CrowdStrike Holdings (CRWD) Risk Factors

The market for security and IT operations solutions is intensely competitive, fragmented, and characterized by rapid changes in technology, customer requirements, industry standards, increasingly sophisticated attackers, and by frequent introductions of new or improved products or services to combat security threats. We expect to continue to face intense competition from current competitors, as well as from new entrants into the market. If we are unable to anticipate or react to these challenges, our competitive position could weaken, and we could experience a decline in revenue or reduced revenue growth, and loss of market share that would adversely affect our business, financial condition, and results of operations. Our ability to compete effectively depends upon numerous factors, many of which are beyond our control, including, but not limited to: - product capabilities, including performance and reliability, of our Falcon platform, including our cloud modules, services, and features compared to those of our competitors;- our ability, and the ability of our competitors, to improve existing products, services, and features, or to develop new ones to address evolving customer needs;- our ability to attract, retain, and motivate talented employees;- our ability to establish and maintain relationships with channel partners and direct customers;- the strength of our sales and marketing efforts;- the strength of our reputation and brand, including the impact to our reputation and brand as a result of the July 19 Incident; and - acquisitions or consolidation within our industry, which may result in more formidable competitors. Our competitors include the following by general category: - legacy antivirus product providers who offer a broad range of approaches and solutions including traditional signature-based anti-virus protection;- alternative endpoint security providers who generally offer a mix of on-premise and cloud-hosted products that rely heavily on malware-only or application whitelisting techniques;- network security vendors who are supplementing their core perimeter-based offerings with endpoint or cloud security solutions;- cloud security vendors, including those who focus on public cloud infrastructure and services;- identity security vendors that seek to identify and secure user accounts and related activities; and - professional service providers who offer cybersecurity response services. Many of our competitors have greater financial, technical, marketing, sales, and other resources, greater name recognition, longer operating histories, and a larger base of customers than we do. They may be able to devote greater resources to the development, promotion, and sale of services than we can, and they may offer lower pricing than we do. Further, they may have greater resources for research and development of new technologies, the provision of customer support, and the pursuit of acquisitions. Our larger competitors have substantially broader and more diverse product and services offerings as well as routes to market, which allows them to leverage their relationships based on other products or incorporate functionality into existing products to gain business in a manner that discourages users from purchasing our platform, including our cloud modules. Conditions in our market could change rapidly and significantly as a result of technological advancements, including with respect to AI. Our competitors may more successfully incorporate AI into their products, gain or leverage superior access to certain AI technologies, and achieve higher market acceptance of their AI solutions. Conditions in our market could also change rapidly and significantly due to partnering or acquisitions by our competitors or continuing market consolidation. Some of our competitors have recently made acquisitions of businesses or have established cooperative relationships that may allow them to offer more directly competitive and comprehensive solutions than were previously offered and adapt more quickly to new technologies and customer needs. These competitive pressures in our market or our failure to compete effectively may result in price reductions, fewer orders, reduced revenue and gross margins, increased net losses and loss of market share. Further, competitors that specialize in providing protection from a single type of security threat may be able to deliver these targeted security products to the market quicker than we can or convince organizations that these limited products meet their needs. Even if there is significant demand for cloud-based security solutions like ours, if our competitors include functionality that is, or is perceived to be, equivalent to or better than ours in legacy products that are already generally accepted as necessary components of an organization's IT security architecture, we may have difficulty increasing the market penetration of our solutions. Furthermore, even if the functionality offered by other security and IT operations providers is more limited than the functionality of our platform, organizations may elect to accept such limited functionality in lieu of adding products from additional vendors like us. If we are unable to compete successfully, or if competing successfully requires us to take aggressive pricing or other actions, our business, financial condition, and results of operations would be adversely affected.

In order for us to maintain or improve our results of operations, it is important that our customers renew their subscriptions for our Falcon platform when existing contract terms expire, and that we expand our commercial relationships with our existing customers by selling additional cloud modules and by deploying to more endpoints in their environments. Our customers have no obligation to renew their subscription for our Falcon platform after the expiration of their contractual subscription period, which is generally one year, and in the normal course of business, some customers have elected not to renew. In addition, customers that previously signed multi-year subscription contracts may renew for shorter contract subscription lengths, and customers may cease using certain cloud modules altogether. Even if customers choose to renew their subscription of certain cloud modules, they may decline to purchase additional cloud modules or choose not to consolidate onto our Falcon platform. Our customer retention and expansion may decline or fluctuate as a result of a number of factors, including our customers' satisfaction with our services, our pricing, customer security and networking issues and requirements, our customers' spending levels, decreases in the number of endpoints to which our customers deploy our solutions, mergers and acquisitions involving our customers, industry developments, competition, the impact of the July 19 Incident, and general economic and geopolitical conditions. If our efforts to maintain and expand our relationships with our existing customers are not successful, our business, results of operations, and financial condition may materially suffer.

Our revenue recognition is difficult to predict because of the length and unpredictability of the sales cycle for our Falcon platform. Customers often view the subscription to our Falcon platform as a significant strategic decision and, as a result, frequently require considerable time to evaluate, test and qualify our Falcon platform prior to entering into or expanding a relationship with us. Large enterprises and government entities in particular often undertake a significant evaluation process that further lengthens and adds uncertainty to our sales cycle. In addition, uncertain economic conditions may lead to additional scrutiny of budgets by current and prospective customers, which has resulted in, for example, longer sales cycles for products and services, and may result in shifting demand for IT products and services, and slower adoption of new technologies. We have also experienced, and expect to continue to experience, longer sales cycles in connection with the July 19 Incident. Our direct sales team develops relationships with our customers, and works with our channel partners on account penetration, account coordination, sales and overall market development. We spend substantial time and resources on our sales efforts without any assurance that our efforts will produce a sale. Security solution purchases are frequently subject to budget constraints, multiple approvals and unanticipated administrative, processing and other delays. As a result, it is difficult to predict whether and when a sale will be completed. The failure of our efforts to secure sales after investing resources in a lengthy sales process could adversely affect our business and results of operations.

We believe our intellectual property is an essential asset of our business, and our success and ability to compete depend in part upon protection of our intellectual property rights. We rely on a combination of patent, copyright, trademark and trade secret laws, as well as confidentiality procedures and contractual provisions, to establish and protect our intellectual property rights in the United States and abroad, all of which provide only limited protection. The efforts we have taken to protect our intellectual property may not be sufficient or effective, and our trademarks, copyrights and patents may be held invalid or unenforceable. Moreover, we cannot assure you that any patents will be issued with respect to our currently pending patent applications in a manner that gives us adequate defensive protection or competitive advantages, or that any patents issued to us will not be challenged, invalidated or circumvented. We have filed for patents in the United States and in certain non-U.S. jurisdictions, but such protections may not be available in all countries in which we operate or in which we seek to enforce our intellectual property rights, or may be difficult to enforce in practice. For example, many foreign countries have compulsory licensing laws under which a patent owner must grant licenses to third parties. In addition, many countries limit the enforceability of patents against certain third parties, including government agencies or government contractors. In these countries, patents may provide limited or no benefit. Moreover, we may need to expend additional resources to defend our intellectual property rights in these countries, and our inability to do so could impair our business or adversely affect our international expansion. Our currently issued patents and any patents that may be issued in the future with respect to pending or future patent applications may not provide sufficiently broad protection or they may not prove to be enforceable in actions against alleged infringers. We may not be effective in policing unauthorized use of our intellectual property, and even if we do detect violations, litigation or technical changes to our products may be necessary to enforce our intellectual property rights. Protecting against the unauthorized use of our intellectual property rights, technology and other proprietary rights is expensive and difficult, particularly outside of the United States. Any enforcement efforts we undertake, including litigation, could be time-consuming and expensive and could divert management's attention, which could harm our business and results of operations. Further, attempts to enforce our rights against third parties could also provoke these third parties to assert their own intellectual property or other rights against us, or result in a holding that invalidates or narrows the scope of our rights, in whole or in part. The inability to adequately protect and enforce our intellectual property and other proprietary rights could seriously harm our business, results of operations and financial condition. Even if we are able to secure our intellectual property rights, we cannot assure you that such rights will provide us with competitive advantages or distinguish our services from those of our competitors or that our competitors will not independently develop similar technology, duplicate any of our technology, or design around our patents.

We incorporate novel uses of AI technologies, including generative AI, into our products and operations, such as our Falcon platform. AI is complex and rapidly evolving, and we face significant competition from other companies who may incorporate AI into their products more quickly or more successfully than us, as well as an evolving regulatory landscape. The introduction of AI, and particularly generative AI, a relatively new and emerging technology in the early stages of commercial use, into new or existing products, and our operations, may result in new or enhanced governmental or regulatory scrutiny, litigation, confidentiality, ethical concerns, or other complications that could adversely affect our business, reputation, or financial results. For example, generative AI has been known to produce a false or "hallucinatory" interferences or output, and certain generative AI uses machine learning and predictive analytics, which may be flawed, insufficient, of poor quality, reflect unwanted forms of bias, or contain other errors or inadequacies, any of which may not be easily detectable. Our customers or others may rely on or use this flawed content to their detriment, which may expose us to brand or reputational harm, competitive harm, and/or legal liability. In addition, the use of AI by other companies has resulted in, and may in the future result in, data breaches and cybersecurity incidents that implicate the personal information of AI users. Further, the use of AI presents emerging ethical and social issues, and if we enable or offer solutions that draw scrutiny or controversy due to their perceived or actual impact on customers or on society as a whole, we may experience brand or reputational harm, competitive harm, and/or legal liability. The technologies underlying AI and its uses are subject to a variety of laws and regulations, including intellectual property, privacy, data protection cybersecurity, consumer protection, competition, and equal opportunity laws and regulations, and are expected to be subject to new laws and regulations or new applications of existing laws and regulations. AI is the subject of ongoing review by various U.S. governmental and regulatory agencies, and various U.S. states and other foreign jurisdictions are applying, or are considering applying, their cybersecurity and data protection laws to AI or are considering general legal frameworks for AI. For example, in Europe, the EU's AI Act was published in the Official Journal of the EU on July 12, 2024 and entered into force on August 1, 2024. The AI Act establishes, among other things, a risk-based governance framework for regulating AI systems in the EU by categorizing AI systems, based on the risks associated with such AI systems' intended purposes, as creating unacceptable or high risks, with all other AI systems being considered low risk. This regulatory framework is expected to have a material impact on the way AI is regulated in the EU and beyond. As further indication of a trend in increased regulatory and legislative oversight of the use and development of AI, in 2024, California enacted a range of laws regulating the use and development of AI, which generally relate to transparency, privacy and fairness, among other concerns. As a fast-evolving and complicated technology subject to significant government attention, AI-related legislation and regulation may be developed and apply to AI in unexpected ways. We may not be able to anticipate how to respond to or comply with these rapidly evolving frameworks, and we may need to expend resources to adjust our offerings in certain jurisdictions if the legal frameworks are inconsistent across jurisdictions. The cost to comply with such frameworks could be significant and may increase our operating expenses. Additionally, if we do not have sufficient rights to use the data or other material or content on which our AI technologies rely, we may incur liability through the violation of applicable laws or regulations, third-party intellectual property, privacy or other rights, or contracts to which we are a party. Further, any content or other output created by our use of AI-powered tools may not be subject to copyright protection, which may adversely affect our ability to enforce our intellectual property rights. Because AI technology itself is highly complex and rapidly developing, it is not possible to predict all of the legal, operational or technological risks that may arise relating to the use of AI.

We are required to comply with stringent, complex and evolving laws, rules, regulations and standards in many jurisdictions, as well as contractual obligations, relating to data privacy and security. Ensuring compliance with such requirements may increase operating costs, impact our data processing practices and policies and the development of new products or services, and reduce operational efficiency, any of which could adversely affect our business and operations. In the United States, there are numerous federal, state and local data privacy and security laws, rules, and regulations governing the collection, sharing, use, retention, disclosure, security, transfer, storage and other processing of personal information, including federal and state data privacy and security laws, data breach notification laws, and data disposal laws. For example, at the federal level, we are subject to, among other laws and regulations, the rules and regulations promulgated under the authority of the Federal Trade Commission (which has the authority to regulate and enforce against unfair or deceptive acts or practices in or affecting commerce, including acts and practices with respect to data privacy and security), as well as the Electronic Communication Privacy Act, the Computer Fraud and Abuse Act, the Health Insurance Portability and Accountability Act, and the Gramm Leach Bliley Act. The United States Congress also has considered, is currently considering, and may in the future consider, various proposals for comprehensive federal data privacy and security legislation, to which we may become subject if passed. At the state level, we are subject to laws and regulations such as the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA"). The CCPA broadly defines personal information and gives California residents expanded privacy rights and protections, such as affording them the right to access and request deletion of their information and to opt out of certain sharing and sales of personal information. The CCPA provides for severe civil penalties and statutory damages for violations and a private right of action for certain data breaches that result in the loss of unencrypted personal information. This private right of action is expected to increase the likelihood of, and risks associated with, data breach litigation. Numerous other states have also enacted, or are in the process of enacting or considering, comprehensive state-level data privacy and security laws, rules, and regulations that share similarities with the CCPA. Moreover, laws in all 50 U.S. states require businesses to provide notice under certain circumstances to consumers whose personal information has been disclosed as a result of a data breach. Internationally, virtually every jurisdiction in which we operate has established its own data privacy and security legal framework with which we must comply. For example, we are required to comply with the European Union ("EU") General Data Protection Regulation ("GDPR") and its equivalent in the U.K. ("U.K. GDPR"), which impose stringent obligations regarding the collection, control, use, sharing, disclosure and other processing of personal data and create mandatory breach notification requirements under certain circumstances. While the GDPR and U.K. GDPR remain substantially similar for the time being, the U.K. government has announced that it would seek to chart its own path on data protection and reform its relevant laws, including in ways that may differ from the GDPR. While these developments increase uncertainty with regard to data protection regulation in the U.K., even in their current, substantially similar form, the GDPR and U.K. GDPR can expose businesses to divergent parallel regimes that may be subject to potentially different interpretations and enforcement actions for certain violations and related uncertainty. Failure to comply with the GDPR or the U.K. GDPR can result in significant fines and other liability, including, under the GDPR, fines of up to EUR 20 million (or GBP 17.5 million under the U.K. GDPR) or four percent (4%) of annual global revenue, whichever is greater. European data protection authorities have already imposed fines for GDPR violations of up to, in some cases, hundreds of millions of Euros. Legal developments in the European Economic Area ("EEA") have created complexity and uncertainty regarding processing and transfers of personal data from the EEA to the United States and other so-called third countries outside the EEA, including in the context of website cookies. Similar complexities and uncertainties also apply to transfers from the U.K. to third countries. While we have taken steps to mitigate the impact on us, such as implementing the European Commission's standard contractual clauses ("SCCs") and the U.K.'s international Data Transfer Agreement (or the U.K.'s international data transfer addendum that can be used with the SCCs), the efficacy and longevity of these mechanisms remains uncertain. On July 10, 2023, the European Commission adopted an adequacy decision concluding that the U.S. ensures an adequate level of protection for personal data transferred from the EU to the U.S. under the recently adopted EU-U.S. Data Privacy Framework (followed on October 12, 2023 with the adoption of an adequacy decision in the U.K. for the U.K.-U.S. Data Bridge); however, such new adequacy decision has been challenged in EU courts, and is likely to face additional challenges. Moreover, although the U.K. currently has an adequacy decision from the European Commission, such that SCCs are not required for the transfer of personal data from the EEA to the U.K., that decision will sunset in June 2025 unless extended and it may be revoked in the future by the European Commission if the U.K. data protection regime is reformed in ways that deviate substantially from the GDPR. The EU has also proposed legislation that would regulate non-personal data and establish new cybersecurity standards, and other countries, including the U.K., may similarly do so in the future. If we are otherwise unable to transfer data, including personal data, between and among countries and regions in which we operate, it could affect the manner in which we provide our services, the geographical location or segregation of our relevant systems and operations, and could adversely affect our financial results. While we have implemented new controls and procedures designed to comply with the requirements of the GDPR, U.K. GDPR and the data privacy and security laws of other jurisdictions in which we operate, such procedures and controls may not be effective in ensuring compliance or preventing unauthorized transfers of personal data. Moreover, while we strive to publish and prominently display privacy policies that are accurate, comprehensive, and compliant with applicable laws, rules regulations and industry standards, we cannot ensure that our privacy policies and other statements regarding our practices will be sufficient to protect us from claims, proceedings, liability or adverse publicity relating to data privacy and security. Although we endeavor to comply with our privacy policies, we may at times fail to do so or be alleged to have failed to do so. If our public statements about our use, collection, disclosure and other processing of personal information, whether made through our privacy policies, information provided on our website, press statements or otherwise, are alleged to be deceptive, unfair or misrepresentative of our actual practices, we may be subject to potential government or legal investigation or action, including by the Federal Trade Commission or applicable state attorneys general. Our compliance efforts are further complicated by the fact that data privacy and security laws, rules, regulations and standards around the world are rapidly evolving, may be subject to uncertain or inconsistent interpretations and enforcement, and may conflict among various jurisdictions. In many jurisdictions, enforcement actions and consequences for non-compliance with data privacy and security laws, rules, regulations, standards, certifications, contractual requirements or other obligations are rising. Data subjects may also have a private right of action, as well as support from consumer privacy advocates or organizations, to lodge complaints with supervisory authorities, seek judicial remedies and obtain compensation for damages resulting from violations of applicable data privacy and security laws, rules and regulations. In addition, privacy advocates and industry groups have proposed, and may propose in the future, self-regulatory standards that may legally or contractually apply to us or be alleged to apply to us. Any failure or perceived failure by us or any third parties with which we do business to comply with applicable privacy policies, data privacy or security laws, rules, regulations, standards, certifications or contractual obligations, or any compromise of security that results in unauthorized access to, or unauthorized loss, destruction, use, modification, acquisition, disclosure, release, transfer or other processing of personal information, may result in requirements to modify or cease certain operations or practices, the expenditure of substantial costs, time and other resources, proceedings or actions against us, legal liability, governmental investigations, enforcement actions, claims, fines, judgments, awards, penalties, sanctions and costly litigation (including class actions). There also has been increased regulatory scrutiny from the SEC with respect to adequately disclosing risks concerning cybersecurity and data privacy. Such scrutiny from the SEC increases the risk of investigations into the cybersecurity practices, and related disclosures, of companies within its jurisdiction. Any of the foregoing could harm our reputation, distract our management and technical personnel, increase our costs of doing business, adversely affect the demand for our products and services, and ultimately result in the imposition of liability, any of which could have a material adverse effect on our business, financial condition and results of operations.

We are expanding our international operations and staff to support our business in international markets. We generally conduct our international operations through wholly-owned subsidiaries and are or may be required to report our taxable income in various jurisdictions worldwide based upon our business operations in those jurisdictions. Our intercompany relationships are subject to complex transfer pricing regulations administered by taxing authorities in various jurisdictions. The amount of taxes we pay in different jurisdictions may depend on the application of the tax laws of the various jurisdictions, including the United States, to our international business activities, changes in tax rates, new or revised tax laws or interpretations of existing tax laws and policies, and our ability to operate our business in a manner consistent with our corporate structure and intercompany arrangements. The relevant taxing authorities may disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a disagreement were to occur, and our position was not sustained, we could be required to pay additional taxes, interest and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows and lower overall profitability of our operations. We are subject to federal, state, and local income, sales, and other taxes in the United States and income, withholding, transaction, and other taxes in numerous foreign jurisdictions. Significant judgment is required in evaluating our tax positions and our worldwide provision for taxes. During the ordinary course of business, there are many activities and transactions for which the ultimate tax determination may be uncertain. In addition, our tax obligations and effective tax rates could be adversely affected, among other things, by (i) changes in the relevant tax, accounting and other laws, regulations, principles and interpretations, including increases in corporate tax rates and greater taxation of international income and changes relating to income tax nexus, (ii) recognizing tax losses or lower than anticipated earnings in jurisdictions where we have lower statutory rates and higher than anticipated earnings in jurisdictions where we have higher statutory rates, (iii) changes in foreign currency exchange rates, or (iv) changes in the valuation of our deferred tax assets and liabilities. We may be audited in various jurisdictions, and such jurisdictions may assess additional taxes, sales taxes and value added taxes against us. Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have an adverse effect on our results of operations or cash flows in the period or periods for which a determination is made. In addition, the Organization for Economic Cooperation and Development ("OECD") has published proposals covering a number of issues, including country-by-country reporting, permanent establishment rules, transfer pricing rules, tax treaties and taxation of the digital economy. On October 8, 2021, the OECD/G20 inclusive framework on Base Erosion and Profit Shifting (the "Inclusive Framework") published a statement updating and finalizing the key components of a two-pillar plan on global tax reform originally agreed on July 1, 2021, and a timetable for implementation by 2023. The timetable for implementation has since been extended to 2024 and, with respect to certain components of the plan, to 2025. Under Pillar Two, the Inclusive Framework has agreed on a global minimum corporate tax rate of 15% for companies with revenue above €750 million, calculated on a jurisdictional basis. While substantial work remains to be completed by the OECD and national governments on the implementation of these proposals, future tax reform resulting from these developments may result in changes to long-standing tax principles, which could adversely affect our effective tax rate or result in higher cash tax liabilities. On February 1, 2023, the U.S. Financial Accounting Standards Board ("FASB") indicated that they believe the minimum tax imposed under Pillar Two is an alternative minimum tax, and, accordingly, deferred tax assets and liabilities associated with the minimum tax would not be recognized or adjusted for the estimated future effects of the minimum tax but would be recognized in the period incurred. In addition, the OECD's proposed solution envisages new international tax rules and the removal of all Digital Services Taxes ("DST"). Notwithstanding this, some countries, in the European Union and beyond, continue to operate existing DST regimes to capture tax revenue on digital services more immediately. Such laws may increase our tax obligations in those countries or change the manner in which we operate our business. We have analyzed jurisdictional Pillar Two regulations, as well as the OECD Model Rules, and have assessed no material Pillar Two impact on the income tax provision for the nine months ended October 31, 2024.

Our future success is substantially dependent on our ability to attract, retain, and motivate the members of our management team and other key employees throughout our organization. In particular, we are highly dependent on the services of George Kurtz, our President and Chief Executive Officer, who is critical to our future vision and strategic direction. We rely on our leadership team in the areas of operations, security, research and development, marketing, sales, support and general and administrative functions. Although we have entered into employment agreements with our key personnel, our employees, including our executive officers, work for us on an "at-will" basis, which means they may terminate their employment with us at any time. Leadership transitions can be inherently difficult to manage. In particular, they can cause operational and administrative inefficiencies, and could impact relationships with key customers and vendors. If Mr. Kurtz, or one or more of our key employees, or members of our management team resigns or otherwise ceases to provide us with their service, our business could be harmed.

We rely on a limited number of suppliers for several components of the equipment we use to operate our cloud platform and provide services to our customers. We generally purchase these components on a purchase order basis, and do not have long-term contracts guaranteeing supply. Our reliance on these suppliers exposes us to risks, including reduced control over production costs and constraints based on the then current availability, terms and pricing of these components. If we experience disruption or delay from our suppliers, we may not be able to obtain supplies or components from alternative suppliers on a timely basis or on terms that are favorable to us, if at all. The technology industry has experienced widespread component shortages and delivery delays, including as a result of geopolitical tensions, public health crises and natural disasters. While we have taken steps to mitigate our supply chain risk, supply chain disruptions and delays could nevertheless adversely impact our operations by, among other things, causing us to delay opening new data centers, delay increasing capacity or replacing defective equipment at existing data centers, and experience increased operating costs.

On July 19, 2024, we released a content configuration update for our Falcon sensor that resulted in system crashes for certain Windows systems (the "July 19 Incident"). We have incurred, and expect to continue to incur, significant costs and expenses related to the incident, including in connection with remediation efforts, customer and partner relations, measures taken to address the damage to our reputation, and other measures taken in response to the incident. Our management and other personnel are devoting significant time and resources to address the impacts of the July 19 Incident. We may also hire additional personnel to assist with our ongoing efforts. Any real or perceived failure, by us or the third-party service providers we engage, to remediate and respond to the July 19 Incident could adversely impact our business. While we are investing in enhancements to software resiliency, testing and customer controls following the July 19 Incident, we cannot guarantee that such enhancements will be effective, or that our products do not have or will not have defects, errors, or vulnerabilities. The July 19 Incident has harmed, and is expected to continue to harm, our business, sales, customer and partner relations, and our reputation. As a result of the incident, certain of our existing or prospective customers have elected to, and may in the future elect to, defer purchasing decisions relating to our products and services or not purchase our products and services at all. Customers have also decided, and may in the future decide, to terminate or not renew their agreements with us. The July 19 Incident has negatively impacted, and may in the future negatively impact, our existing or prospective partners' ability or willingness to promote our products or services. Certain of our competitors have aggressively approached our current and prospective customers and partners to attempt to capitalize on the incident, and may continue to do so. Furthermore, we have agreed to, and expect to agree to in the future, provide incentives in connection with our commercial arrangements with our customers, including subscription period extensions, discounts or promotional modules. The July 19 Incident has received negative media coverage and harmed our reputation and brand. If we are unable to regain the trust of our current and prospective customers and partners, or if negative media coverage and publicity continues, our reputation and brand may suffer further, exacerbating the effects discussed herein. These factors may result in harm to our business, results of operations and financial condition. We are party to a number of legal proceedings relating to the July 19 Incident, such as lawsuits filed by or on behalf of third parties, including securities litigation brought on behalf of certain purchasers of our Class A common stock, derivative litigation asserting claims against certain officers and directors, and putative class actions brought by individual consumers. We have also received inquiries from governmental authorities and other third parties, and governmental authorities may seek to impose undertakings, injunctive relief, consent decrees or other penalties, which could, among other things, materially increase our expenses or otherwise require us to alter how we operate our business. Third parties, including governmental authorities, may take certain actions in response to the July 19 Incident that may negatively impact our business and operations and may result in additional costs and expenses relating to compliance, product development or other matters. Some customers and other third parties claiming to have been impacted by the incident have asserted claims against us or otherwise communicated their intent to seek indemnification or compensation from us. Additional claims may also be asserted by or on behalf of customers, customers' insurers, partners, stockholders or others seeking monetary damages or other relief. These lawsuits, claims and inquiries are resulting, and are expected to result in the future, in the incurrence of significant costs and expenses, the diversion of management's attention from the operation of our business and other negative impacts on our business and operations. While we maintain insurance policies that may cover certain costs, claims and liabilities in connection with the July 19 Incident, we expect that our insurance coverage will not cover all costs, claims and liabilities actually incurred, and we cannot be certain that our insurance will continue to be available to us on commercially reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material adverse effect on our business, including our financial condition, results of operations and reputation.