Blackbaud (BLKB) Risk Analysis

Fundamental to the use of our solutions is the secure collection, storage and transmission of confidential donor, customer and end user data, personally identifiable information and transaction data, including in our payment services. Despite the network, application and physical security procedures and internal control measures we employ to safeguard our systems, we have been, and in the future may be, vulnerable to a security breach, intrusion, loss or theft of confidential donor data and transaction data, which has in the past harmed and may in the future harm our business, reputation and future financial results. Furthermore, our reliance on remote access to information systems increases our exposure to potential cybersecurity incidents. Like virtually all major businesses, we are, from time to time, a target of cyberattacks, such as the Security Incident (as described below and in Note 11 to our consolidated financial statements in this report), information systems interruptions, phishing, social engineering schemes and other systems disruptions. We expect these threats to continue, some of which have been, and in the future may be, successful to varying degrees. Because the numerous and evolving cybersecurity threats used to obtain unauthorized access, disable, degrade or sabotage systems have become increasingly more complex and sophisticated, it may be difficult to anticipate these acts or to detect them for periods of time, as with the Security Incident, and we may be unable to respond adequately or timely. As these threats continue to evolve and increase, we have already devoted and expect to continue to devote significant resources in order to modify and enhance our security controls and to identify and remediate any security vulnerabilities. A compromise of our data security, such as the Security Incident, that results in customer or customer constituent personal or payment card data being obtained by unauthorized persons could adversely affect our reputation with our customers and others, as well as our operations, results of operations, financial condition and liquidity and has resulted in, and could in the future result in, litigation against us, government investigations or the imposition of fines and penalties. (See Note 11 to our consolidated financial statements in this report for information regarding litigation, government investigations, fines and penalties related to the Security Incident.) We have been, and in the future might be, required to expend significant additional capital and other resources to rectify problems caused by a security breach, including notification under data privacy laws and regulations, and incur expenses related to remediating our information security systems. Even though we may carry cyber-technology insurance policies that provide insurance coverage under certain circumstances, we have in the past suffered losses and may in the future suffer losses as a result of a security breach that exceed the coverage available under our insurance policies or for which we do not have coverage. (See Note 11 to our consolidated financial statements in this report for expense and insurance coverage information related to the Security Incident.) Furthermore, in the future such insurance may not be available on commercially reasonable terms, or at all. A security breach and any efforts we make to address such breach could also result in a disruption of our operations, particularly our online sales operations. The occurrence of actual cyber security events, such as the Security Incident, could magnify the severity of the adverse effects of future incidents on our business. The techniques used to obtain unauthorized access, disable or degrade service, or sabotage information systems can be difficult to detect for long periods of time and can involve difficult or prolonged assessment or remediation periods even once detected. We, therefore, cannot assure you that all potential causes of past significant incidents, including the Security Incident, have been fully identified and remediated. The steps we take may not be sufficient to prevent future significant incidents and, as a result, such incidents may occur again.

Certain of our solutions, in particular our financial management and payment services solutions, relate to activity heavily regulated by government agencies in the U.S., the U.K. and other countries in which we operate. The laws and regulations enforced by these agencies are proposed or enacted to deter fraud and other illicit financial transactions and to protect consumers and the financial system and are often revised or increased in scope. We have procedures and controls in place to monitor compliance with numerous federal, state and foreign laws and regulations. However, because these laws and regulations are complex, differ between jurisdictions, and are often subject to interpretation, or as a result of unintended errors, we may, from time to time, inadvertently violate these laws and regulations. Compliance with these laws and regulations is expensive and requires the time and attention of management. These costs divert capital and focus away from efforts intended to grow our business. If we do not successfully comply with laws, regulations, or policies, we could incur fines or penalties, be subject to litigation, lose existing or new customer contracts or other business, and suffer damage to our reputation.

Our market is highly competitive and rapidly evolving, and there are limited barriers to entry for many segments of this market. The companies we compete with and other potential competitors may have greater financial, technical and marketing resources, generate greater revenue and have better name recognition than we do. Also, a large, diversified software enterprise could decide to enter the market directly, including through acquisitions. Competitive pressures can adversely impact our business by limiting the prices we can charge our customers and making the adoption and renewal of our solutions more difficult. Our competitors might also establish or strengthen cooperative relationships with resellers and third-party consulting firms or other parties with whom we have had relationships, thereby limiting our ability to promote our solutions. These competitive pressures could cause our revenue and market share to decline. In addition, the introduction of solutions encompassing new technologies, such as AI, can render existing solutions obsolete and unmarketable. As a result, our future success will depend, in part, upon our ability to continue to enhance existing solutions and develop and introduce in a timely manner or acquire new solutions that keep pace with technological developments, satisfy increasingly sophisticated customer requirements and achieve market acceptance. If we are unable to develop or acquire on a timely and cost-effective basis new software solutions or enhancements to existing solutions or if such new solutions or enhancements do not achieve market acceptance, we may be unable to compete successfully and our business, results of operations and financial condition may be materially adversely affected.

Many organizations in the social impact community, including nonprofits, foundations, companies, education institutions, and healthcare organizations, have not traditionally used integrated and comprehensive software and services for their specific needs. We cannot be certain that the market for such solutions and services will continue to develop and grow or that these organizations will elect to adopt our solutions and services rather than continue to use traditional, less automated methods, attempt to develop software internally, rely upon legacy software systems, or use software solutions not specifically designed for this market. Organizations that have already invested substantial resources in other fundraising methods or other non-integrated software solutions might be reluctant to adopt our solutions and services to supplement or replace their existing systems or methods. In addition, the implementation of one or more of our software solutions can involve significant capital commitments by our customers, which they may be unwilling or unable to make. If demand for and market acceptance of our solutions and services does not increase, we might not grow our business as we expect. Furthermore, our subscription arrangements are generally for a term of three years at contract inception with three-year renewals thereafter. Our maintenance arrangement renewals are generally for a term of three years. As the end of the contract term approaches, we seek the renewal of the agreement with the customer. Historically, subscription and maintenance renewals have represented a significant portion of our total revenue. Because of this characteristic of our business, if our customers choose not to renew their subscriptions or maintenance arrangements with us on beneficial terms or at all, our business, operating results and financial condition could be harmed. Our customers' renewal rates may decline or fluctuate as a result of a number of factors, including their level of satisfaction with our solutions and services and their ability to continue their operations and spending levels due to general economic conditions, extraordinary business interruptions, client-specific financial issues or otherwise.

Our solutions provide our customers payment processing capabilities that enable their constituents to make donations and purchase services using numerous payment options, including credit card and automated clearing house ("ACH") checking transactions, through secure online transactions. The provision of convenient, trusted, fast and effective payment processing services to our customers and potential customers is critical to our business, and revenue from payments processing constitutes a significant percentage of our total revenue. Increases in payment processing fees, material changes in our payment processing systems, changes to rules or regulations concerning payments or disruptions or failures in our payment processing systems or payment products, including products we use to update payment information, could materially adversely impact our customer retention and results of operation. In addition, from time to time, we encounter fraudulent use of payment methods that could result in substantial additional costs or delay, preclude planned transactions, product launches or improvements, require significant and costly operational changes, impose restrictions, limitations, or additional requirements on our business, products and services, prevent or limit us from providing our products or services in a given market and adversely impact customer retention. Furthermore, we continue to undertake system upgrades designed to improve the availability, reliability, resiliency and speed of our payments systems. These efforts are costly and time-consuming, involve significant technical complexity and risk, may divert our resources from new features and products and may ultimately not be effective. The rules of payment card associations in which we participate require that we comply with Payment Card Industry Data Security Standard ("PCI DSS") in order to preserve security of payment card data. Under PCI DSS, we are required to adopt and implement internal controls over the use, storage and security of payment card data to help prevent card fraud. Conforming our solutions and services to PCI DSS or other payment services related regulations or requirements imposed by payment networks or our customers or payment processing partners is expensive and time-consuming. However, failure to comply may subject us to fines, penalties, damages and civil liability, may impair the security of payment card data in our possession, and may harm our reputation and our business prospects, including by limiting our ability to process transactions. All Blackbaud products in scope for PCI DSS compliance meet applicable PCI DSS security requirements. In addition, we routinely subject our various data protection processes and controls to voluntary third-party review, audit or reporting, including, for example, the American Institute of Certified Public Accountants' System and Organization Controls reporting. Failure to conduct these voluntary data protection process and control reviews or to obtain and maintain audits or reports covering our data protection processes and controls may harm our reputation or our business prospects and our ability to market our solutions to our customers.

Our online social giving platforms receive a high degree of media coverage for particularly news-worthy or controversial fundraising campaigns, as well as for our fee-based business model. Although our terms of service provide express limitations on the platforms' user-initiated fundraising campaigns and reserve our right to remove content that violates our terms of service, it may not always be possible to remove such content prior to it receiving attention in the media. Negative publicity related to our online social giving platforms could have an adverse effect on the size, engagement and loyalty of our user base and could result in decreased revenue, which could adversely affect our business and financial results.

A large percentage of our customers are nonprofits, foundations, education institutions, healthcare organizations and other members of the social impact community that fully or partially rely on charitable donations. If charitable giving, including online giving, does not continue to grow or declines, it could limit our current and potential customers' ability to use and pay for our solutions and services, which could adversely affect our operating results and financial condition. In addition, we derive a significant portion of our revenue from transaction-based payment processing fees that we collect from our customers through our Blackbaud Merchant Services solution, which enables our customers' donors to make donations and purchase goods and services using various payment options. A reduction in the growth of, or a decline in, charitable giving to these customers, whether due to deteriorating general economic conditions, the impact of past or future changes to applicable tax laws, or otherwise, could negatively impact the volume and size of such payment processing transactions and thereby adversely affect our operating results and financial condition.

We currently have non-U.S. operations primarily in the U.K., Canada, Australia, Costa Rica and India, and we intend to expand further into international markets. Expansion of our international operations has required, and will continue to require, a significant amount of attention from our management and substantial financial resources and might require us to add qualified management in these markets. For example, we are currently expanding our operations in India, which we expect will give us greater access to talent, and increase the number of our employees, including management, in India. We have rented office space in India to accommodate those new operations, although we do not currently expect to generate revenue in India in the foreseeable future. Our direct sales model requires us to attract, retain and manage qualified sales personnel capable of selling into markets outside the United States. In some cases, our costs of sales might increase if our customers require us to sell through local distributors. If we are unable to grow our international operations in a cost-effective and timely manner, our business and operating results could be harmed. Increases in our international revenues denominated in foreign currencies subject us to fluctuations in foreign currency exchange rates. The expansion of our international operations has increased, and is expected to continue to increase, our exposures to gains and losses on foreign currency transactions. (See Foreign Currency Exchange Rates on page 59 for more information regarding the impact of foreign currency exchange rates on our operations.) Doing business internationally involves additional risks that could harm our operating results. Along with risks similar to those faced by our U.S. operations, our international operations are also subject to risks related to differing legal, political, social and regulatory requirements and economic conditions, including: - the imposition of additional withholding taxes or other tax on our foreign income, tariffs or restrictions on foreign trade or investment, including currency exchange and capital expropriation controls;- greater risk of a failure of our employees and partners to comply with both U.S. and foreign laws, including antitrust regulations, the U.S. Foreign Corrupt Practices Act, the U.K. Bribery Act of 2010, and any trade regulations ensuring fair trade practices;- greater risk of failure to comply with foreign country employment or other human resources laws and regulations;- the imposition of, or unexpected adverse changes in, foreign laws or regulatory requirements, including those pertaining to export restrictions, privacy and data protection, trade and employment restrictions and intellectual protections; and - general business disruptions caused by geopolitical situations and developments.

As previously disclosed, on July 16, 2020, we contacted certain customers to inform them about the Security Incident. To date, we have received approximately 260 specific requests from customers for reimbursement of expenses incurred by them related to the Security Incident, all of which have been fully resolved and closed or are inactive and are considered by us to have been abandoned by the customers. We have also received approximately 400 reservations of the right to seek expense recovery in the future from customers or their attorneys in the U.S., U.K. and Canada related to the Security Incident,none of which resulted in claims submitted to us and are considered by us to have been abandoned by the customers. We have also received notices of proposed claims on behalf of a number of U.K. data subjects, which have been fully resolved and closed or are inactive and are considered by us to have been abandoned by the data subjects. In addition, insurance companies representing various customers' interests through subrogation claims have contacted us, and certain insurance companies have filed subrogation claims in court, of which two cases remain active and unresolved. We also were a defendant in putative consumer class action cases in Canadian courts alleging harm from the Security Incident which have now been resolved. In addition, presently, we are a defendant in putative consumer class action cases in U.S. federal courts (most of which have been consolidated under multi district litigation to a single federal court) alleging harm from the Security Incident. The plaintiffs in these cases, who generally purport to represent various classes of individual constituents of our customers, generally claim to have been harmed by alleged actions and/or omissions by us in connection with the Security Incident and assert a variety of common law and statutory claims seeking monetary damages, injunctive relief, costs and attorneys' fees, and other related relief. On May 14, 2024, the Court issued a memorandum opinion and order (1) denying the multi district litigation plaintiffs' motion for class certification, (2) granting our motion to exclude the multi district litigation plaintiffs' expert, (3) denying the multi district litigation plaintiffs' motion to exclude our expert and (4) denying all other pending motions. On July 30, 2024, the Fourth Circuit Court of Appeals denied the plaintiffs' petition for permission to appeal the Court's ruling. This litigation remains ongoing. In addition,- On March 9, 2023, the Company reached a settlement with the SEC that fully resolved the previously disclosed SEC investigation of the Security Incident;- On October 5, 2023, the Company entered into separate, substantially similar Administrative Orders with each of 49 state Attorneys General and the District of Columbia that fully resolved the previously disclosed multi-state Civil Investigative Demand and the separate Civil Investigative Demand from the Office of the Indiana Attorney General relating to the Security Incident;- On May 20, 2024, the U.S. Federal Trade Commission (the "FTC") finalized an Order (the "FTC Order") evidencing its settlement with us in connection with the Security Incident;- On June 13, 2024, we agreed to a Final Judgment and Permanent Injunction with the Attorney General of the State of California (the "California Judgment") relating to the Security Incident; and - We previously received notices of governmental actions or investigations by the U.S. Department of Health and Human Services, the Office of the Australian Information Commissioner and the Office of the Privacy Commissioner of Canada, each of which we now believe are now longer active actions or investigations. See Note 11 to our consolidated financial statements included in this report for a more detailed description of the Security Incident and related matters. The terms of the California Judgment, FTC Order, the Attorneys General Administrative Orders and our settlement with the SEC require that we implement and maintain certain processes and programs and comply with certain legal requirements related to cybersecurity and data protection. Any future regulatory investigation or litigation settlements may also contain such requirements. Effectively implementing, monitoring and updating these requirements has been, and is expected to be over an extended period of time, expensive and time-consuming. Our failure to do so in accordance with the terms of our agreements with FTC, the Attorneys General and with the SEC, and possibly others, could expose us to additional material liability under the terms of the Administrative Orders, the SEC settlement, or otherwise. We may be named as a party in additional lawsuits, other claims may be asserted by or on behalf of our customers or their constituents, and we may be subject to additional governmental inquiries, requests or investigations. Responding to and resolving these current and any future lawsuits, claims and/or investigations could result in material remedial and other expenses that will not be covered by insurance. It is reasonably possible that our estimated or actual losses may change in the near term for those matters and be materially in excess of the amounts accrued. Certain governmental authorities have imposed, and others may in the future impose, undertakings, injunctive relief, consent decrees, or other civil or criminal penalties, which have materially increased our data security costs or otherwise required us to alter how we operate our business, and could further do so in the future. Although we intend to defend ourselves vigorously against the claims asserted against us, we cannot predict the potential outcomes, cost and expenses associated with current and any future claims, lawsuits, inquiries and investigations. In addition, any legislative or regulatory changes adopted in reaction to the Security Incident or other companies' data breaches could require us to make modifications to the operation of our business that could have an adverse effect and/or increase or accelerate our compliance costs. Significant management time and Company resources have been, and are expected to continue to be, devoted to the Security Incident. For example, for full year 2024, we incurred net pre-tax expenses of $13.7 million related to the Security Incident, which included $7.0 million for ongoing legal fees and $6.8 million for settlements and recorded liabilities for loss contingencies. During 2024, we had net cash outlays of $15.9 million related to the Security Incident, which included ongoing legal fees, and the $6.8 million paid during the third quarter of 2024 related to our settlement with the Attorney General of the State of California (as discussed in Note 11). Although we carry insurance against certain losses related to the Security Incident, we exceeded the limit of that insurance coverage in the first quarter of 2022. As a result, we will be responsible for all expenses or other losses (including penalties, fines or other judgments) or all types of claims that may arise in connection with the Security Incident, which could materially and adversely affect our liquidity and results of operations. (See Note 11 to our consolidated financial statements included in this report.) If any such fines or penalties were great enough that we could not pay them through funds generated from operating activities and/or cause a default under the 2024 Credit Facilities, we may be forced to renegotiate or obtain a waiver under the 2024 Credit Facilities and/or seek additional debt or equity financing. Such renegotiation or financing may not be available on acceptable terms, or at all. In these circumstances, if we were unable to obtain sufficient financing, we may not be able to meet our obligations as they come due. In addition, publicity or developments related to the Security Incident could in the future have a range of other adverse effects on our business or prospects, including causing or contributing to loss of customer confidence, reduced customer demand, reduced customer retention, strategic growth opportunities, and associated retention and recruiting difficulties, some or all of which could be material.

To meet our objectives successfully, we must attract and retain highly qualified personnel with specialized skill sets. If we are unable to attract and retain suitably qualified management, there could be a material adverse impact on our business. Further, we use equity incentive programs and equity awards in lieu of cash as part of our overall employee compensation agreements to both attract and retain personnel. A decline in our stock price could negatively impact the effectiveness of these equity incentive and related compensation programs as retention and recruiting tools. We may need to create new or additional equity incentive programs and/or compensation packages to remain competitive, which could be dilutive to our existing stockholders and/or adversely affect our results of operations.

We expect to continue licensing technologies from third parties, including applications used in our research and development activities, technologies that are integrated into our solutions and solutions that we resell. We believe that the loss of any third-party technologies currently integrated into our solutions could have a material adverse effect on our business. Our inability in the future to obtain any third-party licenses on commercially reasonable terms, or at all, could delay future solution development until equivalent technology can be identified, licensed or developed and integrated. This inability in turn could harm our business and operating results. Our use of third-party technologies also exposes us to increased risks including, but not limited to, risks associated with the integration of new technology into our solutions, the diversion of our resources from development of our own proprietary technology and our inability to generate revenue from licensed technology sufficient to offset associated acquisition and maintenance costs.