Clarivate (CLVT) Risk Factors

We have incorporated, and may continue to incorporate, AI in our products and services and this incorporation of AI in our business and operations may become more significant over time. The use of generative AI, a relatively new and emerging technology in the early stages of commercial use, exposes us to additional risks, such as damage to our reputation, competitive position, and business, and additional costs. While generative AI may help provide more tailored or personalized experiences or output, if the content, analyses, or recommendations produced by any of our products or services that use or incorporate generative AI are, or are perceived to be, deficient, inaccurate, biased, unethical, or otherwise flawed, our reputation, competitive position, and business may be materially and adversely affected. Additionally, if any of our employees, contractors, vendors, or service providers use any third-party software incorporating AI in connection with our business or the services they provide to us, it may lead to the inadvertent disclosure or incorporation of our confidential, sensitive, or proprietary information into publicly available training sets which may impact our ability to realize the benefit of, or adequately maintain, protect, and enforce our intellectual property or sensitive or confidential information, harming our competitive position and business. Our ability to mitigate risks associated with disclosure of our proprietary, sensitive, or confidential information, including in connection with the use of AI, will depend on our implementation, maintenance, monitoring, and enforcement of appropriate technical and administrative safeguards, policies, and procedures governing the use of AI in our business. Any output created by us using generative AI may not be subject to copyright protection, which may adversely affect our or our customers' intellectual property rights in, or ability to commercialize or use, any such content. In addition, the use of AI may result in cybersecurity incidents that implicate the personal data of users of our AI tools or technologies. Furthermore, our competitors, customers, or other third parties may incorporate AI into their products more quickly or more successfully than us, which could impair our ability to compete effectively. If any third-party AI tools are trained using or otherwise leverage any of our proprietary data or data sets, our competitive advantage may be impaired, and our ability to commercialize our own AI tools or such data and data sets may be undermined, damaging our operations and business. The increasing use of generative AI by third parties may also negatively impact the integrity of our own proprietary data, data sets, and content databases if and to the extent that any invalid, inaccurate, biased, or otherwise flawed data produced by any such AI systems may inadvertently be incorporated in our proprietary data, data sets, or content databases, negatively affecting our reputation, relationship with publishers, and the value of our proprietary data, data sets, or content databases. As generative AI and other AI tools are relatively new, sophisticated and evolving quickly, we cannot predict all of the risks that may arise from our current or future use of AI in our business. We expect that the incorporation of AI in our business will require additional resources, including the incurrence of additional costs, to develop and maintain our AI-related products and services, to minimize potentially harmful or unintended consequences, to maintain or extend our competitive position, and to address any ethical, reputational, technical, operational, legal, or competitive issues which may arise and our customers may not accept or be able to pay a premium for advanced AI capabilities in certain of the markets in which we operate. Any of the foregoing and any similar issues, whether actual or perceived, could negatively impact our customers' experience and diminish the perceived quality and value of our products and services. As a result, the challenges presented with our use of AI could adversely affect our business, financial condition, and results of operations.

Our reputation and ability to attract, retain, and serve our customers is dependent upon the reliable performance and security of our computer systems and those of third parties that we utilize in our operations to collect, store, use, and otherwise process public records, IP, and proprietary, confidential, and sensitive data, including personal data. We expend significant resources to develop and secure our computer systems, IP, and proprietary, confidential, or sensitive data, including personal data, but they may be subject to damage or interruption from natural disasters, terrorist attacks, power loss, Internet and telecommunications failures, and cybersecurity risks such as cyberattacks, ransomware attacks, social engineering (including phishing attacks), computer viruses, denial of service attacks, physical or electronic break-ins, and similar disruptions from foreign governments, state-sponsored entities, hackers, organized cybercriminals, cyber terrorists, and individual threat actors (including malicious insiders), any of which may see their effectiveness further enhanced in the future by the use of AI. We have implemented certain systems and processes designed to thwart such threat actors and otherwise protect our computer systems and proprietary, confidential, or sensitive data, including personal data; however, the systems and processes we have adopted may not be effective, and, similar to many other global multinational companies, we have experienced and may continue to experience cyber-threats, cyberattacks and other attempts to breach the security of our systems or gain unauthorized access to our proprietary, confidential or sensitive data, including personal data. Any fraudulent, malicious, or accidental breach of our computer systems or data security protections (including due to malicious insiders or inadvertent employee errors) could result in unintentional disclosure of, or unauthorized access to, customer, vendor, employee, or our own confidential, proprietary sensitive data or other protected information, which could potentially result in additional costs to enhance security or to respond to such incidents, lost sales, violations of privacy or other laws, notifications to individuals, penalties, or litigation. Any failure of our computer systems, disruption to our operations, or unauthorized access to any of our computer systems or those of third parties upon whom we rely or with whom we partner, including our cloud computing and other service providers, vendors, contractors, and consultants, could result in, among other things, significant expense to repair, replace, or remediate such systems, equipment, or facilities, a loss of customers, legal or regulatory claims, and proceedings or fines and adversely affect our business and results of operations. Additionally, while we generally perform cybersecurity due diligence on our key vendors, service providers, contractors and consultants, if any of these third parties fail to adopt or adhere to adequate cybersecurity practices, or in the event of a breach, incident, disruption, or other compromise of their networks, computer systems, or applications, our or our customers' proprietary, confidential, or sensitive data, including personal data, may be improperly lost, destroyed, modified, accessed, used, disclosed, or otherwise processed, which could subject us to claims, demands, proceedings, and liabilities. We do not have control over the operations of the facilities of the third-party cloud computing service or other key vendors, service providers, contactors, and consultants that we use. This, coupled with the fact that we cannot easily switch our computing operations and other computer systems to other service providers, means that any disruption of or interference with our use of our current third-party cloud computing service, or the services provided by our other vendors, service providers, contractors, and consultants could disrupt our operations, and our business could be adversely impacted. Although we may have contractual protections with our third-party vendors, service providers, contractors and consultants, any actual or perceived security breach, incident, or disruption could harm our reputation and brand, expose us to potential liability, or require us to expend significant resources on cybersecurity in responding to any such actual or perceived compromise, breach, incident, or disruption and negatively impact our business. Any contractual protections we may have from our third-party vendors, service providers, contractors, and consultants may not be sufficient to adequately protect us from any such liabilities and losses, and we may be unable to enforce any such contractual protections.

Our products and services include "open source" software, and we may incorporate additional open source software in the future. Open source software is generally freely accessible, usable, and modifiable. Certain open source licenses may, in certain circumstances, require us to: (i) offer our products or services that incorporate the open source software for no cost; (ii) make available source code for modifications or derivative works we create based upon, incorporating, or using the open source software and (iii) license such modifications or derivative works under the terms of the particular open source license or otherwise unfavorable terms. The terms of many open source licenses to which we are subject have not been interpreted by U.S. or foreign courts, and there is a risk that open source licenses could be construed in a manner that imposes unanticipated conditions or restrictions on our ability to provide or distribute our products or services. While we try to insulate our proprietary software, including our AI tools, from the effects of such open source license provisions, we cannot guarantee that we will be successful, that all open source software is reviewed prior to use in our products, that our developers have not incorporated open source software into our products in potentially disruptive ways, or that they will not do so in the future. If an author or other third party that distributes open source software we use were to allege that we had not complied with the conditions of one or more of these licenses, we could be required to incur significant legal expenses defending against such allegations. If such third parties are successful, we could be subject to liability, be required to make our proprietary software source code available under an open source license, purchase a license (which, if available, could be costly), or cease offering the implicated products or services unless and until we can re-engineer them to avoid infringement. This re-engineering process could require significant additional research and development resources, and we may not be able to complete it successfully on a timely basis, or at all. We could also be subject to suits by parties claiming ownership of what we believe to be open source software. Any litigation could be costly for us to defend, and adversely affect our business, financial condition, and results of operations. In addition to risks related to open source license requirements, use of certain open source software may pose greater risks than use of third-party commercial software, since open source licensors generally do not provide warranties or controls on the origin of software or other contractual protections regarding infringement claims or the quality of the code, including with respect to security vulnerabilities. Moreover, some open source projects have known security and other vulnerabilities and architectural instabilities, or are otherwise subject to security attacks due to their wide availability, and are provided on an "as-is" basis. There is typically no support available for open source software, and we cannot ensure that the authors of such open source software will implement or push updates to address security risks or will not abandon further development and maintenance. Further, our use of any AI tools that use or incorporate any open source software may heighten any of the foregoing risks. Any of these risks could be difficult to eliminate or manage, and, if not addressed, could adversely affect our business, financial condition, and results of operations.

The markets for our products and services are highly competitive and are subject to rapid technological changes and evolving customer demands and needs. We compete on the basis of various factors, including the quality of content embedded in our databases, customers' perception of our products relative to the value that they deliver, user interface of the products and the quality of our overall offerings. Many of our principal competitors are established companies that have substantial financial resources, recognized brands, technological expertise and market experience, and these competitors sometimes have more established positions in certain product lines and geographies than we do. We also compete with smaller and sometimes newer companies, some of which are specialized with a narrower focus than our company, and with other Internet services companies and search providers. New and emerging technologies, including without limitation, AI, can also have the impact of allowing start-up companies to enter the market more quickly than they would have been able to in the past. In addition, some of our competitors combine competing products with complementary products as packaged solutions, which could pre-empt use of our products or solutions and some of our customers may decide to independently develop certain products and services. If we fail to compete effectively, our financial condition and results of operations would be adversely affected.

Our ability to attract and retain customers is affected by external perceptions of our brand and reputation. Failure to protect the reputation of our brands may adversely impact our credibility as a trusted source of content and may have a negative impact on our business. In addition, in certain jurisdictions we engage sales agents in connection with the sale of certain of our products and services. Poor representation of our products and services by agents, or entities acting without our permission, could have an adverse effect on our brands, reputation, and business.

We use AI, including machine learning and generative AI, in our business. To the extent that we do not have sufficient rights to use any data or other material or content produced by generative AI in our business, if we inadvertently expose third-party data or other material or content to AI, or if we experience cybersecurity incidents in connection with our use of AI, it could adversely affect our reputation and expose us to legal liability or regulatory risk, including with respect to third-party intellectual property, privacy, publicity, contractual, or other rights. The regulatory framework for AI and similar technologies, and automated decision making, is changing rapidly. New laws and regulations, or the interpretation of existing laws and regulations, in any of the jurisdictions in which we operate may affect our ability to leverage AI and may expose us to legal and regulatory risks, government enforcement, or civil suits and may result in increases in our operational and development expenses that impact our ability to develop, earn revenue from, or utilize any products or services incorporating AI. As the regulatory framework for machine learning technology, generative AI, and automated decision making evolves, our business, financial condition, and results of operations may be adversely affected. It is possible that new laws and regulations will be adopted in both U.S. and non-U.S. jurisdictions, such as the European Union's ("EU") proposed Artificial Intelligence Act, which, if enacted, would have a material impact on the way AI is regulated in the EU, including significant fines for violations related to offering prohibited AI systems or data governance, high-risk AI systems and for supplying incorrect, incomplete, or misleading information to EU and member state authorities. It is also possible that existing laws and regulations may be interpreted in ways that would affect the operation of our business, including our data analytics products and services and the way in which we use AI and similar technologies in our business. We may not be able to adequately anticipate or respond to these evolving laws and regulations, and we may need to expend additional resources to adjust our products or services in certain jurisdictions if applicable legal frameworks are inconsistent across jurisdictions. Furthermore, in the U.S., a number of civil lawsuits have been initiated related to AI, which may, among other things, require us to limit the ways in which our AI tools and technologies are trained, refined, or implemented, and may affect our ability to develop products or services using or incorporating AI. While AI-related lawsuits to date have generally focused on certain foundational AI service providers and LLMs, our use of any output produced by generative AI may expose us to claims, including without limitation related to the permitted uses of certain content, increasing our risks of liability. In addition, because these technologies are themselves highly complex and rapidly developing, it is not possible to predict all of the legal or regulatory risks that may arise relating to our use of such technologies. The costs related to any litigation and to comply with such laws or regulations could be significant and would increase our operating expenses, which could adversely affect our business, financial condition, and results of operations.

In the ordinary course of business, we collect, store, use, and transmit certain types of information that are subject to different laws and regulations. In particular, data security and data protection laws and regulations that we are subject to often vary significantly by jurisdiction. For example, in the U.S., there are numerous federal, state, and local privacy, data protection, and cybersecurity laws, rules, and regulations governing the collection, storage, transmission, use, and other processing of personal data and Congress has considered, and continues to consider, many proposals for additional comprehensive national data privacy and cybersecurity legislation. At the state level, we are subject to laws, rules, and regulations, such as the California Consumer Privacy Act (as amended by the California Privacy Rights Act (collectively, "CCPA")), which imposes requirements, including disclosure requirements, access rights, opt out rights, and the right to request deletion of personal information, on covered companies that process California consumers' personal information and provides for civil penalties for violations as well as a private right of action for certain data breaches. A number of other states have enacted, or are in the process of enacting or considering, similar comprehensive state-level privacy, data protection, and cybersecurity laws, rules, and regulations, creating the potential for a patchwork of overlapping but different state laws. In addition, all 50 states have laws that require the provision of notification for security breaches of personal information to affected individuals, state officers, or others. Possible consequences for non-compliance with these various state laws include enforcement actions in response to rules and regulations promulgated under the authority of federal agencies and state attorneys general and legislatures and consumer protection agencies. Outside of the United States, an increasing number of laws, rules, regulations, and industry standards apply to privacy, data protection, and cybersecurity, such as the EU's General Data Protection Regulation ("GDPR") and the UK's Data Protection Act 2018 as supplemented by the GDPR as implemented into UK law (collectively, "UK GDPR"), both of which impose similar, stringent data protection requirements. The GDPR and UK GDPR are wide-ranging in scope and impose numerous additional requirements on companies that process personal data, including imposing special requirements in respect of the processing of personal data, requiring that consent of individuals to whom the personal data relates is obtained in certain circumstances, requiring additional disclosures to individuals regarding data processing activities, requiring that safeguards are implemented to protect the security and confidentiality of personal data, creating mandatory data breach notification requirements in certain circumstances, and requiring that certain measures (including contractual requirements) are put in place when engaging third-party processors. The GDPR and UK GDPR also provide individuals with various rights in respect of their personal data, including rights of access, erasure, portability, rectification, restriction, and objection. Failure to comply with the GDPR and the UK GDPR can result in significant fines and other liability. While the UK GDPR currently imposes substantially the same obligations as the GDPR, the UK GDPR will not automatically incorporate changes to the GDPR going forward, which creates a risk of divergent parallel regimes and related uncertainty, along with the potential for increased compliance costs and risks for affected businesses. Legal developments in the European Economic Area ("EEA") and the UK, including rulings from the Court of Justice of the European Union, have also created complexity and uncertainty regarding processing and transfers of personal data from the EEA and the UK to the United States and other countries outside the EEA and the UK that have not been determined by the relevant data protection authorities to provide an adequate level of protection for privacy rights. Data security and data protection laws and regulations are continuously evolving and there are currently a number of legal challenges to the validity of EU mechanisms for adequate data transfers such as the EU-US Data Privacy Framework and the European Commission's Standard Contractual Clauses. Although we have implemented policies and procedures that are designed to ensure compliance with applicable privacy and data security laws, rules and regulations, the efficacy and longevity of these policies and procedures remains uncertain, and if our privacy or data security measures fail to comply with applicable current or future laws and regulations, including, without limitation, the EU ePrivacy Regulation, GDPR, UK GDPR and CCPA as well as those of other countries such as India's Digital Personal Data Protection Act 2023, we will likely be required to modify our data collection or processing practices and policies in an effort to comply with such laws and regulations, and we could be subject to increased costs, fines, litigation, regulatory investigations, and enforcement notices requiring us to change the way we use personal data or our marketing practices or other liabilities such as compensation claims by individuals affected by a personal data breach, as well as negative publicity and a potential loss of business. Additionally, we may be bound by contractual requirements applicable to our collection, storage, transmission, use, and other processing of proprietary, confidential, and sensitive data, including personal data, and may be bound or asserted to be bound by, or voluntarily comply with, self-regulatory or other industry standards relating to these matters.

Our future success depends to a large extent on the continued service of our employees, including our experts in research and analysis, as well as colleagues in sales, marketing, product development, critical operational roles, and management, including our executive officers. We must maintain our ability to attract, motivate, and retain highly qualified employees in our respective segments in order to support our customers and achieve business results. In addition, as the world evolves in the wake of the COVID-19 pandemic, we have begun to adopt and implement return to office plans for our workforce. Certain of our employees who have benefited from the ability to work remotely may be resistant to calls to return to the office. To the extent plans we adopt are more restrictive than those of others in our industry, our ability to attract and retain talent may be materially and adversely affected. The loss of the services of key personnel and our inability to recruit effective replacements or to otherwise attract, motivate, or retain highly qualified personnel could have a material adverse effect on our business, financial condition, and operating results.

Substantially all our products and services are developed using data, information or services obtained from third-party providers and public sources or are made available to our customers or are integrated for our customers' use through information and technology solutions provided by third-party service providers. We have commercial relationships with third-party providers whose capabilities complement our own and, in some cases, these providers are also our competitors. The priorities and objectives of these providers, particularly those that are our competitors, may differ from ours, which may make us vulnerable to unpredicted price increases and unfavorable licensing terms. Agreements with such third-party providers periodically come up for renewal or renegotiation, and there is a risk that such negotiations may result in different rights and restrictions which could impact our customers' use of the content. From time to time, we may also receive notices from third parties claiming infringement by our products and services of third-party patent and other IP rights and as the number of products and services in our markets increases and the functionality of these products and services further overlaps with third-party products and services, we may become increasingly subject to claims by a third party that our products and services infringe on such party's IP rights. Moreover, providers that are not currently our competitors may become competitors or be acquired by or merge with a competitor in the future, any of which could reduce our access to the information and technology solutions provided by those companies. Any of the foregoing risks may be exacerbated by our use of AI, or that of our competitors or third-party service providers. If we do not maintain, or obtain the expected benefits from, our relationships with third-party providers or if a substantial number of our third-party providers or any key service providers were to withdraw their services, we may be less competitive, our ability to offer products and services to our customers may be negatively affected, and our results of operations could be adversely impacted.

We have international operations and, accordingly, our business is subject to risks resulting from differing legal and regulatory requirements, political, social and economic conditions and unforeseeable developments in a variety of jurisdictions. Our international operations are subject to the following risks, among others: - political instability;- international hostilities (including the ongoing war between Russia and Ukraine and related sanctions, the ongoing war between Israel and Hamas, the renewed tensions between Serbia and Kosovo, and related negative economic impacts), military actions, terrorist or cyber-terrorist activities, natural disasters, pandemics, and infrastructure disruptions;- China's domestic policy and increased preference for nationalized content;- differing economic cycles and adverse economic conditions;- unexpected changes in regulatory environments and government interference in the economy and the possibility that the U.S. could default on its debt obligations;- high inflationary pressures and consistently high interest rates;- differing labor regulations in locations where we have a significant number of employees;- foreign exchange controls and restrictions on repatriation of funds;- fluctuations in currency exchange rates;- insufficient protection against product piracy and differing protections for IP rights;- varying regulatory and legislative frameworks regarding the use and implementation of AI;- varying attitudes towards censorship and the treatment of information service providers by foreign governments, particularly in emerging markets;- various trade restrictions (including trade and economic sanctions and export controls prohibiting or restricting transactions involving certain persons and certain designated countries or territories) and anti-corruption laws (including the U.S. Foreign Corrupt Practices Act and the UK Bribery Act 2010);- possible difficulties in enforcing a U.S. judgment against us or our directors and officers residing outside the United States, or asserting securities law claims outside of the United States; and - protecting your interests as a shareholder due to the differing rights of shareholders under Jersey law, where we are incorporated. Our overall success as a global business depends, in part, on our ability to anticipate and effectively manage these risks, and there can be no assurance that we will be able to do so without incurring unexpected costs. If we are not able to manage the risks related to our international operations, our business, financial condition and results of operations may be materially affected. In addition, the international scope of our business operations subjects us to multiple overlapping tax regimes that can make it difficult to determine what our obligations are in particular situations, and relevant tax authorities may interpret rules differently over time. These tax regimes may relate to corporate income taxes, withholding taxes on remittances, payments by our partnerships or subsidiaries, withholding taxes on share-based compensation, and adverse tax consequences of a U.S. person exceeding a particular ownership threshold in our ordinary shares, among other issues. If any tax authority were to dispute a position we have taken or may take in the future and successfully proceed against us, this could adversely affect our cash flows and financial position, and the amounts we could be required to pay may be significant.