeal in another case addressing state powers to adopt internet regulation is resolved. We cannot predict whether the FCC order or other state initiatives will be enforced, modified, overturned, or vacated by legal action of the court, federal legislation, or the FCC. In addition, the status of state regimes may be affected by the FCC's action in its new network neutrality proceeding. Under the FCC’s current rules, broadband internet access providers may be able to charge web-based services such as ours for priority access or favor services offered by our competitors or by the internet access providers themselves, which could result in increased costs and a loss of existing customers, impair our ability to attract new customers, and harm our business. If there are changes to the regulatory structures in the United States or elsewhere that reduce investment in infrastructure by internet service providers, including a return of the network neutrality regulations that were repealed, any impacts of reduced investment that reduce network capacity or speed could have a negative effect on our business, operating results, and financial condition. Our security measures, and those of third parties upon which we rely, have been compromised in the past and may be compromised in the future. If our security measures are compromised in the future or if our information technology fails, this could harm our reputation, expose us to significant fines and liability, impair our sales, and harm our business. In addition, our products and services may be perceived as not being secure. This perception may result in customers and users curtailing or ceasing their use of our products, our incurring significant liabilities, and our business being harmed. In the ordinary course of our business, we and the third parties upon which we rely collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share confidential, proprietary, and sensitive data, including data of ours, our customers, and our users, the data which includes personal information, customer and user content, health-related data, intellectual property, trade secrets, business plans, and financial information. We and the third parties upon which we rely face a variety of evolving threats, including but not limited to ransomware attacks, which could cause security incidents. Security incidents have occurred in the past and may occur in the future, resulting in unauthorized access to, loss or unauthorized disclosure of, or inadvertent disclosure of confidential, proprietary, and sensitive information. Cyberattacks, other malicious internet-based activity, online and offline fraud, and other similar activities threaten the confidentiality, integrity, and availability of our proprietary, confidential, and sensitive data and information technology systems, and those of the third parties upon which we rely. Cloud-based platform providers of products and services have been and are expected to continue to be targeted. Threats are prevalent and continue to rise, are increasingly difficult to detect, and come from a variety of sources, including traditional computer “hackers,” threat actors, “hacktivists,” organized criminal threat actors, personnel (such as through theft or misuse), sophisticated nation-state and nation-state supported actors, and advanced persistent threat intrusions. Some actors now engage and are expected to continue to engage in cyberattacks, including without limitation nation-state actors for geopolitical reasons and in conjunction with military conflicts and defense activities. During times of war and other major conflicts, we and the third parties upon which we rely may be vulnerable to a heightened risk of these attacks, which could materially disrupt our systems and operations, supply chain, and ability to provide our services. We may be subject to a variety of evolving threats, including but not limited to social-engineering attacks (including through deep fakes, which may be increasingly more difficult to identify as fake, and phishing attacks), malicious code (such as viruses and worms), malware (including as a result of advanced persistent threat intrusions), denial-of-service attacks, credential stuffing, 21 21 21 Table of Contents Table of Contents personnel misconduct or error, supply-chain attacks, software bugs, server malfunctions, software or hardware failures, loss of data or other information technology assets, adware, telecommunications failures, attacks enhanced or facilitated by AI, earthquakes, fires, floods, and other similar threats. Ransomware attacks, including those perpetrated by organized criminal threat actors, nation-states, and nation-state-supported actors, are becoming increasingly prevalent and severe and can lead to significant interruptions in our operations or our ability to provide our products or services, loss of data and income, reputational harm, and diversion of funds. Extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments. Additionally, our platform, products, and services are relied on by a large number of companies worldwide and as a result, if our platform, products, or solutions are compromised, a significant number or all of our customers and their data could be simultaneously affected. The potential liability and associated consequences we could suffer as a result of such a large-scale event could be catastrophic and result in irreparable harm. Future or past business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities’ systems and technologies. Furthermore, we may discover security issues that were not found during due diligence of such acquired or integrated entities, and it may be difficult to integrate companies into our information technology environment and security program. In addition, our reliance on third-party service providers could introduce new cybersecurity risks and vulnerabilities, including supply-chain attacks, and other threats to our business operations. We rely on third-party service providers and technologies to operate critical business systems to process confidential, proprietary, and sensitive data in a variety of contexts, including, without limitation, cloud-based infrastructure, data center facilities, encryption and authentication technology, employee email, content delivery to customers, and other functions. We also rely on third-party service providers to provide other products, services and parts, or otherwise to operate our business. Our ability to monitor these third parties’ information security practices is limited, and these third parties may not have adequate information security measures in place. If our third-party service providers experience a security incident or other interruption, we could experience adverse consequences. While we may be entitled to damages if our third-party service providers fail to satisfy their privacy or security-related obligations to us, any award may be insufficient to cover our damages, or we may be unable to recover such award. In addition, supply-chain attacks have increased in frequency and severity, and we cannot guarantee that third parties’ infrastructure in our supply chain or our third-party partners’ supply chains have not been compromised. If our security measures are compromised, our reputation could be damaged; our data, information or intellectual property, or that of our customers, may be destroyed, stolen, or otherwise compromised; our business may be harmed; and we could incur significant liability. We take steps designed to detect and remediate vulnerabilities in our information systems and those of third parties upon whom we rely, but we may not detect or remediate all such vulnerabilities or do so in a timely manner. The threats and techniques used to exploit vulnerabilities change frequently and are often sophisticated in nature, and may be difficult to detect by security tools. Vulnerabilities could be exploited and result in a security incident. We have limited budgetary and human resources for detecting and remediating vulnerabilities and have experienced difficulties in hiring and retaining qualified security personnel, especially after our recent restructuring actions. We may experience delays in developing and deploying remedial measures, including patches, designed to address identified vulnerabilities, and our remedial measures may require action by our customers such as installing patches or updates, which may increase the amount of time a vulnerability remains unremediated. We have not always been able in the past and may be unable in the future to anticipate or prevent threats or techniques used to detect or exploit vulnerabilities in our information systems or third-party software, or obtain unauthorized access to or compromise our systems. In addition, security researchers and other individuals have in the past and will continue in the future to actively search for and exploit actual and potential vulnerabilities in our software or services. This activity may increase because of increased demand for our services and increased media scrutiny of our unified communications and collaboration platform, and can lead to additional adverse publicity, reputational harm, extortion threats, business and operational interruptions, security incidents, additional expenses, litigation, regulatory investigations and actions, and substantial harm to our business, some of which we have experienced. For example, in July 2019, a security researcher published a blog highlighting concerns with the Zoom Meeting platform, including certain video-on features. We were able to release updates to the software addressing these vulnerabilities, and we are not aware of any customers being affected or meetings compromised by these vulnerabilities. In most cases customers are responsible for installing this update to the software, and their software is subject to these vulnerabilities until they do so. Additionally, in March 2020, a security researcher reported certain vulnerabilities related to our macOS version that could have allowed an unauthorized person to gain root access to a user’s system. Given the nature of our business and operations, our products and services will inevitably contain vulnerabilities or critical security defects that have not been identified or remediated and cannot be disclosed without compromising security. We have identified high or critical vulnerabilities in our products, services and information systems in the past, and we expect that we will continue to identify such vulnerabilities in the future. We cannot be certain that we will be able to address any vulnerabilities in our products, 22 22 22 Table of Contents Table of Contents services and information systems that we may become aware of in the future, or there may be delays in developing patches that can be effectively deployed to address vulnerabilities. We will continue to make prioritization decisions based on, among other things, our available resources, the efficacy of our security tools, and the increasing workload to meet certain security obligations, to determine which vulnerabilities or security defects to fix and the timing of these fixes, which could result in an exploit that compromises security. In some cases, customers are responsible for installing our software updates, and until they do so, their service remains subject to the vulnerabilities addressed in the software update. Vulnerabilities and critical security defects, errors in remediating vulnerabilities or security defects, failure of third-party providers to remediate vulnerabilities or security defects, or customers not deploying security releases or deciding not to install software updates could result in claims of liability against us, damage our reputation, or otherwise harm our business. Security incidents and vulnerabilities, and concerns regarding privacy, data protection, and information security may also prevent some of our customers and users from using or cause some of our customers and users to stop using our solutions and fail to upgrade or renew their subscriptions. Failures to meet customers’ and users’ expectations with respect to security and confidentiality of their data and information could damage our reputation and affect our ability to retain customers and users, attract new customers and users, and grow our business. In addition, cybersecurity events or security vulnerabilities could result in breaches of our agreements with customers, lawsuits against us (including class action litigation), regulatory investigations or actions, and significant increases in costs, including costs for remediating the effects of such an event or vulnerability, lost revenue due to network downtime, and a decrease in customer and user trust, increases in insurance premiums due to cybersecurity incidents, increased costs to address cybersecurity issues, and attempts to prevent future incidents, fines, penalties, judgments and settlements, and attorney fees, and harm to our business and our reputation because of any such incident. Any of the previously identified or similar threats could cause a security incident or other interruption that could result in unauthorized, unlawful, or accidental acquisition, modification, destruction, loss, alteration, encryption, disclosure of, or access to confidential, proprietary, or sensitive data or our information technology systems, or those of the third parties upon whom we rely. A security incident or other interruption could disrupt our ability (and that of third parties upon whom we rely) to provide our services. We may expend significant resources or modify our business activities to try to protect against security incidents. Additionally, certain privacy, data protection, and information security obligations may require us to implement and maintain specific security measures or industry-standard or reasonable security measures to protect our information technology systems and sensitive data. Many governments have enacted laws requiring companies to provide notice of data security incidents, including those recently promulgated by the SEC. Such laws are inconsistent, and compliance in the event of a widespread data breach is costly. In addition, some of our customers require us to notify them of data security breaches. Actual or perceived security gaps or security compromises experienced in our industry or by our competitors, our customers, a third party upon whom we rely, or us could cause us to experience adverse consequences, such as government enforcement actions (for example, investigations, fines, penalties, audits, and inspections); additional reporting requirements and/or oversight; restrictions on processing sensitive data (including personal information); litigation (including class claims); indemnification obligations; negative publicity; reputational harm; monetary fund diversions; diversion of management attention; interruptions in our operations (including availability of data); financial loss; and other similar harms. Security incidents and attendant consequences may cause customers to stop using our services, deter new customers from using our services, and negatively impact our ability to grow and operate our business. In addition, while more than half of our employees are based in the United States, like many similarly situated technology companies, we have a sizable number of research and development personnel outside of the United States, including in China, which has exposed and could continue to expose us to governmental and regulatory as well as market and media scrutiny regarding the actual or perceived integrity of our platform or data security and privacy features. Increased usage of our services, novel uses of our services, and additional awareness of Zoom and our brand has led and could in the future lead to greater public scrutiny of, press related to, or a negative perception of our information security and potential vulnerabilities associated with our platform. For example, during the COVID-19 pandemic, we opened our platform to unprecedented numbers of first-time users, leading to challenges for users who did not have full IT support or established protocols for security and privacy like our larger customers. As a result, we have experienced negative publicity related to meeting disruptions and security and privacy issues, including on encryption. Such unfavorable publicity and scrutiny could result in material reputational harm, a loss of customer and user confidence, increased regulatory or litigation exposure, additional expenses, and other harm to our business. There can be no assurance that any limitations of liability provisions in our subscription agreements, terms of use or other agreements would be enforceable or adequate or would otherwise protect us from any such liabilities or damages with respect to any particular claim. We also cannot be sure that our existing general liability insurance coverage and coverage for cyber liability or errors or omissions will continue to be available on acceptable terms or will be available in sufficient amounts 23 23 23 Table of Contents Table of Contents to cover one or more large claims or that the insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that are not covered or exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could harm our business. In addition to experiencing a security incident, third parties may gather, collect, or infer sensitive information about us from public sources, data brokers, or other means that reveals competitively sensitive details about our organization and could be used to undermine our competitive advantage or market position.

There are inherent climate-related risks wherever business is conducted. We have a global workforce, and operate in leased office spaces and data centers, and the short, medium and long term climate impacts to our business are unclear. 48 48 48 Table of Contents Table of Contents Changing market dynamics, global policy developments and the increasing frequency and impact of extreme weather events to infrastructure in the U.S. and elsewhere have the potential to disrupt our business, the business of our third-party suppliers and the business of our customers, and may cause us to experience losses and additional costs to maintain or resume operations. In addition, we may be subject to increased regulations, reporting requirements, standards or expectations regarding the environmental impacts of our business.

While we seek to mitigate our business risks associated with climate change (such as drought, wildfires, hurricanes, increased storm severity and sea level rise), we recognize that there are inherent climate-related risks wherever business is conducted. Our primary locations may be vulnerable to the adverse effects of climate change. For example, certain of our offices have experienced, and are projected to continue to experience, climate-related events at an increasing frequency, including drought, heat waves, wildfires and resultant air quality impacts and power shutoffs associated with wildfire prevention. Changing market dynamics, global policy developments and the increasing frequency and impact of extreme weather events on critical infrastructure in the U.S. and elsewhere have the potential to disrupt our business, the business of our third-party suppliers and the business of our customers, and may cause us to experience losses and additional costs to maintain or resume operations. In addition, we may be subject to increased regulations, reporting requirements, standards or expectations regarding the environmental impacts of our business.

There is an increasing focus from regulators, investors, customers and other stakeholders concerning environmental, social and governance matters. To the extent we share information about our practices in this area, we could be criticized for the accuracy, adequacy, or completeness of such disclosures. In addition, we may communicate related goals or initiatives from time to time, which can be costly to achieve and difficult to implement. There is no assurance that we will achieve any of these goals, that our initiatives will achieve their intended outcome, and our ability to implement these initiatives or achieve these goals may be dependent on external factors outside our control. Further, we may experience backlash from customers, government entities, advocacy groups, employees, or other stakeholders who disagree with our actual or perceived positions, or with our lack of position on social, environmental, governance, political, public policy, economic, geopolitical, or other sensitive issues. Any perceived lack of transparency about these matters could harm our brand and reputation, our employees’ engagement and retention, and the willingness of our customers and partners to do business with us.

There is an increasing focus from regulators, investors, customers and other stakeholders concerning environmental, social and governance matters (“ESG”). Regulators are driving legislation to bring consistency and transparency to ESG disclosures. Some investors may use these ESG performance factors to guide their investment strategies and, in some cases, may choose not to invest in us if they believe our policies and actions relating to ESG are inadequate. We may face reputational damage in the event that we do not meet the ESG standards set by various constituencies. Our voluntary ESG and climate disclosures, as well as our reporting under related disclosure regulations, or a failure to meet evolving stakeholder expectations for ESG reporting and practices, may potentially harm our reputation and customer relationships or expose us to liability. Due to new regulatory standards and market standards, certain new or existing customers may impose stricter ESG guidelines or contractual language for, and may scrutinize relationships more closely with, their counterparties, including us, which may lengthen sales cycles or increase our costs. Furthermore, if our competitors’ ESG performance is perceived to be better than ours, potential or current investors may elect to invest with our competitors instead. In addition, in the event that we communicate certain initiatives or goals regarding ESG matters, we could fail, or be perceived to fail, in our achievement of such initiatives or goals, or we could be criticized for the scope of such initiatives or goals.