Accuray (ARAY) Risk Factors

Information technology helps us operate more efficiently, interface with customers, maintain financial accuracy and efficiency and accurately produce our financial statements. If we do not allocate and effectively manage the resources necessary to build, sustain and secure the proper technology infrastructure, we could be subject to transaction errors, processing inefficiencies, the loss of customers, business disruptions or the loss, unavailability of or damage to data and intellectual property through a cyberattack (including ransomware and other attacks) or other security breach or incident. While management is committed to identifying and improving data security risks through oversight of data security by our Chief Information Security Officer and implementation of various technical safeguards, procedural requirements and policies, regardless of the resources we allocate and the effectiveness with which we manage them, we face a risk of cyberattacks and other security breaches and incidents. Any cyberattacks or other security breaches or incidents we suffer could expose us to a risk of lost, unavailable, or corrupted information, unauthorized disclosure or other processing of information, claims, litigation and possible liability to employees, customers and others, and investigations and proceedings by regulatory authorities. Artificial intelligence ("AI") technologies may be used for certain cyberattacks or to increase the frequency or intensity of certain cyberattacks, which may increase our risks presented by cyberattack activity. Additionally, cyberattack activity may be heightened in connection with geopolitical events such as the Russia-Ukraine and the Middle East conflicts. In addition to potential exposure to cyberattacks, security incidents, or other actions that may compromise the security of or interfere with the function of our products, defects or vulnerabilities in the software or systems of our third-party vendors may expose failures in our internal controls and risk management processes, which may adversely impact our business, financial condition, results of operations, or cash flows and may also harm our reputation, brand, and customer relationships. If our data management systems or those of our third-party providers do not effectively collect, store, process and report relevant data for the operation of our business, whether due to equipment malfunction or constraints, software deficiencies, computer viruses, security breaches or incidents, cyberattacks, catastrophic events or human error, our ability to effectively plan, forecast and execute our business plan and comply with applicable laws and regulations will be impaired, perhaps materially. Any such impairment could materially and adversely affect our financial condition, results of operations, cash flows and the timeliness with which we internally and externally report our operating results. As a result, our information systems require an ongoing commitment of significant resources to maintain, protect, and enhance existing systems and develop new systems to keep pace with continuing changes in information processing technology, evolving legal and regulatory standards, the increasing need to protect patient and customer information, and the information technology needs associated with our changing products and services. There can be no assurance that our process of consolidating the number of systems we operate, upgrading and expanding our information systems capabilities, continuing our efforts to build security into the design of our products, protecting and enhancing our systems and developing new systems to keep pace with continuing changes in information processing technology will be successful or that additional systems issues will not arise in the future, or that we will not suffer from disruptions or other systems issues even if we devote substantial resources and personnel to these efforts. In addition, privacy and security breaches and incidents arising from errors, malfeasance or misconduct by employees, contractors or others with permitted access to our systems may pose a risk that sensitive data, including individually identifiable data, may be exposed to unauthorized persons or to the public and may compromise our security systems. There can be no assurance that any efforts we make to prevent against such privacy or security breaches or incidents have been or will be able to prevent breakdowns or breaches or incidents in our systems or those of our third-party service providers that could adversely affect our business. Third parties may also attempt to fraudulently induce employees or customers into disclosing usernames, passwords or other sensitive information, which may in turn be used to access our information technology systems. For example, our employees have received in the past and likely will continue to receive "phishing" e-mails attempting to induce them to divulge sensitive information. We may also face increased cybersecurity risks due to our reliance on internet technology and many of our employees working remotely at least part of the time, which may create additional opportunities for cybercriminals to exploit vulnerabilities. In addition, adversaries might attempt to gain unauthorized access to our products or systems to obtain personal data relating to patients or employees, our confidential or proprietary information or confidential information we hold on behalf of third parties, which, if successful, could pose a risk of loss, unavailability, or corruption of, or unauthorized access to or acquisition of, data, risk to patient safety and risk of product recall. The techniques used to obtain unauthorized access to our systems change frequently and may be difficult to detect, and we may not be able to anticipate and prevent these intrusions or mitigate them when they occur. Third-party service providers store and otherwise process certain personal data and other confidential or proprietary information of ourselves and third parties on our behalf, and these service providers face similar risks. In addition, our employees, third-party service providers, strategic partners, or other contractors or consultants may input personal or confidential information, or other business data of ours, into an artificial intelligence system (in particular, a system that is managed, owned, or controlled by a third party), which may disrupt and otherwise compromise our business operations, divert the attention of management and key information technology resources, potentially lead to security breaches or incidents or other unauthorized access to, or other use or processing of, personal information, our confidential information or other business data. Moreover, we manufacture and sell hardware and software products that allow our customers to store confidential information about their patients. Both types of products are often connected to and reside within our customers' information technology infrastructures. We do not have measures to configure or secure our customers' equipment or any information stored in our customers' systems or at their locations, which is the responsibility of our customers. Our customers are also continually updating their cybersecurity standards for the products that they purchase. While we have implemented security measures designed to protect our hardware and software products from unauthorized access and cyberattacks, these measures may not meet the standards set by our customers or be effective in securing these products, particularly since techniques used to obtain unauthorized access, or to sabotage systems, change frequently and may not be recognized until launched against a target. A network security or systems security breach of incident suffered by ourselves or our third-party service providers or other events that cause the loss or unauthorized use or disclosure of, or access by third parties to, sensitive information stored by us or our customers could result in loss, unavailability, or unauthorized acquisition, modification, or other processing of data, and any such events, or the perception that these events have occurred or that our security measures for our products are lacking, could have serious negative consequences for our business, including indemnity obligations, possible fines, penalties and damages, reduced demand for our products and services, an unwillingness of our customers to use our products or services, harm to our reputation and brand, and time consuming and expensive litigation, any of which could have an adverse effect on our business, financial condition, and operating results. Due to frequently changing attack techniques, along with the increased volume and sophistication of the attacks, including the increasing use of tools and techniques that are designed to circumvent controls, avoid detection, and remove or obfuscate forensic evidence, all of which hinders our ability to identify, investigate, and recover from incidents, we could be adversely impacted by cybersecurity attacks or other security breaches. This impact could result in reputational, competitive, operational, or other business harm as well as financial costs and claims, demands, litigation and regulatory action. While we do maintain insurance coverage that is intended to address certain aspects of data security risks, such insurance coverage may be insufficient to cover all losses or all types of claims that may arise.

We have integrated AI, including machine learning, in certain of our products, services and internal operations. Further, certain of our third-party vendors utilize AI and machine learning technologies in furnishing services to us. As with many technological innovations, AI presents risks and challenges that could affect its adoption, and therefore our business. Our products utilize, and we plan to further examine, develop and introduce, machine learning algorithms, predictive analytics, and other AI technologies to offer new or upgraded solutions and enhance our capabilities. If these AI or machine learning models are incorrectly designed, the performance of our products, services, and business, as well as our reputation, could suffer or we could incur liability through the violation of laws or contracts to which we are a party. Additionally, many countries and regions, including the United States, have proposed new and evolving regulations related to the use of AI and machine learning technologies, and the EU has adopted an AI Act that adopts an overall regulatory framework for AI. The regulations may impose onerous obligations and may require us to unexpectedly rework or reevaluate improvements to be compliant. Use of AI technologies may expose us to an increased risk of regulatory enforcement and litigation. Moreover, some of the AI features involve the processing of personal data and may be subject to laws, policies, legal obligations, and codes of conduct related to privacy and data protection. Though we have taken steps to be thoughtful in our development, training, and implementation of AI, it could pose certain risks to our customers, including patients, clinicians, and healthcare institutions, and it is not guaranteed that regulators will agree with our approach to limiting these risks or to our compliance more generally. Risks can include, but are not limited to, the potential for errors or inaccuracies in the algorithms or models used by AI, the potential for bias or inaccuracies in the data used to train the AI, the potential for improper processing of personal information, and the potential for cybersecurity breaches that could compromise patient data or product functionality. Such risks could negatively affect the performance of our products, services, and business, as well as our reputation and the reputations of our customers, and we could incur liability through the violation of laws or contracts to which we are a party or civil claims.

We are and may become a party to legal proceedings, claims, investigations, demands and other legal matters in the ordinary course of business or otherwise including intellectual property, product liability, employment, class action, whistleblower and other litigation claims, and governmental and other regulatory investigations and proceedings. These legal proceedings, claims and other legal matters, regardless of merit, may be costly, time-consuming and require the attention of key management and other personnel. The outcomes of such matters are uncertain and difficult to predict. If any such matters are adjudicated against us, in whole or in part, we may be subject to substantial monetary damages, disgorgement of profits and injunctions that prevent us from operating our business, any of which could materially and adversely affect our business and financial condition. We cannot guarantee that our insurance coverage will be sufficient to cover any damages awarded against us. Further, legal proceedings, and any adverse resolution thereof, can result in adverse publicity and damage to our reputation, which could adversely impact our business.

There are numerous state, federal and foreign laws, regulations, decisions and directives regarding privacy and the collection, storage, transmission, use, processing, disclosure and protection of personal information and other data, the scope of which is continually evolving and subject to differing interpretations. Our worldwide operations mean that we are subject to privacy, cybersecurity and data protection laws and regulations in many jurisdictions to varying degrees, and that some of the data we process, store and transmit may be transmitted across countries. For example, in the U.S., privacy and security rules implementing the Health Insurance Portability and Accountability Act ("HIPAA") require us as a business associate, in certain instances, to protect the confidentiality of patient health information, and the Federal Trade Commission has consumer protection authority, including with regard to privacy and cybersecurity. In Europe, the GDPR imposes several stringent requirements for controllers and processors of personal data that impose substantial obligations and, in the event of violations, may impose significant fines of up to the greater of 4% of worldwide annual revenue or €20 million. In the UK, the Data Protection Act of 2018 and the UK GDPR collectively implement material provisions of the GDPR and provide for penalties for noncompliance of up to the greater of £17.5 million or four percent of worldwide revenues. Data transfer and localization requirements also appear to be increasing and becoming more complex. With regard to transfers to the U.S. of personal data from our employees and European customers and users, both the EU-U.S. Privacy Shield and standard contractual clauses issued by the European Commission (the "EU SCCs") have been subject to legal challenge. In July 2020, the Court of Justice of the European Union ("CJEU") released a decision in the Schrems II case (Data Protection Commissioner v. Facebook Ireland, Schrems) (the "CJEU Decision"), declaring the EU-U.S. Privacy Shield invalid and imposing additional obligations in connection with the use of the EU SCCs, another mechanism for cross-border personal data transfers from the European Economic Area ("EEA"). Although the EU SCCs remain a valid means to transfer personal data from the EEA, the CJEU imposed additional obligations in connection with their use and, on June 4, 2021, the European Commission issued revised EU SCCs that address certain concerns of the CJEU. The United Kingdom also has issued new standard contractual clauses (the "UK SCCs") that became effective March 21, 2022, and which are required to be implemented. In March 2022, the EU and U.S. reached an agreement in principle on a new EU-U.S. Data Privacy Framework ("DPF"). In October 2022, the U.S. issued an executive order in furtherance of the DPF, on which basis the European Commission adopted an adequacy decision with respect to the DPF in July 2023, allowing its implementation and availability for companies to use to legitimize transfers of personal data from the E.U. to the U.S. It remains unclear, however, whether this new framework will be appropriate for us to rely upon. The DPF has already faced a legal challenge and it may be subject to additional challenges. Additionally, the European Commission's adequacy decision regarding the DPF provides that the DPF will be subject to future reviews and may be subject to suspension, amendment, repeal, or limitations to its scope by the European Commission. The CJEU Decision, the revised EU SCCs and UK SCCs, regulatory guidance and opinions, and other developments relating to cross-border data transfer may require us to implement additional contractual and technical safeguards for any personal data transferred out of the EEA, Switzerland, and the United Kingdom, which may increase compliance costs, lead to increased regulatory scrutiny or liability, may require additional contractual negotiations, and may adversely impact our business, financial condition and operating results. Other jurisdictions have adopted laws and regulations addressing privacy, data protection, data security, or other aspects of data processing, such as data localization. For example, the People's Republic of China ("PRC") and Russia have passed laws that require individually identifiable data on their citizens to be maintained on local servers and that may restrict transfer or processing of that data if certain data quantity thresholds are triggered. Additionally, the Personal Information Protection Law ("PIPL") of the PRC went into effect on November 1, 2021. The PIPL shares similarities with the GDPR, including extraterritorial application, data minimization, data localization, and purpose limitation requirements, and obligations to provide certain notices and rights to citizens of the PRC. The PIPL allows for fines of up to 50 million Renminbi or 5% of a covered company's revenue in the prior year. We may be required to modify our policies, procedures, and data processing measures in order to address requirements under these or other privacy, data protection, or cybersecurity regimes, and may face claims, litigation, investigations, or other proceedings regarding them and may incur related liabilities, expenses, costs, and operational losses. Further, the current U.S. administration is engaged in a comprehensive evaluation of national security concerns and other risks relating to the transfer of personally identifiable information from the United States to China, and on June 9, 2021, U.S. President Biden signed an executive order instituting a framework for determining national security risks of transactions that involve applications connected to governments or militaries of certain foreign adversaries or that collect sensitive personal data from U.S. consumers. In 2019, an executive order citing national security risks in the telecommunications sector served to block U.S. companies from buying Chinese-made Huawei and ZTE products. If our operations, including those involving the processing of U.S.-collected data such as medical imagery, through the JV in China, come to be perceived as a U.S. national security risk, those operations may become subject to executive orders, sanctions, or other measures. Any ban or other restriction on our transfer of data to the JV in China may increase costs as we seek operational and data processing alternatives. New and proposed privacy, cybersecurity, and data protection laws are also providing new rights to individuals and increasing the penalties associated with non-compliance. For example, the California Consumer Privacy Act (the "CCPA"), which became effective on January 1, 2020, imposes stringent data privacy and data protection requirements regarding the personal information of California residents, and provides for penalties for noncompliance of up to $7,500 per violation, as well as a private right of action from individuals in relation to certain security breaches. The California Privacy Rights Act ("CPRA"), approved by California voters in November 2020, became effective on January 1, 2023. The CPRA, significantly modified the CCPA, has resulted in further uncertainty and may require us to incur additional costs and expenses in an effort to comply. We will continue to monitor developments related to the CPRA and anticipate additional costs and expenses associated with CPRA compliance. The enactment of the CCPA, as modified by the CPRA, is prompting a wave of similar legislative developments in other states in the U.S., which could potentially create a patchwork of overlapping but different state laws. For example, Virginia, Colorado, Utah, and Connecticut all have enacted state laws that became effective in 2023; Texas, Montana, Oregon, and Florida have adopted laws that have become effective in 2024, Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey and Tennessee have adopted laws that will become effective in 2025; and Indiana Kentucky, and Rhode Island have adopted laws that will become effective in 2026. These new state laws share similarities with the CCPA, CPRA, and legislation proposed in other states. Other states have enacted other types of privacy legislation, such as Washington's My Health, My Data Act, which includes a private right of action. Additionally, the U.S. federal government is contemplating privacy legislation. We cannot fully predict the impact of the CCPA, CPRA, or other new or proposed legislation on our business or operations, but the restrictions imposed by these laws and regulations may require us to modify our data handling practices and impose additional costs and burdens, including risks of regulatory fines, litigation and associated reputational harm. In addition, U.S. and international laws that have been applied to protect consumer privacy (including laws regarding unfair and deceptive practices in the U.S. and GDPR in the EU) may be subject to evolving interpretations or applications in light of privacy developments. As a result, we may be subject to significant consequences, including penalties and fines, for any failure to comply with such laws, regulations and directives. Privacy, cybersecurity and data protection legislation around the world is comprehensive and complex and there has been a trend towards more stringent enforcement of requirements regarding protection and confidentiality of personal data. The restrictions imposed by such laws and regulations may limit the use and adoption of our products and services, reduce overall demand for our products and services, require us to modify our data handling practices and impose additional costs and burdens. With increasing enforcement of privacy, cybersecurity and data protection laws and regulations, there is no guarantee that we will not be subject to investigation, enforcement actions or other proceedings by governmental bodies or that our costs relating to privacy, data protection or cybersecurity laws and regulations will not increase significantly. Enforcement actions, investigations and other proceedings can be costly, require significant time and attention of management and other personnel and interrupt regular operations of our business. In addition, there has been a developing trend of civil lawsuits and class actions relating to breaches of consumer data held by large companies. While we have not been named in any such suits, we may be in the future, including if we were to suffer a security breach or incident. Any inability to adequately address concerns relating to privacy, data protection or cybersecurity, even if unfounded, or to comply with applicable laws, regulations, policies, industry standards, contractual obligations or other legal obligations could result in additional cost and liability to us, damage our reputation, inhibit sales and adversely affect our business. Our actual or alleged failure to comply with applicable laws and regulations could result in investigation, enforcement actions or other proceedings against us, including fines and public censure, claims for damages by customers and other affected individuals, damage to our reputation and loss of goodwill (both in relation to existing customers and prospective customers), any of which could harm our business, results of operations and financial condition.

We are highly dependent on the members of our senior management, sales, marketing, operations and research and development staff. Our future success will depend in part on our ability to retain our key employees and to identify, hire and retain additional personnel. Competition for qualified personnel in the medical device industry is intense and finding and retaining qualified personnel with experience in our industry is very difficult. We believe there are only a limited number of individuals with the requisite skills to serve in many of our key positions and we face significant competition for key personnel and other employees, from other medical equipment and software manufacturers, technology companies, universities and research institutions. Fluctuations in labor availability globally, including labor shortages and staff burnout and attrition, may also impact our ability to hire and retain personnel critical to our manufacturing, logistics, and commercial operations. As a result, we may not be able to retain our existing employees or hire new employees quickly enough to meet our needs. Moreover, we have from time to time conducted reductions in force in order to optimize our organizational structure and reduce costs, some of which were substantial, and certain senior personnel have also departed for various reasons. For example, in October 2023, we informed affected employees of a cost savings initiative to reduce operating expenses resulting in the elimination of approximately 5.9 percent of our global workforce. At the same time, we may face high turnover among employees that are critical to our ongoing operations, requiring us to expend time and resources, including financial resources, to source, train and integrate new employees. The challenging markets in which we compete for talent may also require us to invest significant amounts of cash and equity to attract and retain employees. In addition, a significant portion of our compensation to our key employees is in the form of stock related grants. A prolonged depression in our stock price could make it difficult for us to retain our key and other employees and recruit additional qualified personnel and we may have to pay additional compensation to employees to incentivize them to join or stay with us. We do not maintain, and do not currently intend to obtain, key employee life insurance on any of our personnel. If we fail to hire and retain key personnel and other employees, we may be unable to continue to grow our business successfully.

The medical device industry in general and the non-invasive cancer treatment field in particular are subject to intense and increasing competition and rapidly evolving technologies. Because our products often have long development and government approval cycles, we must anticipate changes in the marketplace and the direction of technological innovation and customer demands. To compete successfully, we will need to continue to demonstrate the advantages of our products and technologies over well-established alternative procedures, products and technologies, and convince physicians and other healthcare decision makers of the advantages of our products and technologies. Traditional surgery and other forms of minimally invasive procedures, brachytherapy, chemotherapy or other drugs remain alternatives to the CyberKnife and TomoTherapy platforms. We consider the competition for the CyberKnife and TomoTherapy platforms to be existing radiation therapy systems, primarily using C-arm linacs, which are sold by large, well-capitalized companies with significantly greater market share and resources than we have. Several of these competitors are also able to leverage their fixed sales, service and other costs over multiple products or product lines. In particular, we compete with a number of existing radiation therapy equipment companies, including Varian Medical Systems, Inc., a Siemens Healthineers company ("Varian"), Elekta AB ("Elekta"), RefleXion Medical Inc. and Zap Surgical Systems. Varian has been the leader in the external beam radiation therapy market for many years and has the majority market share for radiation therapy systems worldwide. In general, because of aging demographics and attractive market factors in oncology, we believe that new competitors will enter the radiosurgery and radiation therapy markets in the years ahead. In addition, some manufacturers of conventional linac based radiation therapy systems, including Varian and Elekta, have products that can be used in combination with body and/or head frames and image guidance systems to perform both radiosurgical and radiotherapy procedures. Furthermore, many government, academic and business entities are investing substantial resources in research and development of cancer treatments, including surgical approaches, radiation treatment, MRI-guided radiotherapy systems, proton therapy systems, radiopharmaceutical/pharmaceutical treatments, gene therapy (which is the treatment of disease by replacing, manipulating, or supplementing nonfunctional genes) and other approaches. Successful developments that result in new approaches for the treatment of cancer could reduce the attractiveness of our products or render them obsolete. Our future success will depend in large part on our ability to establish and maintain a competitive position in current and future technologies. Rapid technological development may render the CyberKnife and TomoTherapy platforms and their technologies obsolete. Many of our competitors have or may have greater corporate, financial, operational, sales and marketing resources, and more experience and resources in research and development than we have. We cannot assure you that our competitors will not succeed in developing or marketing technologies or products that are more effective or commercially attractive than our products or that would render our technologies and products obsolete or less useful. We may not have the financial resources, technical expertise, marketing, distribution or support capabilities to compete successfully in the future. In addition, some of our competitors may compete by changing their pricing model or by lowering the price of their products. If we are unable to maintain or increase our selling prices, our revenue and gross margins may suffer. Our success will depend in large part on our ability to maintain a competitive position with our technologies. In addition to competition from technologies performing similar functions as our platforms, competition also exists for the limited capital expenditure budgets of our customers. For example, our platforms may compete with other equipment required by a radiation therapy department for financing under the same capital expenditure budget, which is typically limited. A purchaser, such as a hospital or cancer treatment center, may be required to select between the two items of capital equipment. Our ability to compete may also be adversely affected when purchase decisions are based solely upon price, since our products are premium-priced systems due to their higher level of functionality and performance.

Our business and results of operations are materially affected by conditions in the global markets and the economy generally. Concerns over economic and political stability; inflation levels and related efforts to mitigate inflation; a potential recession; the level of U.S. national debt, the U.S. debt credit rating and U.S. budgetary concerns; currency fluctuations and volatility; the rate of growth of Japan, China and other Asian economies, including the impact of the China anti-corruption campaign and timing of China stimulus program on those economies; unemployment; the availability and cost of credit; trade relations, including the imposition of various sanctions and tariffs in other countries; the duration and severity of the ongoing recovery from the COVID-19 pandemic; energy costs; instability in the banking and financial services sector and geopolitical uncertainty and conflict, and forthcoming changes in the U.S. presidential administration, have contributed to increased volatility and diminished expectations for the economy and the markets in general. In turn, periods of economic slowdown or recession could lead to a reduction in demand for our products and services, which in turn would reduce our revenues and adversely affect our results of operations and our financial position. The results of these macroeconomic conditions, and the actions taken by governments, central banks, companies, and consumers in response, have and may continue to result in higher inflation in the U.S. and globally, which has led to an increase in costs and caused changes in fiscal and monetary policy, including increased interest rates. Other adverse impacts of recent macroeconomic conditions that have impacted us and may continue to impact us are foreign exchange rate fluctuations, supply chain constraints, logistics challenges, and fluctuations in labor availability. Thus, if general macroeconomic conditions deteriorate, our business and financial results could be materially and adversely affected. In an inflationary environment, we may be unable to raise the prices of our products and services sufficiently to keep up with the rate of inflation. Impacts from inflationary pressures could be more pronounced and materially adversely impact aspects of our business where revenue streams and cost commitments are linked to contractual agreements that extend many years into the future, as we may not be able to quickly or easily adjust pricing, reduce costs, or implement counter measures. A higher inflationary environment can also negatively impact raw material, component, and logistics costs that, in turn, has increased the costs of producing and distributing our products. For example, inflationary pressures beginning in fiscal year 2023 have resulted in rising costs for certain materials, including increased logistics and duties costs, that have adversely affected our gross margins, which have had a material effect on our business, financial condition or results of operations. Continued pressure from these inflationary factors could further exacerbate these effects. Further, the U.S. federal government has called for, or enacted, substantial changes to healthcare, trade, fiscal, and tax policies, which may include changes to existing trade agreements and may have a significant impact on our operations. For example, the United States has imposed tariffs on certain foreign products, including from China, that have resulted in and may result in future retaliatory tariffs on U.S. goods and products. We cannot predict whether these policies will continue, or if new policies will be enacted, or the impact, if any, that any policy changes could have on our business. In addition, failure of the U.S. Government to pass a budget in a timely manner or any reductions in healthcare spending in the budget may adversely impact us or our customers. If economic conditions worsen, or new legislation is passed related to the healthcare system, trade, fiscal or tax policies, customer demand may not materialize to levels we require to achieve our anticipated financial results, which could have a material adverse effect on our business, financial condition and results of operations. Additionally, inflation and the ongoing supply chain challenges and logistics costs have materially affected our gross margins and net income (loss), and we expect that gross margins and net income (loss) will continue to be adversely affected by increased material costs and freight and logistic expenses through fiscal year 2025, and potentially longer. In addition, we expect inflation and the ongoing supply chain challenges and logistics costs to impact our cash from operations through fiscal year 2025. The uncertain macroeconomic environment, including volatile credit markets and concerns regarding the availability and cost of credit, increased interest rates, inflation, reduced economic growth or a recession, instability in the banking and financial services sector, and concerns relating to changes in the U.S. presidential administration, in any of the geographic areas where we do business, could impact consumer and customer demand for our products and services, as well as our ability to manage normal commercial relationships with our customers, suppliers and creditors, including financial institutions, and the ability of our customers to meet their obligations to us. For example, in the United States, at least one customer declared bankruptcy in fiscal 2023 causing us to increase our bad debt reserve due to the expectation that they will be unable to pay us. Further, some of our customers have been delayed in obtaining, or have not been able to obtain, necessary financing for their purchases of the CyberKnife or TomoTherapy platforms. In addition, some of our customers have been delayed in obtaining, or have not been able to obtain, necessary financing for the construction or renovation of facilities to house the CyberKnife or TomoTherapy platforms, the cost of which can be substantial. These delays have, in some instances, led to our customers postponing the shipment and installation of previously ordered systems or cancelling their system orders and may cause other customers to postpone their system installation or to cancel their agreements with us. Reduced budgets and lower capital deployment priority for radiotherapy equipment, along with longer customer installation timelines, in the United States have also negatively impacted our net revenue since fiscal year 2024, and we expect this will continue to have an impact through fiscal year 2026. A continuation or further deterioration of the adverse economic environment would further increase delays and order cancellations, or affect our ability to collect from our customers, any of which would continue to adversely affect revenues, and therefore, harm our business and results of operations.

We derive most of our revenue from our international operations, and we plan to continue expanding our business in international markets in the future. In addition, we have employees engaged in R&D, manufacturing, administration, manufacturing, support and sales and marketing activities. As a result of our international operations, in addition to similar risks we face in our U.S. operations, we are affected by economic, business, regulatory, social, and political conditions in foreign countries, including the following: - economic or political instability in the world or in particular regions or countries in which we do business, including the market volatility resulting from conflicts or war, such as the Russia-Ukraine and the Middle East conflicts and changes in the U.S. presidential administration;- import delays;- changes in foreign laws and regulations governing, among other matters, the clearance, approval and sales of medical devices;- compliance with differing foreign regulatory requirements to sell and market our products;- U.S. relations with the governments of the foreign countries in which we operate, which may, among other things, affect our access to such markets, including China, where our JV is located;- longer payment cycles associated with many customers outside the United States;- inability of customers to obtain requisite government approvals, such as customers in China, including customers of the JV, obtaining one of the limited number of Class A or Class B user licenses available in order to purchase our products;- effective compliance with privacy, data protection and information security laws, such as the European Union ("EU") General Data Protection Regulation (the "GDPR") and new regulations in China;- adequate coverage and reimbursement for the CyberKnife and TomoTherapy platform treatment procedures outside the United States;- failure of local laws to provide the same degree of protection against infringement of our intellectual property;- protectionist laws and business practices that favor local competitors;- U.S. trade and economic sanctions policies that are in effect from time to time and the possibility that foreign countries may impose additional taxes, tariffs or other restrictions on foreign trade;- trade restrictions that are in effect from time to time, including U.S. prohibitions and restrictions on exports of certain products and technologies to certain nations and customers;- the unfamiliarity of shipping companies and other logistics providers with U.S. export control laws, which may lead to their unwillingness to ship or delays in shipping, our products to certain nations and customers despite such shipments being permitted under such laws;- the inability to obtain required export or import licenses or approvals;- risks relating to foreign currency, including fluctuations in foreign currency exchange rates possibly causing fewer sales due to the strengthening of the U.S. Dollar;- effects of and uncertainties caused by the United Kingdom's withdrawal from the European Union;- contractual provisions governed by foreign laws; and - natural disasters, such as earthquakes and fires, and global or regional health pandemics or epidemics, such as COVID-19 or data privacy or security incidents, that may have a disproportionate effect in certain geographies resulting in decreased demand or decreased ability of our employees or employees of our customers and partners to work and travel. Our inability to overcome these obstacles could harm our business, financial condition and operating results. Even if we are successful in managing these obstacles, our partners internationally are subject to these same risks and may not be able to manage these obstacles effectively. In addition, our partners internationally are subject to these same risks. If we or our partners are impacted by any of these factors, our business, financial condition and operating results could be adversely affected.

Unexpected events beyond our control, including as a result of responses to epidemics or pandemics; fires or explosions; natural disasters, such as hurricanes, floods, tornadoes and earthquakes; war or terrorist activities (including the conflicts in Russia-Ukraine and the Middle East); unplanned outages; supply disruptions; and failures of equipment or systems, including telecommunications systems, or the failure to take adequate steps to mitigate the likelihood or potential impact of such events, could significantly disrupt our operations, delay or prevent product manufacturing and shipment for the time required to repair, rebuild or replace our manufacturing facilities, which could be lengthy, result in large expenses to repair or replace the facilities, and adversely affect our business, financial condition and results of operation. Moreover, global climate change could result in certain types of natural disasters occurring more frequently or with more intense effects. The impacts of climate change may include physical risks (such as frequency and severity of extreme weather conditions),social and human effects (such as population dislocations or harm to health and well-being), compliance costs, transition risks, shifts in market trends, and other adverse effects. Such impacts may disrupt parties in our supply chain, our customers, and our operations. We have facilities in countries around the world, including two manufacturing facilities in Madison, Wisconsin and Chengdu, China, each of which is equipped to manufacture unique components of our products. We do not maintain backup manufacturing facilities for any of our manufacturing facilities or for our IT facilities, so we depend on each of our current facilities for the continued operation of our business. In addition, we conduct a significant portion of other activities, including administration and data processing, at facilities located in California, which has experienced major earthquakes and fires in the past, as well as other natural disasters. Chengdu, China, where one of our manufacturing facilities is located, has also experienced major earthquakes in the past. We do not carry earthquake insurance. Further, concerns about terrorism, the effects of a terrorist attack, political turmoil or an epidemic outbreak could have a negative effect on our operations and the operations of our suppliers and customers and the ability to travel, which could harm our business, financial condition and results of operations. For example, the COVID-19 pandemic and its effects on the global economic environment adversely impacted the pace at which our backlog converted to revenue due to delays in deliveries and installations. Additionally, China has suffered health epidemics including COVID-19, which could adversely affect our operations in China, including our manufacturing operations in Chengdu, as well as the operations of the JV and those of our customers. For example, as a result of COVID-19 related restrictions in China, sales in China decreased and we experienced delays in the JV obtaining certain necessarily regulatory approvals. In addition, risks associated with climate change are subject to increasing societal, regulatory and political focus in the U.S. and globally. While the effects of climate change in the near-and long-term are difficult to predict, shifts in weather patterns caused by climate change are expected to increase the frequency, severity, or duration of certain adverse weather conditions and natural disasters, such as hurricanes, tornadoes, earthquakes, wildfires, droughts, extreme temperatures, or flooding, which could cause more significant business and supply chain interruptions, damage to our products and facilities as well as the infrastructure of hospitals, medical care facilities, and other customers, reduced workforce availability, increased costs of raw materials and components, increased liabilities, and decreased revenues than what we have experienced in the past from such events. In addition, increased public concern over climate change has and could result in new legal or regulatory requirements designed to mitigate the effects of climate change, including regulating greenhouse gas emissions, alternative energy policies, and sustainability initiatives. Although the SEC issued an order implementing a stay of its final climate-related disclosure rules, there have also been substantial legislative and regulatory developments on climate-related issues, including proposed, issued and implemented legislation and rulemakings that would require companies to assess and/or disclose climate metrics, risks, opportunities, policies and practices by both the Securities and Exchange Commission and California. These initiatives could result in the adoption of more stringent environmental laws and regulations or stricter enforcement of existing laws and regulations, which could result in increased compliance burden and costs to meet such regulatory obligations and could also impact how we source raw materials from suppliers, our manufacturing operations, and how we distribute our products. There also may be increasing scrutiny and changing expectations from the market and other stakeholders with respect to Environmental, Social, and Governance practices. Any such developments could have a significant effect on our operating and financial decisions, including those involving capital expenditures to comply with new regulatory requirements or stakeholder expectations, which could harm our business, financial condition and results of operations.