Conmed (CNMD) Risk Analysis

The market for our products is characterized by rapidly changing technology.  Our future financial performance will depend in part on our ability to develop and manufacture new products on a cost-effective basis, to introduce them to the market on a timely basis, to fund studies and otherwise develop clinical data to support the efficacy of our products, and to have them accepted by surgeons and other healthcare professionals. Changes in the competitive landscape, including the development of new or competitive technologies may reduce or eliminate demand for our products and affect our financial performance. Our products also could be rendered obsolete or uneconomical by our failure to successfully develop or introduce new products and technologies, the inability to keep pace with technology, or the obsolescence of components for our existing product portfolio. In addition, many of our competitors are substantially larger with greater financial resources which may allow them to more rapidly develop or acquire new products. Additional factors that may result in delays of new product introductions or cancellation of our plans to manufacture and market new or existing products or which may impact adoption and market acceptance of our products include: - research and development delays or failures;- capital and other financial constraints;- delays or failures in securing regulatory approvals; and - the potential inability to secure clinical data demonstrating the efficacy of our products or to develop such data on a timely basis.

We rely extensively on information technology ("IT") systems for the storage, processing, and transmission of our electronic, business-related, information assets used in or necessary to conduct business.  We leverage our internal IT infrastructures, and those of our business partners or other third parties, to enable, sustain, and support our global business activities. In addition, we rely on networks and services, including internet sites, data hosting and processing facilities and tools and other hardware, software and technical applications and platforms, some of which are managed, hosted, provided and/or used by third-parties or their vendors, to assist in conducting our business. The data we store and process may include customer payment information, personal information concerning our employees, confidential financial information, and other types of sensitive business-related information. In limited instances, we may also come into possession of information related to patients of our physician customers. In addition, the laws and regulations governing security of data on IT systems and otherwise collected, processed, stored, transmitted, disclosed and disposed of by companies are evolving, adding another layer of complexity in the form of new requirements. We have made, and continue to make investments, seeking to address these threats, including monitoring of networks and systems, hiring of third party service providers with expertise in cybersecurity, employee training and security policies for employees and third-party providers. In addition, we currently maintain cybersecurity insurance, although the cost of cybersecurity insurance has been increasing and there can be no assurances that we will continue to maintain cybersecurity insurance at the same levels of coverage, or at all. Despite our security measures and those of third parties with whom we do business, our respective systems and facilities and those of our third-party vendors may be vulnerable to security incidents, disruptions, cyberattacks, ransomware, data breaches, viruses, phishing attacks and other forms of social engineering, denial-of-service attacks, third-party or employee theft or misuse and other negligent actions. Hackers, data thieves and rogue insiders are increasingly sophisticated and operate social engineering, such as phishing, and large-scale, complex automated attacks that can evade detection for long periods of time. Any breach of our or our service providers' network, or other vendor systems, may result in the loss of confidential business and financial data, misappropriation of our customers' or employees' personal information or a disruption of our business. Any of these outcomes could have a material adverse effect on our business, including unwanted media attention, impairment of our customer relationships, damage to our reputation, resulting in lost sales and consumers, fines, lawsuits, or significant legal and remediation expenses. We also may need to expend significant resources to protect against, respond to and/or redress problems caused by any breach. Insurance policies that may provide coverage with regard to such incidents may not cover any or all of the resulting financial losses. Our worldwide operations mean that we are subject to laws and regulations, including data protection and cybersecurity laws and regulations, in many jurisdictions. For example, the EU General Data Protection Regulation ("GDPR") requires us to manage personal data in the EU and may impose fines of up to four percent of our global revenue in the event of certain violations. In addition, legal requirements standards for cross-border personal data transfers from outside the U.S. are constantly changing, including the revisions made by the European Economic Area ("EEA") that require the use of revised Standard Contractual Clauses ("SCCs") for international data transfers from the EEA. The SCCs are required to be used for new agreements involving the cross-border transfer of personal data from the EEA and must be supplemented by an assessment and due diligence of the legal and regulatory landscape of the jurisdiction of the data importer, the channels used to transmit personal data and any sub-processors that may receive personal data. The UK has developed its own set of SCCs that must be used for transfers of personal data from the UK to the U.S. In July 2023, the European Commission determined that the Data Privacy Framework ("DPF"), a replacement for the invalidated EU-US Privacy Shield, ensures an adequate level of protection for EU personal data transferred to the U.S. Compliance with these changes and any future changes to data transfer or privacy requirements could potentially require us to make significant technological and operational changes, any of which could result in substantial costs, and failure to comply with applicable data protection and transfer or privacy laws requirements could subject us to fines or regulatory oversight. Likewise, the California Consumer Privacy Act ("CCPA") imposes obligations on companies that conduct business in California, and meet other requirements, with respect to the collection or sale of specified personal information. In November 2020, voters in the State of California approved the California Privacy Rights Act ("CPRA"), a ballot measure that amends and supplements the CCPA by, among other things, expanding certain rights relating to personal information and its use, collection, deletion, and disclosure by covered businesses. In addition, approximately 20 other states have adopted similar comprehensive privacy laws, which may require companies to change their practices for collecting and handling personal information. Compliance with the CCPA, the CPRA, and other state statutes, common law, or regulations designed to protect consumer, employee, or job applicant personal information could potentially require substantive technology infrastructure and process changes across many of our businesses. Any perceived failure to comply with these regulatory standards could subject us to legal and reputational risks. Misuse of or failure to secure personal information could also result in violation of data privacy laws and regulations, proceedings against the Company by governmental entities or others, damage to our reputation and credibility and could have a negative impact on revenues and profits. Further, there has been a developing trend of civil lawsuits and class actions relating to breaches of consumer data held by large companies or incidents arising from other cyber-attacks. Any data security breaches, cyber-attacks, malicious intrusions or significant disruptions could result in actions by regulatory bodies and/or civil litigation, any of which could materially and adversely affect our business, financial condition, results of operations, reputation or competitive position. Additionally, the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), including the expanded requirements under the Health Information Technology for Economic and Clinical Health Act of 2009, establish comprehensive standards with respect to the use and disclosure of protected health information ("PHI"). HIPAA imposes privacy and security obligations on covered entity health care providers, health plans, and health care clearinghouses, as well as their "business associates"-certain persons or entities that create, receive, maintain, or transmit PHI in connection with providing a specified service or performing a function on behalf of a covered entity. We are subject to HIPAA as a business associate. If we do not comply with the applicable requirements of HIPAA or applicable state privacy and security laws, we could be subject to criminal or civil sanctions that could adversely affect our financial condition. The costs of complying with privacy and security related legal and regulatory requirements are substantial and could have an adverse effect on our business. In addition, a security breach could require reporting to federal and state government entities, notification to affected individuals, expensive investigation and remediation and mitigation. Government agencies could, in their discretion, impose fines and penalties relating to the breach, which may have a material adverse effect on our business. The costs of protecting IT systems and data may increase, and there can be no assurance that these added security efforts will prevent all breaches of our IT systems or thefts of our data. We may also be exposed to potential disruption in operations, loss of customers, reputational, competitive and business harm, and significant costs from remediation, litigation and regulatory actions if our business continuity plans do not effectively address the following failures on a timely basis: - our IT systems are damaged or cease to function properly;- the networks or service providers we rely upon fail to function properly;- we fail to comply with an applicable law or regulation, such as the GDPR; or - we or one of our third-party providers suffer a loss or disclosure of our business or stakeholder information due to any number of causes ranging from catastrophic events or power outages to improper data handling or security breaches.

The ability of the FDA and foreign regulatory authorities to review and approve new products can be affected by a variety of factors, including government budget and funding levels, statutory, regulatory and policy changes, the FDA's or foreign regulatory authorities' ability to hire and retain key personnel and accept the payment of user fees, and other events that may otherwise affect the FDA's or foreign regulatory authorities' ability to perform routine functions. Average review times at the FDA and foreign regulatory authorities have fluctuated in recent years as a result. In addition, government funding of other government agencies that fund research and development activities is subject to the political process, which is inherently fluid and unpredictable. Disruptions at the FDA and other agencies may also slow the time necessary for new medical devices or modifications to approved medical devices to be reviewed and/or approved by necessary government agencies, which would adversely affect our business. For example, in recent years, the U.S. government has shut down several times and certain regulatory agencies, such as the FDA, have had to furlough critical employees and stop critical activities. In addition, the current U.S. presidential administration has issued certain policies and executive orders directed towards reducing the employee headcount and costs associated with U.S. administrative agencies, including the FDA, and it remains unclear the degree to which these efforts may limit or otherwise adversely affect the FDA's ability to conduct routine activities. If a prolonged government shutdown occurs, or if renewed global concerns, funding shortages or staffing limitations hinder or prevent the FDA or other regulatory authorities from conducting their regular inspections, reviews, or other regulatory activities, it could significantly impact the ability of the FDA or other such regulatory authorities to timely review and process our regulatory submissions, which could have a material adverse effect on our business.

Our business and facilities and those of our suppliers are subject to a number of federal, state, local and international laws and regulations governing environmental, social and governance ("ESG") matters. Governments, investors, customers, employees and other stakeholders have been increasingly focused on corporate responsibility practices and disclosures, and expectations in this area continue to rapidly evolve. Implementation of measures to meet ESG requirements and expectations involves risks and uncertainties, requires investments and depends in part on third party performance or data that is outside our control. The quickly evolving landscape could result in greater regulatory requirements or expectations of us and cause us to undertake costly initiatives to satisfy such new criteria. If we fail to comply with current or future ESG laws and regulations, we could be subject to fines or penalties, and/or be prohibited from selling our products in certain countries. Moreover, the increasing attention to corporate responsibility initiatives could also result in reduced demand for our products, reduced profits and increased litigation and exposure. If we are unable to satisfy evolving criteria, investors and other stakeholders may conclude that our policies and/or actions with respect to corporate responsibility matters are inadequate. If we fail or are perceived to have failed to comply with corporate responsibility laws and regulations, meet evolving expectations or accurately disclose our progress, we could face legal and regulatory proceedings and our reputation, business, financial condition and results of operations could be adversely impacted.

Our employees are our most important resource, and in many areas of the medical industry, competition for qualified personnel is intense. We seek to attract talented and diverse new employees and retain and motivate our existing employees. If we are unable to continue to attract or retain qualified employees, including our executives, our performance, including our competitive position, could be materially and adversely affected.

The market for our products is highly competitive and our customers have alternative suppliers.  Many of our competitors offer a range of products in areas other than those in which we compete, which may make such competitors more attractive to surgeons, hospitals, group purchasing organizations and others.  In addition, many of our competitors are large, technically competent firms with substantial assets.  Competitive pricing pressures or the introduction of new products by our competitors could have an adverse effect on our revenues.  See "Products" in Item 1 - Business for a further discussion of these competitive forces. Factors that may influence our customers' choice of competitor products include: - changes in surgeon preferences;- increases or decreases in healthcare spending related to medical devices;- our inability to supply products as a result of product recall, market withdrawal or back-order;- the introduction by competitors of new products or new features to existing products such as a replacement for AirSeal;- the introduction by competitors of alternative surgical technology; and - advances in surgical procedures, discoveries or developments in the healthcare industry.

We sell our products and services to hospitals, surgical centers, doctors and other healthcare providers, which receive reimbursement for the healthcare services provided to their patients from third-party payors, such as domestic and international government programs, private insurance plans and managed care programs. These third-party payors may deny reimbursement if they determine that a product or service used in a procedure was not in accordance with cost-effective treatment methods, as determined by the third-party payor, or was used for an unapproved indication. Third-party payors may also decline to reimburse for experimental procedures and products. In addition, third-party payors are increasingly attempting to contain healthcare costs by limiting both coverage and the level of reimbursement for medical products and services. If third-party payors deny or decline reimbursement, reduce reimbursement levels or change reimbursement models for our products, demand for our products may decline, or we may experience increased pressure to reduce the prices of our products, which could have a material adverse effect on our sales and results of operations. Our products are subject to regulation regarding quality and cost by the Centers for Medicare & Medicaid Services, as well as comparable state and non-U.S. agencies responsible for reimbursement and regulation of healthcare goods and services, including laws and regulations related to fair competition, kickbacks, false claims, self-referrals and healthcare fraud. Many states have similar laws that apply to reimbursement by state Medicaid and other funded programs as well as in some cases to all payors. In certain circumstances, insurance companies attempt to bring a private cause of action against a manufacturer for causing false claims. Any failure to comply with these laws and regulations could subject us or our officers and employees to criminal and civil financial penalties.

The results of our business are directly tied to the economic conditions in the healthcare industry and the broader economy as a whole. We believe that the healthcare industry will continue to be impacted by judicial decisions, increasing regulation, political and legal action at both the federal and state/local levels in the U.S. and internationally, and U.S. executive orders, and it is uncertain how such developments will affect our business.  We will continue to monitor and manage the impact of the overall economic environment on the Company. Market volatility and uncertainty related to inflation and its effects, which could potentially contribute to poor economic conditions, may contribute to or enhance some of the risks described herein. Any of these effects, or others that we are not able to predict, could adversely affect our business, financial condition or results of operations. Any deterioration in global economic conditions could also have material adverse effects on our business, financial condition or results of operations, even if our direct exposure to the affected region is limited. Global political trends could increase the probability of a deterioration in global economic conditions. In this regard, approximately 14% of our 2025 revenues were derived from the sale of capital products.  The sales of such products may be negatively impacted if hospitals and other healthcare providers are unable to secure the financing necessary to purchase these products or otherwise defer purchases.

Our manufacturing facilities or our suppliers' manufacturing facilities could be damaged or disrupted by, among other things, hurricanes, tornadoes, earthquakes, fires, droughts, extreme temperatures, flooding or other natural or man-made disasters, terrorist activity, interruption of utilities, epidemics, pandemics or public health crises (such as the COVID-19 pandemic). Such events may also cause broad and varied impacts to our business, including adverse impacts to our workforce and supply chain, manufacturing, sales activities, research and development, and regulatory workstreams, inflationary pressures and increased costs, schedule or production delays, market volatility and other financial impacts. If any of these events were to occur, our future results and performance could be adversely impacted. Although we have obtained property damage and business interruption insurance where we deem appropriate, a natural or man-made disaster or public health crisis in any of the areas where we or our suppliers conduct operations could result in a prolonged interruption of all or a substantial portion of our business. For example, the path of Hurricane Milton temporarily impacted our manufacturing facility in Largo, Florida. Any disruption resulting from these events could cause significant delays in shipments of products and the loss of sales and customers. We may not have insurance to adequately compensate us for any of these events. Shifts in weather patterns caused by climate change are expected to increase the frequency, severity or duration of certain adverse weather conditions and natural disasters, such as hurricanes, tornadoes, earthquakes, fires, droughts, extreme temperatures or flooding. These shifts could cause more significant business and supply chain interruptions, damage to our products and facilities as well as the infrastructure of hospitals, medical care facilities and other customers, reduced workforce availability, increased costs of raw materials and components, increased liabilities and decreased revenues than what we have experienced in the past from such events.

A significant portion of our revenues, approximately 44% of 2025 consolidated net sales, were to customers outside the U.S.  We have sales subsidiaries in a significant number of countries in Europe as well as Australia, Canada, China, Japan, and Korea.  In those countries in which we have a direct presence, our sales are denominated in the local currency and those sales denominated in local currency amounted to approximately 32% of our total net sales in 2025.  The remaining 12% of sales to customers outside the U.S. was on an export basis and transacted in U.S. dollars. Because a significant portion of our operations consist of sales activities in jurisdictions outside the U.S., our financial results may be affected by factors such as changes in foreign currency exchange rates or weak economic conditions in the markets in which we distribute products.  While we have a hedging strategy involving foreign currency forward contracts, our revenues and earnings are only partially protected from foreign currency translation if the U.S. dollar strengthens as compared with currencies such as the Euro.  Further, as of the date of this Annual Report on Form 10-K, we have not entered into any foreign currency forward contracts beyond 2027. Our international presence exposes us to certain other inherent risks, including: - imposition of limitations on conversions of foreign currencies into dollars or remittance of dividends and other payments by international subsidiaries;- imposition or increase of withholding and other taxes on remittances and other payments by international subsidiaries;- trade barriers and tariffs;- compliance with economic sanctions, trade embargoes, export controls, and the customs laws and regulations of the many countries in which we operate;- political risks, including political instability;- reliance on third parties to distribute our products;- hyperinflation in certain countries outside the U.S.; and - imposition or increase of investment and other restrictions by foreign governments. We cannot be certain that such risks will not have a material adverse effect on our business and results of operations.