ACI Worldwide (ACIW) Risk Analysis

To protect our proprietary rights in our intellectual property, we rely on a combination of contractual provisions, including customer licenses that restrict use of our products, confidentiality agreements and procedures, and trade secret and copyright laws. Despite such efforts, we may not be able to adequately protect our proprietary rights, or our competitors may independently develop similar technology, duplicate products, or design around any rights we believe to be proprietary. This may be particularly true in countries other than the United States because some foreign laws do not protect proprietary rights to the same extent as certain laws of the United States. Any failure or inability to protect our proprietary rights could materially adversely affect our business. Additionally, various events outside of our control may pose a threat to our intellectual property rights, as well as to our products and services. Effective protection of intellectual property rights is expensive and difficult to maintain, both in terms of application and maintenance costs, as well as the costs of defending and enforcing those rights. The efforts we have taken to protect our intellectual property rights may not be sufficient or effective. Our intellectual property rights may be infringed, misappropriated, or challenged, which could result in them being narrowed in scope or declared invalid or unenforceable. We also use a limited amount of software licensed by its authors or other third parties under so-called "open source" licenses and may continue to use such software in the future. Some of these licenses contain requirements that we make available source code for modifications or derivative works we create based upon the open source software, and that we license such modifications or derivative works under the terms of a particular open source license or other license granting third parties certain rights of further use. By the terms of certain open source licenses, we could be required to release the source code of our proprietary software if we combine our proprietary software with open source software in a certain manner. Additionally, the terms of many open source licenses have not been interpreted by United States or other courts, and there is a risk that these licenses could be construed in a manner that could impose unanticipated conditions or restrictions on our ability to commercialize our solutions. In addition to risks related to license requirements, usage of certain open source software can lead to greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or controls on origin of the software. Our exposure to risks associated with the use of intellectual property may be increased for third-party products distributed by us or as a result of acquisitions since we have a lower level of visibility, if any, into the development process with respect to such third-party products and acquired technology or the care taken to safeguard against infringement risks.

As part of our business, we electronically receive, process, store, and transmit information, including personal information and sensitive business information of our customers. Cybersecurity incidents vary in their form and can include the deployment of harmful malware or ransomware, denial-of-services attacks, and other attacks, which may affect business continuity and threaten the availability, confidentiality and integrity of our systems and information. Cybersecurity incidents can also include employee or personnel failures, fraud, phishing or other social engineering attempts or other methods to cause confidential information, payments, account access or access credentials, or other data to be transmitted to an unintended recipient. Cybersecurity threat actors also may attempt to exploit vulnerabilities in software including software commonly used by companies in cloud-based services and bundled software. Like many other companies, we detect attempts by threat actors to gain access to our systems and networks on a frequent basis, and the frequency of such attempts could increase in the future. Unauthorized access, use, or disruptions to our data, computer systems or databases or other cybersecurity incidents or similar attacks could result in the theft or publication of confidential information or the deletion or modification of records or could otherwise cause interruptions in our operations. These concerns about security are increased when we transmit information over the Internet. Security breaches and cybersecurity incidents in connection with the delivery of our products and services, including products and services utilizing the Internet, or well-publicized security breaches, and the trend toward broad consumer and general public notification of such incidents, could significantly harm our business, financial condition, cash flows and/or results of operations. We cannot be certain that advances in criminal capabilities, discovery of new vulnerabilities, attempts to exploit vulnerabilities in our systems, data thefts, physical system or network break-ins or inappropriate access, or other developments will not compromise or breach the technology protecting our networks and confidential information. Computer viruses have also been distributed and have rapidly spread over the Internet. Computer viruses could infiltrate our systems, disrupting our delivery of services and making our applications unavailable. Any inability to prevent security breaches or computer viruses could also cause existing customers to lose confidence in our systems and terminate their agreements with us, and could inhibit our ability to attract new customers. A cybersecurity incident or failure or disruption relating to our information or systems or that of our third-party business partners, or any failure by us or our third-party business partners to effectively address, enforce and maintain our information technology infrastructure, systems, or security measures may result in substantial harm to our business strategy, results of operations and financial condition, including major disruptions to business operations, loss of intellectual property, release of confidential information, alteration or corruption of data or systems, costs related to remediation or the payment of ransom, and litigation including individual claims or consumer class actions, commercial litigation, administrative, and civil or criminal investigations or actions, regulatory intervention and sanctions or fines, investigation and remediation costs and possible prolonged negative publicity. Although we maintain a cyber insurance policy, there is no guarantee that such coverage will be sufficient to address costs, liabilities and damages we may incur in connection with a cybersecurity incident or that such coverage will continue to be available on commercially reasonable terms or at all.

Our software products are complex. Software may contain bugs or defects that could unexpectedly interfere with the operation of the software products when first introduced or as new versions are released. Additionally, errors could occur during our provision of services, including processing services such as our bill payment services and other services delivered through public or private cloud. Software defects or service errors may result in the loss of, or delay in, market acceptance of our products and services and a corresponding loss of sales or revenues. Customers depend upon our products and services for mission-critical applications, and product defects or service errors may hurt our reputation with customers. In addition, software product defects or errors could subject us to liability for damages, performance and warranty claims, government inquiries or investigations, claims and litigation, and fines or penalties from governmental authorities, which could be material. We may incur additional costs or expenses to remediate the issues.

ACI Payments, Inc. is licensed as a money transmitter in those states where such licensure is required. These licenses require us to demonstrate and maintain certain levels of net worth and liquidity, require us to file periodic reports and subject us to inspections by state regulatory agencies. In addition, our payment business is generally subject to federal regulation in the United States, including anti-money laundering regulations and certain restrictions on transactions to or from certain individuals or entities. The complexity of these regulations will continue to increase our cost of doing business. Any violations of these laws may also result in civil or criminal penalties against us and our officers or the prohibition against us providing money transmitter services in particular jurisdictions. We could also be forced to change our business practices or be required to obtain additional licenses or regulatory approvals that could cause us to incur substantial costs. In addition, our customers must ensure that our services comply with the government regulations, including the EU GDPR, and industry standards that apply to their businesses. Federal, state, foreign or industry authorities could adopt laws, rules, or regulations affecting our customers' businesses that could lead to increased operating costs that may lead to reduced market acceptance. In addition, action by regulatory authorities relating to credit availability, data usage, privacy, or other related regulatory developments could have an adverse effect on our customers and, therefore, could have a material adverse effect on our business, financial condition, and results of operations.

We are subject to income and non-income based taxes in the United States and in various foreign jurisdictions. Significant judgment is required in determining our worldwide income tax liabilities and other tax liabilities. We believe that our tax-saving strategies comply with applicable tax law. If the governing tax authorities have a different interpretation of the applicable law and successfully challenge any of our tax positions, our financial condition, cash flows and/or results of operations could be adversely affected. Our U.S. companies are the subject of an examination by several state tax departments. Some of our foreign subsidiaries are currently the subject of a tax examination by the local taxing authorities. Other foreign subsidiaries could face challenges from various foreign tax authorities. It is not certain that the local authorities will accept our tax positions. We believe our tax positions comply with applicable tax law and intend to vigorously defend our positions. However, differing positions on certain issues could be upheld by foreign tax authorities, which could adversely affect our financial condition and/or results of operations.

Failure to achieve favorable renewals of customer contracts could negatively impact our business. Our contracts with our customers generally run for a period of five years, or three years in the case of certain acquired SaaS and PaaS contracts. At the end of the contract term, customers have the opportunity to renegotiate their contracts with us and to consider whether to engage one of our competitors to provide products and services. Failure to achieve high renewal rates on commercially favorable terms could adversely affect our results of operations and financial condition.

The crises in eastern Europe and the Middle East continue to be a challenge to global companies, including us. We currently have one employee in Russia, a dormant customer in Russia, and customers located in the Middle East. The U.S. and other global governments have placed restrictions on how companies may transact with, and provide services or solutions to, parties in these regions, particularly Russia, Belarus and restricted areas in Ukraine. No assurances can be given that additional developments in the impacted regions, and responses thereto from the U.S. and other global governments, would not have a material adverse effect on our business, results of operations and financial condition.