Blackbaud (BLKB) Risk Analysis

Fundamental to the use of our solutions is the secure collection, storage and transmission of confidential donor, customer and end user data, personally identifiable information and transaction data, including in our payment services. Despite the network, application and physical security procedures and internal control measures we employ to safeguard our systems, we have been, and in the future may be, vulnerable to a security breach, intrusion, loss or theft of confidential donor data and transaction data, which has in the past harmed and may in the future harm our business, reputation and future financial results. Furthermore, our reliance on remote access to information systems increases our exposure to potential cybersecurity incidents. Like virtually all major businesses, we are, from time to time, a target of cyberattacks, such as the Security Incident (as described below and in Note 11 to our consolidated financial statements in this report), information systems interruptions, phishing, social engineering schemes and other systems disruptions. We expect these threats to continue, some of which have been, and in the future may be, successful to varying degrees. Because the numerous and evolving cybersecurity threats used to obtain unauthorized access, disable, degrade or sabotage systems have become increasingly more complex and sophisticated, it may be difficult to anticipate these acts or to detect them for periods of time, as with the Security Incident, and we may be unable to respond adequately or timely. As these threats continue to evolve and increase, we have already devoted and expect to continue to devote significant resources in order to modify and enhance our security controls and to identify and remediate any security vulnerabilities. A compromise of our data security, such as the Security Incident, that results in customer or customer constituent personal or payment card data being obtained by unauthorized persons could adversely affect our reputation with our customers and others, as well as our operations, results of operations, financial condition and liquidity and has resulted in, and could in the future result in, litigation against us, government investigations or the imposition of fines and penalties. (See Note 11 to our consolidated financial statements in this report for information regarding litigation, government investigations, fines and penalties related to the Security Incident.) We have been, and in the future might be, required to expend significant additional capital and other resources to rectify problems caused by a security breach, including notification under data privacy laws and regulations, and incur expenses related to remediating our information security systems. Even though we carry cyber-technology insurance policies that provide insurance coverage under certain circumstances, we have in the past suffered losses and may in the future suffer losses as a result of a security breach that significantly exceed the coverage available under our insurance policies or for which we do not have coverage. (See Note 11 to our consolidated financial statements in this report for expense and insurance coverage information related to the Security Incident.) Furthermore, in the future such insurance may not be available on commercially reasonable terms, or at all. A security breach and any efforts we make to address such breach could also result in a disruption of our operations, particularly our online sales operations. The occurrence of actual cyber security events, such as the Security Incident, could magnify the severity of the adverse effects of future incidents on our business. The techniques used to obtain unauthorized access, disable or degrade service, or sabotage information systems can be difficult to detect for long periods of time and can involve difficult or prolonged assessment or remediation periods even once detected. We, therefore, cannot assure you that all potential causes of past significant incidents, including the Security Incident, have been fully identified and remediated. The steps we take may not be sufficient to prevent future significant incidents and, as a result, such incidents may occur again. A material example of the foregoing risks is the ransomware attack that in May 2020 during which a cybercriminal removed a copy of a subset of data from our self-hosted environment (the "Security Incident"). As a result of the Security Incident, we received approximately 260 specific requests from customers for reimbursement of expenses incurred by them related to the Security Incident, approximately 400 reservations of the right to seek expense recovery in the future from customers or their attorneys in the U.S., U.K. and Canada related to the Security Incident and notices of proposed claims on behalf of a number of U.K. data subjects, all of which have been fully resolved and closed or are inactive and are considered by us to have been abandoned. In addition, insurance companies representing various customers' interests through subrogation claims contacted us, and certain insurance companies filed subrogation claims in court, of which two cases remain active and unresolved. We also were a defendant in putative consumer class action cases in U.S. and Canadian courts alleging harm from the Security Incident, all of which have now been resolved. In addition, the Company reached a settlement with the SEC that fully resolved an SEC investigation of the Security Incident; entered into separate, substantially similar Administrative Orders with each of 49 state Attorneys General and the District of Columbia that fully resolved a multi-state Civil Investigative Demand and the separate Civil Investigative Demand from the Office of the Indiana Attorney General relating to the Security Incident; reached a settlement with the U.S. Federal Trade Commission (the "FTC") in connection with the Security Incident; and agreed to a Final Judgment and Permanent Injunction with the Attorney General of the State of California (the "California Judgment") relating to the Security Incident. In addition, we received notices of governmental actions or investigations by the U.S. Department of Health and Human Services, the Office of the Australian Information Commissioner and the Office of the Privacy Commissioner of Canada, each of which we now believe are now longer active actions or investigations. The terms of the California Judgment, FTC Order, the Attorneys General Administrative Orders and our settlement with the SEC require that we implement and maintain certain processes and programs and comply with certain legal requirements related to cybersecurity and data protection. Effectively implementing, monitoring and updating these requirements has been, and is expected to be over an extended period of time, expensive and time-consuming. Our failure to do so in accordance with the terms of our agreements with FTC, the Attorneys General and with the SEC, and possibly others, could expose us to additional material liability under the terms of the Administrative Orders, the SEC settlement, or otherwise. Furthermore, significant management time and Company resources have been, and are expected to continue to be, devoted to the Security Incident. In addition, publicity or developments related to the Security Incident could in the future have a range of other adverse effects on our business or prospects, including causing or contributing to loss of customer confidence, reduced customer demand, reduced customer retention, strategic growth opportunities, and associated retention and recruiting difficulties, some or all of which could be material.

Certain of our solutions, in particular our financial management and payment services solutions, relate to activity heavily regulated by government agencies in the U.S., the U.K., Canada and other countries in which we operate. The laws and regulations enforced by these agencies are proposed or enacted to deter fraud and other illicit financial transactions and to protect consumers and the financial system and are often revised or increased in scope. We have procedures and controls in place to monitor compliance with numerous federal, state and foreign laws and regulations. However, because these laws and regulations are complex, differ between jurisdictions, and are often subject to interpretation, or as a result of unintended errors, we may, from time to time, inadvertently violate these laws and regulations. Compliance with these laws and regulations is expensive and requires the time and attention of management. These costs divert capital and focus away from efforts intended to grow our business. If we do not successfully comply with laws, regulations, or policies, we could incur fines or penalties, be subject to litigation, lose existing or new customer contracts or other business, and suffer damage to our reputation.

Our market is highly competitive and rapidly evolving, and there are limited barriers to entry for many segments of this market. The companies we compete with and other potential competitors may have greater financial, technical and marketing resources, generate greater revenue and have better name recognition than we do. Also, a large, diversified software enterprise could decide to enter the market directly, including through acquisitions. Competitive pressures can adversely impact our business by limiting the prices we can charge our customers and making the adoption and renewal of our solutions more difficult. Our competitors might also establish or strengthen cooperative relationships with resellers and third-party consulting firms or other parties with whom we have had relationships, thereby limiting our ability to promote our solutions. These competitive pressures could cause our revenue and market share to decline. In addition, the introduction of solutions encompassing new technologies, such as AI (as discussed below), can render existing solutions obsolete and unmarketable. As a result, our future success will depend, in part, upon our ability to continue to enhance existing solutions and develop and introduce in a timely manner or acquire new solutions that keep pace with technological developments, satisfy increasingly sophisticated customer requirements and achieve market acceptance. If we are unable to develop or acquire on a timely and cost-effective basis new software solutions or enhancements to existing solutions or if such new solutions or enhancements do not achieve market acceptance, we may be unable to compete successfully and our business, results of operations and financial condition may be materially adversely affected.

Our solutions provide our customers payment processing capabilities that enable their constituents to make donations and purchase services using numerous payment options, including credit card and automated clearing house ("ACH") checking transactions, through secure online transactions. The provision of convenient, trusted, fast and effective payment processing services to our customers and potential customers is critical to our business, and revenue from payments processing constitutes a significant percentage of our total revenue. Increases in payment processing fees, material changes in our payment processing systems, changes to rules or regulations concerning payments or disruptions or failures in our payment processing systems or payment products, including products we use to update payment information, could materially adversely impact our customer retention and results of operation. In addition, from time to time, we encounter fraudulent use of payment methods that could result in substantial additional costs or delay, preclude planned transactions, product launches or improvements, require significant and costly operational changes, impose restrictions, limitations, or additional requirements on our business, products and services, prevent or limit us from providing our products or services in a given market and adversely impact customer retention. Furthermore, we continue to undertake system upgrades designed to improve the availability, reliability, resiliency and speed of our payments systems. These efforts are costly and time-consuming, involve significant technical complexity and risk, may divert our resources from new features and products and may ultimately not be effective. The rules of payment card associations in which we participate require that we comply with Payment Card Industry Data Security Standard ("PCI DSS") in order to preserve security of payment card data. Under PCI DSS, we are required to adopt and implement internal controls over the use, storage and security of payment card data to help prevent card fraud. Conforming our solutions and services to PCI DSS or other payment services related regulations or requirements imposed by payment networks or our customers or payment processing partners is expensive and time-consuming. However, failure to comply may subject us to fines, penalties, damages and civil liability, may impair the security of payment card data in our possession, and may harm our reputation and our business prospects, including by limiting our ability to process transactions. All Blackbaud products in scope for PCI DSS compliance meet applicable PCI DSS security requirements. In addition, we routinely subject our various data protection processes and controls to voluntary third-party review, audit or reporting, including, for example, the American Institute of Certified Public Accountants' System and Organization Controls reporting. Failure to conduct these voluntary data protection process and control reviews or to obtain and maintain audits or reports covering our data protection processes and controls may harm our reputation or our business prospects and our ability to market our solutions to our customers.

Our online social giving platforms receive a high degree of media coverage for particularly news-worthy or controversial fundraising campaigns, as well as for our fee-based business model. Although our terms of service provide express limitations on the platforms' user-initiated fundraising campaigns and reserve our right to remove content that violates our terms of service, it may not always be possible to remove such content prior to it receiving attention in the media. Negative publicity related to our online social giving platforms could have an adverse effect on the size, engagement and loyalty of our user base and could result in decreased revenue, which could adversely affect our business and financial results.

To meet our objectives successfully, we must attract and retain highly qualified personnel with specialized skill sets, including with regard to our AI products and our expansion in India, each as discussed in more detail below. If we are unable to attract and retain suitably qualified management, there could be a material adverse impact on our business. Further, we use equity incentive programs and equity awards in lieu of cash as part of our overall employee compensation agreements to both attract and retain personnel. Declines in our stock price may have in the past negatively impacted, and could again in the future negatively impact, the effectiveness of these equity incentive and related compensation programs as retention and recruiting tools. We may need to create new or additional equity incentive programs and/or compensation packages to remain competitive, which could be dilutive to our existing stockholders and/or adversely affect our results of operations.

We expect to continue licensing technologies from third parties, including applications used in our research and development activities, technologies that are integrated into our solutions and solutions that we resell. We believe that the loss of any third-party technologies currently integrated into our solutions could have a material adverse effect on our business. Our inability in the future to obtain any third-party licenses on commercially reasonable terms, or at all, could delay future solution development until equivalent technology can be identified, licensed or developed and integrated. This inability in turn could harm our business and operating results. Our use of third-party technologies also exposes us to increased risks including, but not limited to, risks associated with the integration of new technology into our solutions, the diversion of our resources from development of our own proprietary technology and our inability to generate revenue from licensed technology sufficient to offset associated acquisition and maintenance costs.

A large percentage of our customers are nonprofits, foundations, education institutions, healthcare organizations and other members of the social impact community that fully or partially rely on charitable donations. If charitable giving, including online giving, does not continue to grow or declines, it could limit our current and potential customers' ability to use and pay for our solutions and services, which could adversely affect our operating results and financial condition. In addition, we derive a significant portion of our revenue from transaction-based payment processing fees that we collect from our customers through our Blackbaud Integrated Payments solution, which enables our customers' donors to make donations and purchase goods and services using various payment options. A reduction in the growth of, or a decline in, charitable giving to these customers, whether due to deteriorating general economic conditions, the impact of past or future changes to applicable tax laws, or otherwise, could negatively impact the volume and size of such payment processing transactions and thereby adversely affect our operating results and financial condition.

We currently have non-U.S. operations primarily in the U.K., Canada, Australia, Costa Rica and India, and we intend to expand further into international markets. Expansion of our international operations has required, and will continue to require, a significant amount of attention from our management and substantial financial resources and might require us to add qualified management in these markets. For example, we are currently expanding our operations in India, which we expect will give us greater access to talent, and increase the number of our employees, including management, in India. We have rented office space in India to accommodate those new operations, although we do not currently expect to generate revenue in India in the foreseeable future. Our direct sales model requires us to attract, retain and manage qualified sales personnel capable of selling into markets outside the United States. In some cases, our costs of sales might increase if our customers require us to sell through local distributors. In addition, there is intense competition in India for skilled technology personnel, and we expect such competition to increase. As a result, we may be unable to retain our current employees in India or to hire additional new employees in India. If we are unable to grow our international operations in a cost-effective and timely manner, our business and operating results could be harmed. Increases in our international revenues denominated in foreign currencies subject us to fluctuations in foreign currency exchange rates. The expansion of our international operations has increased, and is expected to continue to increase, our exposures to gains and losses on foreign currency transactions. (See Foreign Currency Exchange Rates on page 59 for more information regarding the impact of foreign currency exchange rates on our operations.) Doing business internationally involves additional risks that could harm our operating results. Along with risks similar to those faced by our U.S. operations, our international operations are also subject to risks related to differing legal, political, social and regulatory requirements and economic conditions, including: - the imposition of additional withholding taxes or other tax on our foreign income, tariffs or restrictions on foreign trade or investment, including currency exchange and capital expropriation controls;- greater risk of a failure of our employees and partners to comply with both U.S. and foreign laws, including antitrust regulations, the U.S. Foreign Corrupt Practices Act, the U.K. Bribery Act of 2010, and any trade regulations ensuring fair trade practices;- greater risk of failure to comply with foreign country employment or other human resources laws and regulations;- the imposition of, or unexpected adverse changes in, foreign laws or regulatory requirements, including those pertaining to export restrictions, privacy and data protection, trade and employment restrictions and intellectual protections; and - general business disruptions caused by geopolitical situations and developments including, for example, in India, which has experienced in the past, and may again experience, civil unrest and terrorism and has, and may again, been involved in conflicts with other countries, such as the recent conflict with Pakistan.