Clover Health Investments (CLOV) Risk Factors

Numerous U.S. federal and state laws and regulations govern the collection, dissemination, use, privacy, confidentiality, security, availability and integrity of personally identifiable information ("PII"), including protected health information ("PHI"). These federal and state laws and regulations include, but are not limited to HIPAA, as amended by HITECH, which we refer to collectively as HIPAA, and the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (the "CPRA"), which took effect on January 1, 2023 (the "CCPA"). HIPAA establishes a set of basic national privacy and security standards for the protection of PHI by health plans, healthcare clearinghouses and certain healthcare providers, referred to as covered entities, which includes us, and the business associates with whom such covered entities contract for services, which also includes us. HIPAA requires healthcare payers and providers-and we are both-to develop and maintain policies and procedures with respect to PHI that is used or disclosed, including the adoption of administrative, physical and technical safeguards to protect such information. HIPAA also implemented the use of standard transaction code sets and standard identifiers that covered entities must use when submitting or receiving certain electronic healthcare transactions, including activities associated with the billing and collection of healthcare claims. Penalties for failure to comply with a requirement of HIPAA vary significantly depending on the nature of violation and could include civil monetary or criminal penalties. HIPAA also authorizes state attorneys general to file suit on behalf of their residents. Courts are able to award damages, costs and attorneys' fees related to violations of HIPAA in such cases. While HIPAA does not create a private right of action allowing individuals to sue us in civil court for violations of HIPAA, its standards have been used as the basis for duty of care in state civil suits such as those for negligence or recklessness in the misuse or breach of PHI. In addition, HIPAA mandates that HHS conduct periodic compliance audits of HIPAA-covered entities or business associates for compliance with the HIPAA Privacy and Security Standards. It also tasks HHS with establishing a methodology whereby harmed individuals who were the victims of breaches of unsecured PHI may receive a percentage of the Civil Monetary Penalty fine paid by the violator. HIPAA further requires that patients be notified of any unauthorized acquisition, access, use or disclosure of their unsecured PHI that compromises the privacy or security of such information, with certain exceptions related to unintentional or inadvertent use or disclosure by employees or authorized individuals. HIPAA specifies that such notifications must be made "without unreasonable delay and in no case later than 60 calendar days after discovery of the breach." If a breach affects 500 patients or more, it must be reported to HHS without unreasonable delay, and HHS will post the name of the breaching entity on its public web site. Breaches affecting 500 patients or more in the same state or jurisdiction must also be reported to the local media. If a breach involves fewer than 500 people, the covered entity must record it in a log and notify HHS at least annually. Numerous other U.S. federal and state laws, such as the CCPA, protect the confidentiality, privacy, availability, integrity, and security of PII, including PHI. These laws in many cases are more restrictive than, and may not be preempted by, the HIPAA rules and may be subject to varying interpretations by courts and government agencies, creating complex compliance issues for us and our providers and business associates and potentially exposing us to additional expense, adverse publicity and liability. Among other things, the CCPA gives California residents expanded data privacy rights, allowing consumers to opt out of certain data sharing with third parties, provides a private cause of action for data breaches, imposes additional obligations such as data minimization and storage limitations; on covered businesses; and forms a dedicated privacy regulator in California, the California Privacy Protection Agency, to implement and enforce the law. The CCPA marked the beginning of a trend toward more stringent state data privacy legislation in the United States, which may result in significant costs to our business, damage our reputation, and require us to amend our business practices, and could adversely affect our business, especially to the extent the specific requirements vary from those and other existing laws. Four such laws, in Virginia, Colorado, Connecticut, and Utah, have taken effect in 2023, and at least three more laws in Montana, Texas and Oregon are scheduled to take effect in 2024. Similar laws have been proposed in other states and at the federal level. If passed, such laws may have potentially conflicting requirements that would make compliance challenging. In addition, in response to such laws, we may need to update and/or change our data collection practices, which may be costly, time-consuming, and present potential liability while we adapt to comply with such legislation. New health information standards, whether implemented pursuant to HIPAA, state or federal legislative action or otherwise, could have a significant effect on the manner in which we must handle healthcare related data, and the cost of complying with standards could be significant. If we do not comply with existing or new laws and regulations related to PHI, we could be subject to criminal or civil sanctions. Because of the extreme sensitivity of the personal information, including PHI, that we store and transmit, the security features of our technology platform are very important. We also contract with third parties for important aspects of the storage and transmission of beneficiary information, and thus rely on those third parties to manage functions that have material cyber-security risks. We attempt to address these risks by requiring subcontractors who handle beneficiary information to sign business associate agreements contractually requiring those subcontractors to adequately safeguard personal health data to the same extent that applies to us and in some cases by requiring such subcontractors to undergo third-party security examinations. However, we cannot ensure that these contractual measures and other safeguards will adequately protect us from the risks associated with the storage and transmission of such information on our behalf by our subcontractors. If our security measures, some of which are managed by third parties, or those of the third parties with whom we contract, are breached or fail, unauthorized persons may be able to obtain access to sensitive provider and beneficiary data, including HIPAA-regulated PHI. As a result, our reputation could be severely damaged, adversely affecting PCP and beneficiary confidence. Beneficiaries may curtail their use of or stop using our services including the use of telehealth, or our number of beneficiaries could decrease, which would cause our business to suffer. In addition, we could face litigation, damages for contract breach, penalties and regulatory actions for violation of HIPAA and other applicable laws or regulations and significant costs for remediation, notification to individuals and for measures to prevent future occurrences. Any potential security breach could also result in increased costs associated with liability for stolen assets or information, repairing system damage that may have been caused by such breaches, incentives offered to business partners in an effort to maintain our business relationships after a breach and implementing measures to prevent future occurrences, including organizational changes, deploying additional personnel and protection technologies, training employees and engaging third-party experts and consultants. While we maintain insurance covering certain security and privacy damages and claim expenses, we may not carry insurance or maintain coverage sufficient to compensate for all liability. In any event, insurance coverage would not address the reputational damage that could result from a security incident. We also publish statements to our beneficiaries that describe how we handle and protect personal information. Any failure or perceived failure by us to maintain posted privacy policies that are accurate, comprehensive and fully implemented, and any violation or perceived violation of our privacy-, data protection-, or information security obligations to providers, beneficiaries, or other third parties could result in claims of deceptive practices brought against us. That could lead to significant liabilities and consequences, including, without limitation, governmental investigations or enforcement actions, costs of responding to investigations, defending against litigation, settling claims and complying with regulatory or court orders, all of which could have material impacts on our revenues and results of operations. Furthermore, the Federal Trade Commission and many state attorneys general continue to enforce federal and state consumer protection laws against companies for online collection, use, dissemination, and security practices that appear to be unfair or deceptive. There are also a number of legislative proposals in the United States, at both the federal and state level, that could impose new obligations or liability for copyright infringement by third parties violating those laws. We cannot yet determine the impact that future laws, regulations, and standards may have on our business.

We believe that developing widespread brand recognition and maintaining and enhancing our reputation is critical to our relationships with existing providers and beneficiaries, and to our ability to attract new providers and beneficiaries to our platform and offerings. The promotion of our brand may require us to make substantial investments, and we anticipate that, as our market becomes increasingly competitive, these marketing initiatives may become increasingly difficult and expensive. Brand promotion and marketing activities may not be successful or yield increased revenue, and to the extent that these activities yield increased revenue, the increased revenues may not offset the expenses we incur, and our results of operations could be harmed. In addition, any factor that diminishes our reputation or that of our management, including failing to meet the expectations of our providers or beneficiaries, could harm our reputation and brand and make it substantially more difficult for us to attract new providers or beneficiaries. If we do not successfully develop widespread brand recognition and maintain and enhance our reputation, our business may not grow and we could lose our relationships with providers or beneficiaries, which would harm our business, financial condition, and results of operations.

Breaches of our security measures or those of our third-party service providers or other cyber security incidents could result in unauthorized access to our sites, networks, systems, and accounts; unauthorized access to, and misappropriation of, individuals' personal identifying information, personal health information, or other confidential or proprietary information of ourselves, our beneficiaries, or other third parties; viruses, worms, spyware, or other malware being served from our platform, networks, or systems; deletion or modification of content or the display of unauthorized content on our platform; the loss of access to critical data or systems through ransomware, destructive attacks or other means; and business delays, service or system disruptions or denials of service. If any of these breaches of security should occur, we cannot guarantee that recovery protocols and backup systems will be sufficient to prevent data loss, or the interruption, disruption, or malfunction of our operations, including with respect to telehealth services. As a result, we could incur costs relating to breach remediation, deployment of additional personnel and protection technologies, and response to governmental investigations and media inquiries and coverage; be required to engage third-party experts and consultants; and face litigation, regulatory action, and other potential liabilities. Our reputation and brand could be damaged, our business may suffer, and we could be required to expend significant capital and other resources to alleviate problems caused by such breaches. Actual or anticipated security breaches or attacks may cause us to incur increasing costs, including costs to deploy additional personnel and protection technologies, train employees, and engage third-party experts and consultants. Certain of our third-party service providers provide technology-related services and/or store or have access to our data and may not have effective controls, processes, or practices to protect our information from loss, unauthorized disclosure, unauthorized use or misappropriation, cyberattacks or other data security incidents. A vulnerability in such service providers' software or systems, a failure in their safeguards, policies or procedures, or a cyber-attack or other data security incident affecting any of these third parties result in harm our business. Any compromise or breach of our security measures, or those of our third-party service providers, could violate applicable privacy, data protection, data security, network and information systems security, and other laws, and cause significant legal and financial exposure, adverse publicity, and a loss of confidence in our security measures. These factors could have a material adverse effect on our business, results of operations, and financial condition. We devote significant resources to protect against security breaches, and we may need to devote significantly more resources in the future to address problems caused by breaches, including notifying affected subscribers and responding to any resulting litigation. Any such use of resources diverts resources from the growth and expansion of our business.

We rely on cloud service providers, such as Amazon Web Services and Google Cloud, to provide the cloud computing infrastructure that we use to host our platform, products, and many of the internal tools we use to operate our business. While we control and have access to our servers, we do not control the operation of the facilities where the servers are located. While we have a long-term commitment with these cloud service providers, and our platform, products, and internal tools use computing, storage capabilities, bandwidth, and other services provided by these cloud services providers, the services providers have no obligation to renew their agreements with us on commercially reasonable terms, or at all, upon the expiration of such commitment. Any significant disruption of, limitation of our access to, or other interference with, our use of these cloud service providers could negatively impact our operations and could materially harm our business. In addition, any transition of the cloud services currently provided by these cloud service providers to another cloud services provider would require significant time and expense and could disrupt or degrade delivery of our platform. Our business relies on the availability of our platform and products for our beneficiaries and provider users, and we may lose beneficiaries and provider users if they are not able to access our platform or encounter difficulties in doing so. The level of service provided by cloud service providers could affect the availability or speed of our platform, which may also impact the usage of, and our provider users' satisfaction with, our platform and could materially harm our business and reputation. If cloud service providers increase pricing terms, terminate or seek to terminate our contractual relationship, establish more favorable relationships with our competitors, or change or interpret their terms of service or policies in a manner that is unfavorable with respect to us, or if we are unable to renew any agreement on commercially reasonable terms, we may be required to transfer our servers and other infrastructure to a different service provider, and our business, results of operations, and financial condition could be harmed. This may result in significant additional costs and possible services interruptions. Additionally, if our cloud service providers are unable to keep up with our growing needs for capacity, this could have an adverse effect on our business. For example, a rapid expansion of our business could cause the service levels provided by our cloud service providers to fail or experience delays. Any changes or disruptions in our cloud service providers' service levels could adversely affect our reputation or result in lengthy interruptions in our services and negatively affect our business.

Our business may be affected by conditions and trends in the financial markets and general economic and political conditions. The global economy, including credit and financial markets, has experienced extreme volatility and disruptions, higher cost of human capital, geopolitical uncertainty and instability, including heightened rates of inflation, higher interest rates, changes in tax policy and uncertainty about economic stability. The U.S. federal government and other governments may reduce funding for health care or other programs or make changes that adversely affect the number of persons eligible for certain programs, the services provided to enrollees in such programs and premiums we can charge. Any of these factors could have a material adverse effect on our businesses, results of operations, and cash flows. In addition, the failure of the U.S. federal government to manage its fiscal matters or to raise or further suspend the debt ceiling, and changes in the amount of federal debt, may negatively impact the economic environment, curtail spending on health and health care related matters and adversely impact our results of operations. Furthermore, on August 16, 2022, the U.S. enacted the Inflation Reduction Act of 2022, which, among other things, may significantly impact the health insurance industry. We are continuing to determine the potential effects that this legislation and others may have on our business and operating results. Any such volatility and disruptions, or a general sustained economic downturn or other developments, may have adverse consequences on us or on our third party relationships (including relationships with vendors and health care providers).

We have direct operations in Hong Kong and Canada, as well as contracted operations in other countries including the Philippines, Colombia, India, the UK, Mexico, New Zealand, Uruguay and the Dominican Republic. We may in the future expand our operations to other countries. Substantially all of our software research and development is performed internationally, by internal resources and a variety of offshore vendors in locations such as Hong Kong and India. While these arrangements may lower operating costs, they also subject us to the uncertain political climates, including political unrest and uncertainty in Hong Kong, such as Hong Kong national security law and other developments, and potential disruptions in international trade, including export control laws (such as deemed export restrictions applicable to software) and any amendments to those laws, as well as potentially increased data security and privacy risks and local economic and labor conditions. If we are unable to leverage our full software development team, this may result in decreased ability to innovate and maintain Clover Assistant and carry out health plan data operations, which may in turn lead to adverse effects on our business, financial conditions and results of operations. Additionally, we conduct certain of our call center operations in the Philippines and work with a company in India for claims processing and coding. Our oversight aimed at ensuring adherence to applicable quality and compliance standards may be more difficult with vendor companies located outside of the United States and may both make it more difficult for us to achieve our operational objectives and expose us to additional liability. Countries outside of the United States may be subject to relatively higher degrees of political and social instability and may lack the infrastructure to withstand political unrest or natural disasters. The occurrence of natural disasters, pandemics, or political or economic instability in these countries or regions could interfere with work performed by these labor sources or could result in our having to replace or reduce these labor sources. Our vendors in other countries could potentially shut down suddenly for any reason, including financial problems or personnel issues. Such disruptions could decrease efficiency, increase our costs, and have an adverse effect on our business and results of operations. The practice of utilizing labor based in foreign countries has come under increased scrutiny in the United States. Governmental authorities, including CMS, could seek to impose financial costs or restrictions on foreign companies providing services to customers or companies in the United States. Governmental authorities may attempt to prohibit or otherwise discourage us from sourcing services from offshore labor. In addition, insurance carriers may require us to use labor based in the United States for regulatory or other reasons. To the extent that we are required to use labor based in the United States, we may face increased costs as a result of higher-priced United States-based labor. Compliance with applicable U.S. and foreign laws and regulations, such as import and export requirements, anti-corruption laws, tax laws, foreign exchange controls, data privacy and data localization requirements, labor laws, and anti-competition regulations, increases the costs of doing business in foreign jurisdictions. Although we have implemented policies and procedures to comply with these laws and regulations, a violation by our employees, contractors, or agents could nevertheless occur. In some cases, compliance with the laws and regulations of one country could violate the laws and regulations of another country. Violations of these laws and regulations could materially adversely affect our brand, growth efforts, and business. Furthermore, fluctuations or weakness of the U.S. dollar in relation to the currencies used in these foreign countries may also reduce the savings achievable through our strategy of contracting out certain services and could have an adverse effect on our business, financial condition, and results of operations. Our failure to successfully manage our international operations and the associated risks effectively could limit the future growth of our business.