Cogent Comms (CCOI) Risk Analysis

We rely on our own and third-party computer systems, hardware, software, technology infrastructure and online sites and networks for both internal and external operations that are critical to our business (collectively, "IT Systems"). We own and manage some of these IT Systems but also rely on third parties for a range of IT Systems and related products and services, including but not limited to cloud computing services. Our business depends on our ability to limit and mitigate interruptions to or degradation of the security of our networks. We face numerous and evolving cybersecurity risks that threaten the confidentiality, integrity and availability of our IT Systems, as well as trade secrets, intellectual property, personal information or other Company confidential information (collectively "Confidential Information"). We are considered a critical infrastructure provider and therefore may be more likely to be the target of cyber-attacks. Our IT Systems are subject and vulnerable to unauthorized access, social engineering/phishing, malware (including ransomware), malfeasance by insiders, human or technological error, and as a result of bugs, misconfigurations or exploited vulnerabilities in software or hardware, computer viruses, cyber-attacks, distributed denial of service ("DDOS"), and other cybersecurity risks. Additionally, any integration of artificial intelligence in our or any third party's operations, products or services is expected to pose new or unknown cybersecurity risks and challenges. We and our employees are the target of phishing attempts and compromised links, and our IT Systems are the target of attempts at unauthorized access, a small number of which have been successful in accessing non-critical areas of our IT Systems. Our customer-facing network firewall regularly suppresses cyber-attacks and our IP Network routinely manages DDOS attacks. Although none of the incidents, individually or in the aggregate, have materially impacted our operations or business, we cannot guarantee material incidents will not occur in the future. An attack on or security breach of our network could result in theft of Confidential Information, the interruption, degradation, or cessation of services, an inability to meet our service level commitments or our financial reporting obligations, and could potentially compromise customer data stored on or transmitted over our network. Cyber-attacks are expected to accelerate on a global basis in frequency and magnitude as threat actors are becoming increasingly sophisticated in using techniques and tools – including artificial intelligence – that circumvent security controls, evade detection and remove forensic evidence. As a result, we may be unable to detect, investigate, remediate or recover from future attacks or incidents, or avoid a material adverse impact to our IT Systems, Confidential Information or business. Moreover, as cyber warfare becomes a tool in asymmetric conflicts between the United States and other nations, we, as a US provider, may be targeted with increasing frequency. We cannot guarantee that our security measures will not be circumvented, thereby resulting in security events, network failures or interruptions that could impact our network security or availability and have a material adverse effect on our business, our ability to meet our financial reporting obligations, brand and reputation, financial condition and operational results. We may be required to expend significant resources to protect against such threats, and may experience a reduction in revenues, litigation (including class action lawsuits), and a diminution in goodwill, caused by a compromise of our cybersecurity. Although our customer contracts limit our liability, affected customers and third parties may seek to recover damages from us under various legal theories. We cannot guarantee that any costs and liabilities incurred in relation to an attack or incident will be covered by our existing insurance policies or that applicable insurance will be available to us in the future on economically reasonable terms or at all. In response to past attacks, we have implemented additional controls and taken and planned for other preventative actions to further strengthen our systems against future attacks. However, we cannot assure you that such measures will provide absolute security, that we will be able to react in a timely manner, or that our remediation efforts following any past or future attacks will be successful. There can also be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be fully implemented, complied with or effective in protecting our IT Systems and Confidential Information. Any adverse impact to the availability, integrity or confidentiality of our IT Systems or Confidential Information can result in legal claims or proceedings (such as class actions), regulatory investigations and enforcement actions, fines and penalties, negative reputational impacts that cause us to lose existing or future customers, and/or significant incident response, system restoration or remediation and future compliance costs. Any or all of the foregoing could materially adversely affect our business, operating results, and financial condition.

In 2025, President Trump announced new and additional tariffs for most imports, including imports from Canada, Mexico and China. As a result, China later announced and implemented retaliatory tariffs on U.S. goods and expanded export controls on certain critical raw materials, including rare earth minerals. The amount import tariffs and the number of products subject to tariffs have changed numerous times based on action by the U.S. government, and certain of these tariffs have been subsequently paused or modified. Following a meeting between President Trump and President Xi in October 2025, U.S. and China announced a temporary truce, including the U.S. suspending escalation of planned reciprocal tariffs for approximately one year and China suspending its 2025 retaliatory tariffs and pausing its export controls on rare earth minerals and other materials. The Administration also refrained from implementing the previously announced additional 100% tariff on Chinese imports. However, the tariff situation remains fluid. Given the uncertainty surrounding U.S. international trade policy and the U.S.-China relationship, we cannot predict how future changes in tariffs or trade restrictions will affect us. At least one of our primary equipment vendors manufactures and ships equipment that we purchase from China. If higher tariffs are applied to our equipment purchases, it would increase our cost of equipment and our capital expenditures. To the extent that we are unable to pass all or any such cost increases on to our customers, such cost increases could adversely affect our financial results. In addition, higher costs stemming from tariffs could lead customers to seek alternative products or services from competitors in regions not affected by such trade policies, which may further impact our financial results due to declines in our sales and operating income. As a result, our financial condition and results of operations could be adversely affected. Further, if the United States imposes additional tariffs on other countries in which we operate, those countries may respond by imposing tariffs on imports from the United States. Any such tariffs may be applied to our equipment shipments from our US operating company to our international subsidiaries, increasing our costs and impacting our financial condition and results of operations.

With the acquisition of the Cogent Fiber Business, our operations now include the ownership of a substantial fiber network. With this ownership, we assume the critical responsibility for the maintenance and repair of the entire fiber infrastructure. This introduces inherent risks that could impact our operational continuity. As historically we did not own a fiber network, this new responsibility necessitates an adjustment in our operational approach and poses challenges affecting the efficiency of maintenance activities. If we are unable to maintain our owned fiber or adequately and efficiently manage disruptions to our owned fiber network, our ability to provide services in the affected markets or parts of markets would be impaired unless we have or can obtain alternative fiber routes. Our new wavelength service is delivered as specific wavelengths on defined physical routes. Because these wave services are tied to a specific physical path, a single interruption on a route, such as a fiber cut, will affect all wavelengths on that route simultaneously. Such disruptions could result in a total loss of service for all wave customers on the affected route. In addition, we may incur unexpected and significant costs, delays or other difficulties in maintaining or repairing our fiber infrastructure, resulting in increased disruption in services to our customers. We may, as a result, lose revenue or customers.

We face significant competition from incumbent carriers, ISPs and facilities-based network operators. Relative to us, many of these providers have significantly greater financial resources, more well-established brand names, larger customer bases, sales and marketing capabilities, and more diverse strategic plans and service offerings. A number of these providers also have large bases of consumers, which makes their networks particularly attractive to content providers as they can provide a direct connection to their customers. We also face competition from new entrants to the communications services market. Many of these companies offer products and services that are similar to our products and services. Intense competition from these traditional and new communications companies has led to declining prices and margins for many communications services, and we expect this trend to continue as competition intensifies in the future. Decreasing prices for high-speed Internet services have somewhat diminished the competitive advantage that we have enjoyed as a result of our service pricing. Our Internet business is premised on the idea that customers want simple Internet access and private networks rather than a combination of such services with other services such as voice services and complex managed services. Our competitors offer such services. Should the market come to favor such services our ability to acquire and keep customers would be impaired. Our competitors may also upgrade their existing services or introduce new technologies or services, such as satellite-based Internet or 5G services that could make our services less attractive to potential customers. In our optical wavelength business, we compete with long - established network operators. These operators also have well - established brand name, larger customer bases and a sales and marketing capabilities experienced in the wavelength business. As these operators have a long history offering wavelength services, we may face challenges persuading customers to add us as a provider or to end a longstanding relationship with an existing provider. Moreover, the continuous evolution of technology may empower our competitors to upgrade their existing services or introduce new, more advanced offerings that could potentially diminish our sales of VPN and colocation services. As a consequence, we may face challenges in acquiring and retaining customers.

In the fall of 2021, we began to implement a policy designed to return the vast majority of our employees to the office. Except for a brief return to remote work at the beginning of 2022 for a portion of our workforce, we have, largely maintained a full-time, in-office requirement. This policy led to small minority of our workforce leaving our employment. Further, we are experiencing competitive challenges as other companies offer hybrid or fully remote work options. Increasing and/or continued demands to work in a hybrid or fully remote work style may reduce our ability to attract and retain employees, in particular attracting and retaining salespeople.