Privacy and data security have become significant issues in the U.S., Europe and in many other jurisdictions where we conduct or may in the future conduct our operations. The regulatory framework for the collection, use, safeguarding, sharing and transfer of information worldwide is rapidly evolving and is likely to remain uncertain for the foreseeable future. Globally, virtually every jurisdiction in which we operate has established its own data security and privacy frameworks with which we must comply.
Notably, for example, on May 25, 2018, the European General Data Protection Regulation 2016/679, which is commonly referred to as GDPR, took effect. The GDPR applies to any company established in the European Economic Area ("EEA") as well as any company outside the EEA that collects or otherwise processes personal data in connection with the offering of goods or services to individuals in the EEA or the monitoring of their behavior. The GDPR enhances data protection obligations for processors and controllers of personal data, including providing information to individuals regarding data processing activities, implementing safeguards to protect the security and confidentiality of personal data, providing notification of data breaches, conducting data protection impact assessments and taking certain measures when engaging third-party processors. The GDPR imposes additional obligations and risk upon our business and substantially increases the penalties to which we could be subject in the event of any non-compliance. Failure to comply with the requirements of the GDPR may result in potential fines. The GDPR also confers a private right of action on data subjects and nonprofit organizations, acting subject to a mandate granted by the data subject, to lodge complaints with supervisory authorities, seek judicial remedies, and obtain compensation for damages resulting from violations of the GDPR.
Further, European data protection laws also prohibit the transfer of personal data from the EEA and Switzerland to third countries that are not considered to provide adequate protections for personal data, including the U.S., unless certain measures are in place. The European Commission has issued standard contractual clauses for data transfers from controllers or processors in the EU (or otherwise subject to the GDPR) to controllers or processors established outside the EU. The new standard contractual clauses require exporters to assess the risk of a data transfer on a case-by-case basis, including an analysis of the laws in the destination country. Further, the EU and United States have adopted an adequacy decision for the EU-U.S. Data Privacy Framework ("Framework"), which entered into force on July 11, 2023. This Framework provides that the protection of personal data transferred between the EU and the United States is comparable to that offered in the EU. This provides a further avenue for ensuring transfers to the United States are carried out in line with GDPR. There has been an extension to the Framework to cover Swiss transfers to the United States. The Framework could be challenged like its predecessor frameworks. This complexity and the additional contractual burden increase our overall risk exposure. There may be further divergence in the future, including with regard to administrative burdens.
In addition, we are subject to Swiss data protection laws, including the Federal Act on Data Protection, or the FADP. While the FADP provides broad protections to personal data, on September 25, 2020, the Swiss federal Parliament enacted a revised version of the FADP, which became effective September 1, 2023. The new version of the FADP aligns Swiss data protection law with the GDPR.
Further, in addition to existing European data protection law, a further European Union regulation is being proposed. The proposed regulation, known as the Regulation on Privacy and Electronic Communications, or ePrivacy Regulation, would replace the current ePrivacy Directive. New rules related to the ePrivacy Regulation are likely to include enhanced consent requirements in order to use communications content and communications metadata, as well as obligations and restrictions on the processing of data from an end-user's terminal equipment. The new ePrivacy Regulation is expected to have the same penalty regime as the GDPR. Negotiations for the ePrivacy Regulation are still ongoing as of the date of this report, and there is no final text or date for entry into force. Once agreed, the ePrivacy Regulation will come into force in two years from the twentieth day following its publication.
As another prominent example, we are also subject to data protection regulation in the UK. Following the UK's withdrawal from the EU on January 31, 2020 and the end of the transitional arrangements agreed between the UK and EU as of January 1, 2021, the GDPR has been incorporated into UK domestic law. United Kingdom-based organizations doing business in the European Union will need to continue to comply with the GDPR. Although the UK is regarded as a third country under the EU's GDPR, the European Commission recognizes the UK as providing adequate protection under the EU GDPR and, therefore, transfers of personal data originating in the EU to the UK remain unrestricted. Like the EU GDPR, the UK GDPR restricts personal data transfers outside the UK to countries not regarded by the UK as providing adequate protection. The UK government has confirmed that personal data transfers from the UK to the EEA remain free flowing. The Information Commissioner's Office, or ICO, has recently introduced new mechanisms for international transfers of personal data originating from the UK (an International Data Transfer Agreement, or IDTA, along with a separate addendum to the EU SCCs). There has also been an extension to the Framework to cover UK transfers to the United States. We will be required to implement these new safeguards when conducting restricted cross-border data transfers and doing so will require significant effort and cost.
In addition to European data protection requirements, we face a growing body of privacy and data security requirements in the United States. At the legislative level, the CCPA, which became operative on January 1, 2020 and broadly defines personal information, gives California residents expanded privacy rights and protections, and provides for civil penalties for violations and a private right of action for data breaches. Additionally, the CPRA, a ballot initiative approved in November 2020, which went into effect on January 1, 2023, significantly modified the CCPA, including by expanding consumers' rights and establishing a new state agency that has authority to implement and enforce the CCPA. Numerous other states have passed comparable legislation and many others are considering proposals for similar broad consumer privacy laws. Moreover, other states have enacted privacy laws with a more limited scope, such as the state of Washington, which has enacted legislation that is focused on health privacy, and a small number of states have enacted laws that target biometric privacy. Furthermore, the United States Federal Trade Commission and many state attorneys general are interpreting existing federal and state consumer protection laws as imposing standards for the online collection, use, dissemination, and security of data.
The regulatory framework governing the collection, processing, storage, use and sharing of certain information, particularly financial and other personal data, is rapidly evolving and is likely to continue to be subject to uncertainty and varying interpretations. In addition to new and strengthened laws and regulations in the U.S., European Union, and United Kingdom, many foreign jurisdictions have passed new laws, strengthened existing laws, or are contemplating new laws regulating personal data. For example, we are subject to stringent privacy and data protection requirements in many countries including Singapore and Japan. Additional jurisdictions with stringent data protection laws include Brazil and China. We also continue to see jurisdictions, such as Russia, imposing data localization laws, which under Russian laws require personal information of Russian citizens to be, among other data processing operations, initially collected, stored, and modified in Russia.
Preparing for and complying with the evolving application of these laws has required and will continue to require us to incur substantial operational costs and may interfere with our intended business activities, inhibit our ability to expand into certain markets or prohibit us from continuing to offer services in those markets without significant additional costs. It is possible that these laws may impose, or may be interpreted and applied to impose, requirements that are inconsistent with our existing data management practices or the features of our services and platform capabilities. Any failure or perceived failure by us, or any third parties with which we do business, to comply with our posted privacy policies, changing consumer expectations, evolving laws, rules and regulations, industry standards, or contractual obligations to which we or such third parties are or may become subject, may result in actions or other claims against us by governmental entities or private actors, the expenditure of substantial costs, time and other resources, may cause our customers to lose confidence in our solutions, harm our reputation, expose us to litigation, regulatory investigations and resulting liabilities including reimbursement of customer costs, damages, penalties or fines imposed by regulatory agencies, and require us to incur significant expenses for remediation.