ACV Auctions (ACVA) Risk Analysis

Our business is dependent on our data-driven marketplace platform. Robust information technology systems, platforms and products are critical to our operating environment, digital online products and competitive position. Understanding technology innovation is necessary to retain our competitive advantage. We may not be successful in developing, acquiring or implementing new data-driven products, services, and technologies which are competitive and responsive to the needs of our customers. Such products, services, and technologies, which are rapidly evolving, include those that use artificial intelligence. We might lack sufficient resources to continue to make the significant investments in information technology to compete with our competitors. Certain information technology initiatives that management considers important to our long-term success will require capital investment, have significant risks associated with their execution, and could take several years to implement. We may not be able to develop or implement these initiatives in a cost-effective, timely manner or at all. There can be no assurance that others will not acquire similar or superior technologies sooner than we do or that we will acquire technologies on an exclusive basis or at a significant price advantage. If we do not accurately predict, prepare and respond to new kinds of technology innovations, market developments and changing customer needs, our business may be harmed.

Our marketplace platform allows for the storage and transmission of our customers' proprietary or confidential information, which may include personal information or other information. We may use third-party service providers and subprocessors to help us deliver services, including payment services, to our customers. These vendors may store or process personal information, payment card information, or other information on our behalf. Security breaches, cyber-attacks and other similar incidents continue to increase, and marketplace platforms such as ours may be subject to such incidents. These threats, which are becoming increasingly difficult to detect, are perpetuated by a variety of sources, including traditional computer "hackers," employees engaging in theft or misuse, organized criminal threat actors, nation-states and nation-state-supported actors. We and our third-party service providers may be subject to a variety of these evolving threats, including but not limited to social-engineering attacks (including through phishing attacks), viruses, denial-of-service attacks (such as credential stuffing), malware installation, server malfunctions, ransomware attacks, supply-chain attacks, software bugs, software or hardware failures, loss of data or other computer assets, adware, telecommunications failures, pandemics, earthquakes, fires, floods, or other similar issues. These threats are becoming increasingly prevalent and severe, especially as criminal threat actors leverage artificial intelligence-based technologies and services, and can lead to significant interruptions in our operations, loss of information and income, reputational harm, and diversion of funds. Similarly, supply chain-attacks have increased in frequency and severity and we cannot guarantee that third parties and infrastructure in our supply chain and our third-party partners' supply chains have not been compromised or that they do not contain exploitable defects or bugs that could result in a breach of or disruption to our information technology systems (including our products/services) or the third-party information technology systems that support us and our services. While we have security measures in place designed to protect customer information and prevent data loss, security breaches, cyber-attacks and other similar incidents, there can be no assurance that our security measures or those of our third-party service providers that store or otherwise process certain of our and our customers' information on our behalf will be effective in protecting against unauthorized, unlawful, or accidental acquisition, modification, destruction, loss, alteration, encryption, disclosure of, or access to our confidential information, marketplace platform or our customers' information, including personal information, particularly given that our ability to monitor our third-party service providers' information security practices is limited. The techniques used to sabotage or to obtain unauthorized, unlawful, or accidental acquisition, modification, destruction, loss, alteration, encryption, disclosure of, or access to our marketplace platform, systems, networks or physical facilities in which our information or our customers' information is stored or through which information is transmitted change frequently and often are not identified until they are launched against a target, and we may be unable to implement adequate preventative measures or stop security breaches, cyber-attacks or other similar incidents while they are occurring. The security measures that we have integrated into our marketplace platform, systems, networks and physical facilities, which are designed to protect against, detect and minimize security breaches, cyber-attacks and other similar incidents, may not be adequate to prevent or detect service interruption, system failure or data loss. Our marketplace platform, systems, networks, and physical facilities could also be breached or information could be otherwise compromised due to employee, contractor or customer error, negligence or malfeasance, if, for example, third parties attempt to fraudulently induce our employees, contractors or our customers to disclose information or user names or passwords, or otherwise compromise the security of our marketplace platform, networks, systems and physical facilities. Third parties may also exploit vulnerabilities in, or obtain unauthorized, unlawful, or accidental acquisition, modification, destruction, loss, alteration, encryption, disclosure of, or access to, marketplace platforms, systems, networks or physical facilities. See the section titled "Cybersecurity" for additional information on certain aspects of our approach to cybersecurity risk management and strategy. We are required to comply with laws, regulations, rules, industry codes of conduct, policies, standards and other obligations that require us to maintain reasonable security measures designed to protect personal information, in our possession, custody, or control. We have legal obligations to notify relevant stakeholders of certain security breaches, cyber-attacks and other similar incidents. Such mandatory disclosures are costly and could lead to adverse consequences. These consequences may include: government enforcement actions (for example, investigations, fines, penalties, audits, and inspections); additional reporting requirements and/or oversight; restrictions on processing information (including personal information); litigation (including class claims); indemnification obligations; negative publicity, which may cause our customers to lose confidence in the effectiveness of our security measures and require us to expend significant capital and other resources to respond to or alleviate problems; interruptions in our operations (including availability of information); financial loss; and other similar harms. Security incidents and attendant consequences may cause customers to stop using our products/services, deter new customers from using our products/services, and negatively impact our ability to grow and operate our business. Our agreements with certain customers may require us to use industry-standard or reasonable measures to safeguard personal information. A security breach, cyber-attack or other similar incident may cause us to breach our customer contracts. A security breach, cyber-attack or other similar incident could lead to claims by our customers or other relevant stakeholders that we have failed to comply with such obligations. As a result, we could be subject to legal action or our customers could end their relationships with us. Our contracts may not contain limitations of liability, and, even where they do, there can be no assurance that the limitations of liability in our contracts would be enforceable or adequate or would otherwise protect us from liabilities or damages related to a security breach, cyber-attack or other similar incident. Further, security compromises experienced by our customers with respect to information hosted on our marketplace platform, even if caused by the customer's own misuse or negligence, may require us to make certain public disclosures, which could harm our reputation, erode customer confidence in the effectiveness of our security measures, negatively impact our ability to attract new customers, or cause existing customers to elect not to use our marketplace platform. We may be subject to indemnity demands, regulatory proceedings, audits, penalties or litigation based on our customers' misuse of our marketplace platform with respect to such sensitive information and defending against such litigation and otherwise addressing such matters may be expensive, cause distraction and result in us incurring liability, all of which may harm our business. Litigation resulting from security breaches, cyber-attacks or other similar incidents may adversely affect our business. Actual or alleged unauthorized access to our or our vendors' platform, systems, networks, or physical facilities could result in litigation with our customers or other relevant stakeholders. These proceedings could force us to spend money in defense or settlement, divert management's time and attention, increase our costs of doing business, or adversely affect our reputation. We could be required to fundamentally change our business activities and practices or modify our products and marketplace platform capabilities in response to such litigation, which could have an adverse effect on our business. If a security breach, cyber-attack or other similar incident were to occur, and the confidentiality, integrity or availability of personal information was disrupted, we could incur significant liability, or our marketplace platform, systems or networks may be perceived as less desirable, which could negatively affect our business and damage our reputation. While we maintain general liability insurance coverage and coverage for errors and omissions including cyber-attacks, we cannot assure you that such coverage will be adequate or otherwise protect us from liabilities or damages with respect to claims alleging compromises of personal information or that such coverage will continue to be available on acceptable terms or at all. The successful assertion of one or more large claims against us that exceeds our available insurance coverage, or results in changes to our insurance policies (including premium increases or the imposition of large deductible or co-insurance requirements), could have an adverse effect on our business. In addition, we cannot be sure that our existing insurance coverage and coverage for errors and omissions will continue to be available on acceptable terms or that our insurers will not deny coverage as to any future claim.

We mainly compete with large, national physical vehicle auction companies, such as Manheim, a subsidiary of Cox Enterprises, Inc., Adesa, a subsidiary of Carvana, and OPENLANE. The physical vehicle auction market in North America is largely consolidated, with Manheim and Adesa serving as large players in the market. Manheim has expanded into online wholesale marketplaces and auctions, and OPENLANE is also competing in the online wholesale auction market. However, we do compete with smaller chains of auctions and independent auctions in the physical market. We also compete with a number of smaller digital marketplace companies. Our future success also depends on our ability to respond to evolving industry trends, changes in customer requirements and new technologies. If new industry trends take hold, the automotive remarketing industry's economics could significantly change, and we may need to incur additional costs or otherwise alter our business model to adapt to these changes. Some of our competitors have much greater financial and marketing resources than we have, may be able to respond more quickly to evolving industry dynamics and changes in customer requirements or may be able to devote greater resources to the development, promotion and sale of new or emerging services and technologies. Our ability to successfully grow through investments in the area of emerging opportunities depends on many factors, including advancements in technology, regulatory changes and other factors that are difficult to predict. If we are unable to compete successfully or to successfully adapt to industry changes, our business may be harmed.

Our business depends on our ability to grow the share of wholesale transactions from existing customers, increasing the number of wholesale transactions they conduct on our marketplace platform. Our customers have no obligation to conduct a minimum number of transactions on our marketplace platform or to continue using our marketplace platform over time. In order for us to maintain or improve our results of operations, it is important that our customers continue using our marketplace platform and increase the share of wholesale transactions which they complete on our marketplace platform. We cannot accurately predict whether we will grow the share of wholesale transactions from existing customers. The volume of transactions from existing customers may decline or fluctuate as a result of a number of factors, including business strength or weakness of our customers, customer satisfaction with our marketplace platform and other offerings, our fees, the capabilities and fees of our competitors or the effects of global economic conditions. These factors may also be exacerbated if, consistent with our growth strategy, our customer base continues to grow to encompass larger enterprises, which may also require more sophisticated and costly sales efforts. If our customers do not continue to use our marketplace platform or purchase additional services from us, our revenue may decline and our business, results of operations and financial condition may be harmed.

We are the subject of media coverage from time to time. Unfavorable publicity regarding our business model, customer support, technology, product offerings, marketplace changes, marketplace quality, data privacy or security practices or management team could adversely affect our reputation. Such negative publicity could also harm the size of our marketplace and the engagement and loyalty of buyers and sellers that utilize it, which could adversely affect our business, results of operations and financial condition. As our marketplace continues to scale and public awareness increases, any future issues that draw media coverage could have an amplified negative effect on our reputation. In addition, negative publicity related to key dealers or commercial partners that we have partnered with may damage our reputation, even if the publicity is not directly related to us. Any negative publicity that we may receive could diminish confidence in, and the use of, our marketplace, which could adversely affect our business, results of operations and financial condition.

We believe our success has depended, and continues to depend, on the efforts and talents of our executive officers and other employees. Our future success depends on our continuing ability to attract, develop, motivate and retain highly qualified and skilled executive officers and other employees. Qualified individuals are in high demand, and we may incur significant costs to attract and retain them. In addition, the loss of any of our executive officers or other employees could adversely affect our ability to execute our business plan and strategy, and we may not be able to find adequate replacements on a timely basis, if at all. Our executive officers and other employees are at-will employees, which means they may terminate their employment relationship with us at any time, and their knowledge of our business and industry would be extremely difficult to replace. We may not be able to retain the services of any members of our executive officers or other employees. If we do not succeed in attracting well-qualified executive officers or employees or retaining and motivating existing executive officers or employees, our business may be harmed.

We are subject to various litigation matters from time to time, the outcomes of which could harm our business. Claims arising out of actual or alleged violations of law could be asserted against us by individuals, either individually or through class actions, by governmental entities in civil or criminal investigations and proceedings or by other entities. These claims could be asserted under a variety of laws, including but not limited to intellectual property laws, data privacy and security laws, labor and employment laws, securities laws and employee benefit laws. These actions could expose us to adverse publicity and to substantial monetary damages and legal defense costs, injunctive relief and criminal and civil fines and penalties, including but not limited to suspension or revocation of licenses to conduct business. Furthermore, defending ourselves against these claims may require us to expend substantial financial resources and divert management's attention, which could adversely impact our business, results of operations and financial condition.

In the ordinary course of business, we collect, receive, store, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, share and otherwise process confidential, proprietary and personal information. There are numerous federal, state, local and international laws, regulations, rules, industry codes of conduct, policies and standards regarding data privacy and security, including the processing of personal information and other data. The regulatory framework for data privacy and security is in considerable flux and evolving rapidly. Our obligations related to data privacy and security subject to change and subject to differing interpretations and may be costly to comply with, inconsistent between jurisdictions or conflicting with other rules. In the United States, federal, state, and local governments have enacted numerous data privacy and security laws, regulations and rules, including data breach notification laws, personal information privacy laws, and consumer protection laws. For example, the Telephone Consumer Protection Act imposes specific requirements relating to marketing to individuals using technology such as phones, mobile devices, and text messages. As another example, the California Consumer Privacy Act, as modified by the California Privacy Rights Act (collectively, "CCPA") gives California residents expanded rights to among other things, request disclosure of personal information collected about them and whether the data has been sold to others, request deletion of personal information (subject to certain exceptions), opt out of certain personal information sharing and not be discriminated against for exercising these rights. The CCPA provides civil penalties for violations, as well as a private right of action for certain data breaches. A number of other U.S states have also enacted, or are considering enacting comprehensive data privacy laws that share similarities with the CCPA, with at least four such laws (in Virginia, Colorado, Connecticut and Utah) having taken effect, or scheduled to take effect, in 2023. There is also discussion in Congress of a new federal data privacy and security law to which. we may become subject if it is enacted. The effects of the CCPA, and other similar state or federal laws, are potentially significant and may require us to modify our information processing practices and policies, incur substantial compliance costs and subject us to increased potential liability. Additionally, the U.S. Federal Trade Commission ("FTC") and states' Attorneys General have brought enforcement actions and prosecuted certain data breach and other privacy-related cases as unfair and/or deceptive acts or practices under the FTC Act. Further, laws in all 50 U.S. states generally require businesses to provide notice under certain circumstances to consumers whose personal information has been disclosed as a result of a data breach. These laws are not consistent, and compliance in the event of a widespread data breach is difficult and may be costly. Upon our expansion into international markets, including our operations in France, we and our third-party service providers may be subject to a new range of detailed and complex foreign laws regarding privacy and the processing of personal information and other data, most notably the General Data Protection Act Regulation ("GDPR"). The GDPR, together with national legislation, regulations and guidelines of the European Union member states governing the processing of personal data, impose strict obligations and restrictions on the ability to collect, use, retain, protect, disclose, transfer and otherwise process personal data. In addition, we and our third-party service providers may be required to comply with operating rules and standards imposed by industry organizations such as the National Automated Clearing House Association and the Payment Card Industry Security Standards Council. Additionally, we are also subject to specific contractual requirements contained in third-party agreements governing our processing of personal information and other data. Further, we are subject to the terms of our privacy policies, and privacy-related disclosures. Although we endeavor to comply with our public statements and documentation, we may at times fail to do so or be alleged to have failed to do so. Our publication of our privacy policies and other statements that provide promises and assurances about data privacy and security can subject us to potential state and federal action if they are found to be deceptive, unfair or misrepresentative of our actual practices. While we strive to comply with applicable laws, regulations, rules, industry codes of conduct, policies, standards and other legal or contractual obligations relating to data privacy and security, it is possible that these obligations may be interpreted and applied in new ways or in a manner that is inconsistent from one jurisdiction to another and may conflict with other rules or our practices. Additionally, new laws or regulations could be enacted, further complicating our compliance efforts. Any failure or perceived failure by us or third parties we work with to comply with our policies, disclosures and obligations to customers, industry oversight organizations, or other third parties, or applicable data privacy and security laws, regulations, rules, industry codes of conduct, policies, standards or other legal or contractual obligations, may result in, among other things, governmental or regulatory investigations, enforcement actions, regulatory or other fines, orders requiring that we change our practices, criminal compliance orders, claims for damages by affected individuals or litigation or public statements against us by consumer advocacy groups or others, and could cause customers to lose trust in us. Any of the foregoing could be costly and have an adverse effect on our reputation, business, results of operations and financial condition, including but not limited to: loss of customers; interruptions or stoppages in our business operations; limited ability to develop or commercialize our products; expenditure of time and resources to defend any claim or inquiry; adverse publicity; or revision or restructuring of our operations. Additionally, if vendors, developers or other third parties that we work with violate applicable laws, regulations, rules, industry codes of conduct, policies, standards and other legal or contractual obligations relating to data privacy or security, such violations may also put personal information or other data, including customers' or vendors' information, at risk and could in turn harm our business. Even if we are not determined to have violated these laws or other obligations, government investigations into these issues typically require the expenditure of significant resources and may generate negative publicity.

Our business is affected by general business and economic conditions. Changes in economic, monetary and fiscal policies in the United States and abroad and fluctuations in exchange rates, as well as ongoing military conflicts, including between Russia and Ukraine and between Israel and Hamas, may have the effect of heightening our exposure to several risks. We are dependent on the supply of used vehicles in the wholesale market, and our financial performance depends, in part, on conditions in the automotive industry. During past global economic downturns, there has been an erosion of retail demand for new and used vehicles that, together with other factors such as financial market instability, led many lenders to reduce originations of new loans and leases and led to significant manufacturing capacity reductions by automakers selling vehicles in the United States and Canada. Capacity reductions could depress the number of vehicles that become part of the wholesale market in the future and could lead to reduced numbers of vehicles from various suppliers, negatively impacting our volumes. In addition, weak growth in or declining new vehicle sales negatively impacts used vehicle trade-ins to dealers and wholesale volumes. These factors could adversely affect our revenue and profitability. In addition, we may experience a decrease in demand for used vehicles from buyers due to factors including the lack of availability of consumer credit and declines in consumer spending and consumer confidence. Adverse credit conditions also affect the ability of dealers to secure financing to purchase used vehicles on the wholesale market, which further negatively affects buyer demand. In addition, a reduction in the number of franchised and independent used car dealers may reduce dealer demand for used vehicles. Consumer purchases of new and used vehicles may also be adversely affected by economic conditions such as employment levels, wage and salary levels, trends in consumer confidence and spending, reductions in consumer net worth, interest rates, inflation, the availability of consumer credit and taxation policies. Consumer purchases in general may decline during recessions, periods of prolonged declines in the equity markets or housing markets and periods when disposable income and perceptions of consumer wealth are lower. Changes to U.S. federal tax policy may negatively affect consumer spending. In addition, the market for used vehicles may be impacted by the significant, and likely accelerating, changes to the broader automotive industry, which may render our existing or future business model or our auction marketplace and value-added products and services less competitive, unmarketable or obsolete. For example, technology is currently being developed to produce automated, driverless vehicles that could reduce the demand for, or replace, traditional vehicles, including the used vehicles that are sold through our marketplace. Additionally, ride-hailing and ride-sharing services are becoming increasingly popular as a means of transportation and may decrease consumer demand for the used vehicles, particularly as urbanization increases. To the extent retail and rental car company demand for new and used vehicles decreases, negatively impacting our volumes, our business, results of operations and financial condition could be materially and adversely affected. Dealer consolidations or closures could reduce demand for our products, which may decrease our revenue. In the past, the number of U.S. dealers has declined due to dealership consolidations and closures as a result of varying factors, such as increased competitive pressure from online vehicle retailers and global economic downturns. When dealers consolidate, the services they previously purchased separately are often purchased by the combined entity in a lesser quantity or for a lower aggregate price than before, leading to volume compression and loss of revenue. Further dealership consolidations or closures could reduce the aggregate demand for our marketplace platform and value-added products and services. If dealership consolidated and closures occur in the future, our business may be harmed. Additionally, due to high fragmentation in the dealer industry, a small number of interested parties have significant influence over the industry. These parties include state and national dealership associations, state regulators, car manufacturers, consumer groups, independent dealers, and consolidated dealer groups. If and to the extent these parties believe that dealerships should not enter into or maintain business with us, this belief could become shared by dealerships and we may lose a number of our paying dealers.Our business is subject to the risk of natural disasters, adverse weather events, global pandemics, and other catastrophic events, and to interruption by man-made problems such as geopolitical tensions, armed conflicts and acts of terrorism. Our business is vulnerable to damage or interruption from earthquakes, fires, floods, power losses, telecommunications failures, acts of war, adverse weather events, global pandemics, geopolitical tensions, armed conflicts, acts of terrorism, human errors, infrastructure failures, energy crises and similar events. The third-party systems and operations on which we rely are subject to similar risks. For example, we rely on FedEx in order to ship and deliver titles in connection with vehicle sales through our marketplace, and the disruption to FedEx's service as a result of a natural disaster could have an adverse effect on our business, results of operations and financial conditions. Geopolitical tensions, armed conflicts, or acts of terrorism could also cause disruptions in our businesses, consumer demand or the economy as a whole. We may not have sufficient protection or recovery plans in some circumstances, such as if a natural disaster affects main transportation routes for the delivery of vehicles. Any such disruptions could negatively affect our ability to run our business, which could have an adverse effect on our business, results of operations and financial condition.