Akamai (AKAM) Risk Factors

Innovation is important to our future success. In particular, as security and compute solutions have become, and are expected to continue to be, an important part of our business, we must be particularly adept at developing new security solutions that meet the constantly-changing threat landscape and compute and compute-to-edge solutions that meet the needs of professional users and enterprises looking to increase the utility of the internet for their business. The process of developing new solutions and product enhancements is complex, lengthy and uncertain and has become increasingly complex due to the sophistication of our customers' needs. The development timetable is uncertain and we may commit significant resources to developing solutions for which a viable market may not ultimately develop. For example, with the acquisition of Linode, we are investing significant resources in our compute solutions and platform, working on expanding the capacity of these facilities, adding additional sites and developing increased compute features and functionality. Success in these efforts is not guaranteed and will largely depend on our ability to create products that are competitive in the enterprise market, source additional co-location facilities and manage an uncertain supply chain for server related hardware. In addition, we have also experienced, and may in the future experience, delays in developing and releasing new products and product enhancements. This could cause our expenses to grow more rapidly than our revenue. Trying to innovate through acquisition can be costly and with uncertain prospects for success; we may find that attractive acquisition targets are too expensive for us to pursue which could cause us to pursue more time-consuming internal development. Failure to develop, on a cost-effective basis, innovative or enhanced solutions that are attractive to customers and profitable to us could have a material detrimental effect on our business, results of operations, financial condition and cash flows.

We regularly face attempts to gain unauthorized access or deliver malicious software to Akamai Connected Cloud and our internal IT systems, with the goal of stealing proprietary information related to our business, products, employees and customers; disrupting our systems and services or those of our customers or others; or demanding ransom to return control of such systems and services. These attempts take a variety of forms, including Distributed Denial of Service (DDoS) attacks, infrastructure attacks, botnets, malicious file uploads, application abuse, credential abuse, social engineering, ransomware, bugs, viruses, worms and malicious software programs. Additionally, the use of artificial intelligence by bad actors has heightened the sophistication and effectiveness of these types of attacks. There have in the past and could in the future be attempts to infiltrate our systems through our supply chain and contractors. Malicious actors are known to attempt to fraudulently induce employees and suppliers to disclose sensitive information through illegal electronic spamming, phishing or other tactics. Other parties may attempt to gain unauthorized physical access to our facilities in order to infiltrate our internal-use information systems. Furthermore, nation state and hacktivist attacks against us or our customers have in the past and may in the future intensify during periods of heightened geopolitical tensions or armed conflict, such as the ongoing war in Ukraine and the Israel-Hamas War. We may not be able to anticipate the techniques used in such attacks, as they change frequently and may not be recognized until launched. While we have, from time to time, experienced threats to and breaches of our and our third-party vendors' data and systems, to date , to our knowledge, cyber threats and other attacks have not resulted in any material adverse effect to our business or operations, but such threats are constantly evolving, increasing the difficulty of detecting and successfully defending against them. The complexities in managing the security profile of a distributed network with vast scale and geographic reach that evolves to incorporate new capabilities expose us to both known and unknown vulnerabilities. We have discovered vulnerabilities in software used in our technology, such as the vulnerability in Apache Log4j 2 referred to as "Log4Shell" identified in late 2021 that impacted a large portion of the internet ecosystem, and may have other undiscovered vulnerabilities. Vulnerabilities, resident in either software or configurations, have in the past and may in the future require significant operational efforts to mitigate and may persist for extended periods of time and the effects of any such vulnerability could be exacerbated. Similar security risks exist with respect to acquired companies, our business partners and the third-party vendors that we rely on for aspects of our information technology support services and administrative functions. As a result, we are subject to risks that the activities of our business partners and third-party vendors may adversely affect our business even if an attack or breach does not directly target our systems. To protect our corporate and deployed networks, we aim to continuously engineer more secure solutions, enhance security and reliability features, improve the deployment of software updates to address security vulnerabilities, develop mitigation technologies that help to secure customers from attacks and maintain the digital security infrastructure that protects the integrity of our network and services. For example, our ongoing efforts to continually enhance the security and reliability of Akamai Connected Cloud, customer applications, and corporate systems comprise various initiatives and mitigation efforts, including but not limited to upgrading access and configuration controls; improving security instrumentation, monitoring, detection and prevention tools; enhancing software inventory and tracking and patching systems; upgrading encryption processes and protections; enhancing authorization methods in applications; enhancing data loss prevention and endpoint security management capabilities; upgrading vulnerability identification, assessment, and remediation processes and technologies; and enhancing the security of passwords and other credentials, as applicable and appropriate. Our efforts to engineer more secure solutions are frequently costly, with a negative impact on near-term profitability, and may be unsuccessful in preventing security incidents that may have an adverse effect on our business and reputation. For example, with the acquisition of Linode, we continue to adapt procedures for mitigating risks that have in the past or may in the future materialize, including any harms that may arise from abuse of our compute products. If we fail to mitigate these harms or if there is a significant cybersecurity event using our compute products or our compute products are perceived to be less reliable than our competitors, it could result in loss of customers and reputational damage. Any actual, alleged or perceived breach of network security in our systems or networks, or any other actual, alleged or perceived compromise of data security incident we, our customers or our third-party suppliers suffer, can result in damage to our reputation; negative publicity; loss of channel partners, customers and sales; loss of revenue; loss of competitive advantages; increased costs to remedy any problems and otherwise respond to any incident; regulatory investigations and enforcement actions and fines; costly litigation; and other liabilities.

U.S. and international laws and regulations that apply to the internet related to, among other things, content liability, security requirements, law enforcement access to information, critical infrastructure, net neutrality, so-called "fair share" or internet content taxes, international data transfer restrictions, sanctions, export controls and restrictions on social media or other content could pose risks to our revenues, intellectual property and customer relationships as well as increase expenses or create other disadvantages to our business. Section 230 of the U.S. Communications Decency Act, often referred to as Section 230, gives websites that host user-generated content broad protection from legal liability for content posted on their sites. Proposals to repeal or amend Section 230 could expose us to greater legal liability in the conduct of our business. Our Acceptable Use Policy prohibits customers from using our network to deliver illegal or inappropriate content; if customers violate that policy, we may nonetheless face reputational damage, enforcement actions or lawsuits related to their content. Regulations have been enacted or proposed in a number of countries that limit the delivery of certain types of content into those countries. Enactment and expansion of such laws and regulations would negatively impact our revenues. For example, restrictions were adopted in India in 2020 prohibiting access to identified Chinese applications which caused a reduction in revenue to us. In addition, in April 2024, the U.S. government passed legislation that may prohibit access to a Chinese application beginning as soon as the first quarter of 2025. Traffic in the U.S. from this application in 2023 constituted less than 1.5% of our revenue, however should the restrictions become effective, our revenue would be negatively impacted. In addition, due to geopolitical considerations or otherwise, the owner of this application could decide to limit even more of its business with U.S. providers like Akamai, including even in circumstances where the legislation is successfully challenged in court or does not take effect. Further, such laws and regulations could cause internet service providers, or others, to block our products in order to enforce content-blocking efforts. In addition, efforts to block a single product or domain name may end up blocking a number of other products or domain names in an overbroad manner that could affect our business. In addition to regulations related to content, enactment and expansion of laws related to the use of artificial intelligence and machine learning in our operations and increased regulation of cloud services providers also could increase costs of doing business, subject us to potential liability or regulatory risk and introduce other disadvantages to our business, including brand or reputational harm. Interpretations of laws or regulations that would subject us to regulatory enforcement actions, supervision or, in the alternative, require us to exit a line of business or a country, could lead to the loss of significant revenues and have a negative impact on the quality of our solutions. Engineering efforts to build new capabilities to facilitate compliance with law enforcement access requirements, content access restrictions or other regulations could require us to take on substantial expenses and divert engineering resources from other projects. These circumstances could harm our profitability.

Our future income taxes could be adversely affected by earnings being lower than anticipated in jurisdictions that have lower statutory tax rates and higher than anticipated in jurisdictions that have higher statutory tax rates, or changes in tax laws, regulations or accounting principles, as well as certain discrete items such as equity-related compensation. The Organisation for Economic Co-operation and Development ("OECD") and participating OECD member countries continue to work toward the enactment of a 15% global minimum corporate tax rate for large multinational enterprise groups, also known as "Pillar Two". Many of the participating countries have enacted legislation that became effective beginning in 2024, while other countries continue to work on defining the underlying rules and administrative procedures. Although the enacted and effective legislation in many countries is applicable to us beginning January 1, 2024, and increased our effective income tax rate, the increase did not have a material impact on our overall results of operations or cash flows. We will continue to monitor and evaluate the impacts of the developing legislation. We have recorded certain tax reserves to address potential exposures involving our income tax and indirect tax positions. These potential tax liabilities result from the varying application of statutes, rules, regulations and interpretations by different jurisdictions. We are currently subject to tax audits in various jurisdictions. If the ultimate outcome of any tax audits are adverse to us, our reserves may not be adequate to cover our total actual liability, and we would need to take a financial charge. Although we believe our estimates, our reserves and the positions we have taken in all jurisdictions are reasonable, the ultimate tax outcome may differ from the amounts recorded in our financial statements and may materially affect our financial results in the period or periods for which such determination is made.

We operate globally and as a result, our business, revenues and profitability are impacted by global macroeconomic conditions. The success of our activities is affected by general economic and market conditions, including, among others, inflation, interest rates, tax rates, economic uncertainty, political instability, warfare, changes in laws, trade barriers, the actual or perceived failure or financial difficulties of financial institutions, reduced consumer confidence and spending and economic and trade sanctions. For example, approximately 1% of our 2021 revenue had been generated from traffic into Russia, Belarus and Ukraine, and we experienced a decline in revenue in 2022 and 2023 related to the war in Ukraine due to a decrease in traffic in these countries. Global economic and geopolitical conditions can impact our customers, causing them to take cost-savings measures that can include optimization and "do-it-yourself", or DIY, initiatives, which can impact our revenues. For example, a large social media company has recently taken steps to lower costs and reduce reliance on U.S. providers by optimizing its platform, including a DIY component, which has reduced traffic on our network and negatively impacted our revenue in the first nine months of 2024. In addition, due to changes in international tax laws, we expect our effective income tax rate will increase in 2024. The U.S. capital markets have experienced and may continue to experience extreme volatility and disruption in the recent past. Furthermore, inflation rates in the U.S. have been elevated compared to historical rates and have fluctuated. Such economic volatility has in the past and could in the future adversely affect our business, financial condition, results of operations and cash flows and future market disruptions could negatively impact us. For example, these unfavorable economic conditions could increase our operating costs, which could negatively impact our profitability. Geopolitical destabilization and warfare have impacted and could continue to impact global currency exchange rates, resources from our suppliers, and our ability to operate or grow our business. In addition, we have recently experienced rising energy costs in areas in which we operate, particularly in Europe. Additionally, we have offices and employees located in regions that historically have and may again experience periods of political instability, warfare, changes in laws, trade barriers, and economic and trade sanctions. Adverse conditions in these countries have in the past and may in the future affect our operations, including disruptions to our workforce, supply chains, networks, financial systems and other critical infrastructure, which could adversely affect our business, results of operations, financial condition, and cash flows. For example, approximately six percent of our global employees are located in Tel Aviv, Israel and some of our employees have been mobilized as members of the Israeli military reserves. The ongoing war could cause harm to our employees or otherwise impair their ability to work for extended periods of time.

A significant portion of our hiring, new customers and revenue growth in recent quarters has been attributable to our business outside the U.S. Our operations in international countries subject us to risks that may increase our costs, impact our financial results, disrupt our operations or make our operations less efficient and require significant management attention. These risks include: foreign exchange rate risks; uncertainty regarding liability for content or services, including uncertainty as a result of local laws and lack of legal precedent; loss of revenues if the U.S. or international governments impose limitations on doing business with significant current or potential customers; difficulty in staffing, training, developing and managing international operations as a result of distance, language, cultural differences, differences in employee/employer relationships or regulations; theft of intellectual property in high-risk countries where we operate; difficulties in enforcing contracts, collecting accounts and longer payment cycles in certain countries; difficulties in transferring funds from, or converting currencies in, certain countries; managing the costs and processes necessary to comply with export control, sanctions, such as the sanctions imposed in connection with the Russian invasion of Ukraine, anti-corruption, data protection, cybersecurity and competition laws and regulations or other regulatory or contractual limitations on our ability to sell or develop our products and services in certain international markets; macroeconomic developments and changes in the labor markets in which we operate; geopolitical developments, including any that impact our or our customers' ability to operate in or deliver content to a country; other circumstances outside of our control such as trade disputes, political unrest, warfare, military or armed conflict, such as the Russian invasion of Ukraine and the ongoing Israel-Hamas War, terrorist attacks, public health emergencies, energy crises and natural disasters that could disrupt our ability to provide services or limit customer purchases of them. For example, approximately six percent of our global employees are located in Tel Aviv, Israel and have been and may continue to be impacted by the Israel-Hamas War. A number of our employees have been, and more may be, required to report for military duty which could impact our ability to operate and successfully complete ongoing initiatives particularly with respect to our security offerings and our efforts to move our internal applications from third-party clouds to Akamai Connected Cloud. In addition, further attacks by Hamas or other groups on Israel could further impact our workforce, our operations and our offices located in Tel Aviv. Furthermore, a widening of the conflict in the Middle East or further escalation could lead to broader geopolitical destabilization and macro-economic impacts. In addition, we are subject to laws and regulations worldwide that differ among jurisdictions, affecting our operations in areas such as intellectual property ownership and infringement; tax; anti-corruption; internet and technology regulations; so-called "fair share" or internet content taxes; foreign exchange controls and cash repatriation; data privacy; cyber security; competition; consumer protection; and employment. Compliance with such requirements can be onerous and expensive and may otherwise impact our business operations negatively. Although we have policies, controls and procedures designed to help ensure compliance with applicable laws, there can be no assurance that our employees, contractors, suppliers, customers or agents will not violate such laws or our policies. Violations of these laws and regulations can result in fines; additional costs related to governmental investigations; criminal sanctions against us, our officers or our employees; prohibitions on the conduct of our business; and damage to our reputation.

Because we conduct a substantial portion of our business outside the United States, we face exposure to adverse movements in foreign currency exchange rates, which could have a material adverse impact on our financial results and cash flows. These exposures may change over time as business practices evolve and economic conditions change. The fluctuations of currencies in which we conduct business can both increase and decrease our overall revenue and expenses for any given period. This exposure is the result of selling in multiple currencies, headcount in foreign locations and operating in countries where the functional currency is the local currency. Revenue generated and expenses incurred by our international subsidiaries are often denominated in their local currencies, but many of our expenses related to our operations in foreign jurisdictions are denominated in U.S. dollars. As a result, our consolidated U.S. dollar financial statements are subject to fluctuations due to changes in exchange rates as the financial results of our international subsidiaries are translated from local currencies into U.S. dollars. For example, in 2023, the strength of the U.S. dollar had a negative impact on our revenue and a positive impact on our operating expenses. In addition, our financial results are subject to changes in exchange rates that impact the settlement of transactions in non-functional currencies. In addition, we have recently experienced increased volatility in foreign currency exchange rates, due to a number of factors, including geopolitical and economic developments. We may not be able to effectively manage such volatility, and our financial results have in the past and could in the future be adversely impacted as a result of such volatility. In addition, such volatility, even when it increases our revenues or decreases our expenses, impacts our ability to accurately predict our future results and earnings.

To operate and grow our network, we are dependent in part upon transmission capacity provided by third-party telecommunications network providers, the availability of co-location facilities to house our servers and equipment to support our operations. We may be unable to purchase the bandwidth and space we need from these providers due to limitations on their resources, increasing energy costs or other reasons outside of our control. In particular, following our acquisition of Linode, our efforts to increase the size and scale of our compute solutions have required and may continue to require procuring significant additional space in co-location facilities. Inability to access facilities where we would like to install servers, or perform maintenance on existing servers for any reason impedes our ability to expand or maintain capacity. As a result, there can be no assurance that we are adequately prepared for unexpected increases in capacity demands by our customers. Failure to put in place the capacity we require to operate our business effectively could result in a reduction in, or disruption of, service to our customers and ultimately a loss of those customers. Akamai Connected Cloud relies on hardware equipment, including hundreds of thousands of servers deployed around the world. Disruptions in our supply chain have occurred in the past and could prevent us from purchasing needed equipment at attractive prices or at all. For example, we are experiencing an increase in certain server component costs that support our compute build out. In addition, from time to time, it has been, and may continue to be, more difficult to purchase equipment that is manufactured in areas that face disruptions to operations due to unrest, trade sanctions or other political activity, public health issues, safety issues, natural disasters or general economic conditions. Failure to have adequate equipment, including server equipment, could harm the quality of our services, which could lead to the loss of customers and revenue.

Our future success depends upon the services of our executive officers and other key technology, sales, research and development, marketing and support personnel who have critical industry experience and relationships. Like other companies in our industry, we have experienced difficulty in hiring and retaining highly skilled employees with appropriate qualifications, and, if we fail to attract new personnel or fail to retain and motivate our current personnel or effectively train our current employees to support our business needs, our business and future growth prospects could suffer. For example, none of our officers or key employees is bound by an employment agreement for any specific term, and members of our senior management have left our company over the years for a variety of reasons. In addition, effective succession planning is important to our long-term success and our failure to ensure effective transfer of knowledge and smooth transitions involving our officers and other key personnel could hinder our strategic planning and execution. In addition, our future success will depend upon our ability to attract, train and retain employees, particularly in our expected areas of growth such as security and cloud computing. Such efforts will require time, expense and attention by our employees as there is significant competition for talented individuals. This competition results in increased costs in the form of cash and stock-based compensation and can have a dilutive impact on our stock. In addition, our ability to hire and retain employees may be adversely affected by volatility in the price of our stock or our ability to obtain shareholder approval to offer additional stock to our employees, because a significant portion of our compensation is in the form of equity grants. In addition, we are retasking certain employees to work on our compute solutions which will require the use of our resources and if we are unable to successfully retrain our employees, our compute business may suffer. Furthermore, geopolitical events may impact our retention efforts. For example, the ongoing Israel-Hamas War has and could continue to impact our workforce in Tel Aviv, Israel as employees have been and may continue to be required to report for military service or have other competing priorities. The loss of the services of a significant number of our employees or any of our key employees or our inability to attract and retain new talent in a timely fashion may be disruptive to our operations and overall business.

We compete in markets that are intensely competitive and rapidly changing. Our current and potential competitors vary by size, product offerings and geographic region, and range from start-ups that offer solutions competing with a discrete part of our business to large technology or telecommunications companies that offer, or may be planning to introduce, products and services that are broadly competitive with what we do. The primary competitive factors in our market are differentiation of technology, global presence, quality of solutions, reliability, long-term product roadmap, customer service, technical expertise, security, ease-of-use, breadth of services offered, price and financial strength. Many of our current and potential competitors have substantially greater financial, technical and marketing resources, larger customer bases, broader product portfolios, longer operating histories, greater brand recognition and more established relationships in the industry than we do. This is particularly true with respect to our compute solutions, as a small number of very large competitors have established themselves as leaders in the compute business. As a result, some competitors may be able to: develop superior products or services; leverage better name recognition, particularly in the security and compute markets; enter new markets more easily or better manage the impact of changes in general economic conditions, geopolitical conditions and industry pressures; gain greater market acceptance for their products and services; enter into long-term contracts with our potential customers; increase their points of presence and proximity to enterprise data centers and end users faster than us; expand their offerings more efficiently and more rapidly; bundle their products that are competitive with ours with other solutions they offer in a way that makes our offerings less appealing to, or more costly for, current and potential customers; more quickly adapt to new or emerging technologies and changes in customer requirements; take advantage of acquisition, investment and other opportunities more readily; offer lower prices than ours, including at levels that may not be profitable for us to match; spend more money on the promotion, marketing and sales of their products and services; offer higher salaries to talented professionals which may impact our ability to hire or retain engineering and other personnel; and implement shorter sales cycles with customers and prospects. Smaller and more nimble competitors may be able to: attract customers by offering less sophisticated versions of products and services than we provide at lower prices than those we charge; develop new business models that are disruptive to us; and respond more quickly than we can to new or emerging technologies, changes in customer requirements and market and industry developments, resulting in superior offerings. Ultimately, any type of increased competition could result in price and revenue reductions, loss of customers and loss of market share or inability to penetrate new markets, each of which could materially impact our business, profitability, financial condition, results of operations and cash flows. We and other companies that compete in this industry and these markets experience continually shifting business relationships, reputations, commercial focuses and business priorities, all of which occur in reaction to industry and market forces and the emergence of new opportunities. These shifts have led or could lead to our customers or partners becoming our competitors; customers implementing multi-vendor policies and seeking out one or more of our competitors to provide content and application delivery or security protection services; network suppliers no longer seeking to work with us; and technology companies that previously did not appear to show interest in the markets we seek to address entering into those markets as our competitors. With this constantly changing environment, we may face operational difficulties in adjusting to the changes or our core strategies could become obsolete. Any of these or other developments could harm our business.

We are reliant on some of our larger customers to direct traffic to our network for a significant part of our revenues. At times, some of our customers have determined that it is better for them to employ a "do-it-yourself" or "DIY" strategy by putting in place equipment, software and other technology solutions for content and application delivery and security protection within their internal systems instead of using our solutions for some or all of their needs. As the amount of money a customer spends with us increases, the risk that they will seek alternative solutions such as DIY or a multi-vendor policy likewise increases. While the number of customers implementing a DIY strategy had been decreasing, current global economic and geopolitical conditions may cause customers to increase their focus on DIY solutions, which could negatively impact traffic on our network, and, as a result, our revenue. For example, a large social media customer has recently taken steps to lower costs and reduce reliance on U.S. providers by optimizing its platform, including using a DIY component, which has reduced traffic on our network and negatively impacted our revenue in the first nine months of 2024. If our customers increase their use of DIY solutions or if multiple additional large customers shift to this model, traffic on our network and our contracted revenue commitments could decrease more significantly, which could negatively impact our business, profitability, financial condition, results of operations and cash flows.