CoreCivic (CXW) Risk Analysis

We are subject to complex and evolving U.S. federal and state privacy laws and regulations, which sometimes conflict among the various jurisdictions where we do business. For example, we are subject to HIPAA, which requires us to protect the privacy and security of individually identifiable health information, known as "protected health information" and recognize individual rights related to understanding and controlling how health information is used or disclosed. Various states have passed laws pertaining to the processing of personal data that require companies, including us, to provide new disclosures and options to such persons about data collection, use and sharing practices. Some of these laws are already in effect, while others will go into effect during 2025. HIPAA and state laws require us to report data breaches to affected individuals, government regulators, and in certain cases involving large breaches, the media. Further, the U.S. federal government and a significant number of additional states are considering expanding or passing privacy laws in the near term. We are also subject to increasing legal requirements with respect to the use of artificial intelligence and machine learning applications and tools (including in relation to hiring and employment practices) and biometric information. These legal requirements are rapidly changing and are subject to uncertain application, interpretation and enforcement standards. Our current or future use of artificial intelligence or machine learning tools in our business operations could expose us to new or additional costs and risks, including the potential introduction of new vulnerabilities or cybersecurity risks within our information technology systems and the potential inadvertent or unauthorized release of confidential or protected health information resulting from the use (whether or not authorized) of artificial intelligence or machine learning tools by our employees, contractors, agents, representatives or affiliates. In addition, the artificial intelligence tools we may incorporate into certain aspects of our operations may not generate the intended efficiencies and may impact our business results. The increasingly complex, restrictive and rapidly evolving regulatory environment at the federal and state level related to data privacy and data protection, including with respect to protected health information and the use of artificial intelligence, may require significant continued effort and cost, changes to our business and data processing practices and impact our ability to obtain and use data. These laws provide for civil penalties for violations, and some confer a private right-of-action to certain individuals for data breaches. Federal and state regulatory bodies, including the Federal Trade Commission and the California Privacy Protection Agency are engaging in enforcement investigations and actions with respect to privacy and data protection. There is no assurance that our security controls, training of employees on data privacy and data security, and policies, procedures and practices will prevent the improper use or disclosure of personal data. Our inability to adapt or comply with such legal requirements, or the improper use or disclosure of personal data in violation of data privacy laws could harm our reputation, cause loss of consumer confidence, subject us to government enforcement actions, or result in private litigation against us, which could result in loss of revenue, increased costs, liability for monetary damages, fines and/or criminal prosecution, all of which could have a material adverse impact on our business, financial position, results of operations and cash flows.

The success of our business depends in large part on the ability and experience of our senior management. The unexpected loss of any of these persons could materially adversely affect our business and operations. In addition, the services we provide are labor-intensive. The success of our business, and our ability to satisfy the staffing and operational performance requirements of our contracts, require that we attract, hire, develop and retain sufficient qualified personnel. When we are awarded a facility management contract or open a new facility, we must hire operating management, correctional officers, and other personnel. Our inability to hire sufficient qualified personnel on a timely basis, or experiencing excessive turnover or the loss of significant personnel at existing facilities, could adversely affect our business and operations. These risks may be intensified in the future if the federal government seeks to activate multiple idle facilities to carry out the immigration policies implemented under President Trump's second presidential administration. Many of our contracts include specific staffing requirements, and our failure to satisfy such requirements may result in the imposition of financial penalties or loss of contract. We have experienced labor shortages and wage pressures in many markets across the country, and have provided wage increases to remain competitive. The challenges of recruiting and retaining staff has been and could continue to be exacerbated by the current labor market. Further, we have incurred incremental expenses to help ensure sufficient staffing levels under unique and challenging working conditions. These incremental investments have enabled us to increase overall staffing levels when necessary. We achieved higher staffing levels during 2024 when compared to 2023 and, correspondingly, we were able to reduce our use of temporary incentives by $12.8 million as we continued to see improvement in our attraction and retention of facility staff in this challenging labor market. We believe these investments in our workforce have positioned us to manage the increased number of residents we began to experience when the remaining occupancy restrictions caused by the COVID-19 pandemic, most notably Title 42, were removed. We continued to invest in staffing resources during 2024, which has resulted in additional compensation and incremental expenses, and we expect to continue to invest in staffing resources, which may result in additional compensation and incremental expenses. Incremental expenses include, but may not be limited to, incentive payments to our front-line and field staff, temporary employee housing expenses and other travel related reimbursements, additional paid time off, off-cycle wage increases in certain markets to remain competitive, and registry nursing expenses. As the labor market improves and labor shortages and wage pressures are alleviated, we expect to further reduce our reliance on these temporary incentives. While we have achieved recent successes, the benefits of our investments in staffing may not be sustained, and labor shortages could intensify again in the future, especially if multiple facility activations are required in certain geographical areas creating a higher demand for labor, which could adversely affect our results of operations, financial condition and cash flows.

We compete with government entities and other private operators on the basis of bed availability, cost, quality and range of services offered, experience in designing, constructing, and managing facilities, and reputation of management and personnel. While there are barriers to entering the market for the ownership and management of correctional, detention, and residential reentry facilities, these barriers may not be sufficient to limit additional competition. In addition, our government customers may assume the management of a facility that they own and we currently manage for them upon the termination of the corresponding management contract or, if such customers have capacity at their facilities, may take offenders and residents currently cared for in our facilities and transfer them to government-run facilities. Since we are paid on a per diem basis with no minimum guaranteed occupancy under most of our contracts, the loss of such offenders and residents, and the resulting decrease in occupancy, would cause a decrease in our revenues and profitability.

Components of our business depend significantly on effective information systems and technologies, some of which are provided and/or maintained by third parties. As with any organization that relies on technology to deliver products and services, we face a variety of technology-related risks that could materially impact our operations, financial performance, and reputation. As a matter of course, we may store, transmit, or process the personal information of offenders, employees and other persons as required to provide our services and such personal information or other data may be hosted or exchanged with our government partners and other third-party providers. In response to these risks, we employ industry standard administrative, technical and physical safeguards designed to meet data protection and availability requirements; however, specific examples of risks we face include: - Cybersecurity threats: Our systems and data are subject to the potential for cyberattacks including unauthorized access, data breaches, and malicious software. Any such incidents could result in the loss of sensitive information, significant operational disruptions, legal liability, and reputational harm. - Technology infrastructure failures: Our reliance on complex technology infrastructure creates risks associated with potential failure of hardware, software, or network components. Such failures could lead to loss of customer trust and incur significant recovery costs. - Rapid technological changes: The rapid paces of technological advancements may render our current technologies obsolete or less competitive. We must continually invest in and adopt technology to meet evolving market demands and customer expectations or requirements. Failure to do so may adversely affect our market position. - Third-party vendor risks: We depend on third-party vendors for critical technology services, including cloud storage, data processing, and software development. Any disruption in service, cyberattack or failure on the part of these vendors could impact our ability to operate effectively and meet customer needs. - Regulatory compliance: Our industry sector is subject to a variety of regulations concerning data privacy, cybersecurity, and technology usage. Non-compliance with these regulations, whether existing or new, could lead to legal penalties, reputational damage, and operational restrictions. - Intellectual property loss: Our ability to protect our technological innovation and proprietary information is critical. Infringement on our intellectual property rights or failure to adequately protect our technologies may lead to competitive disadvantages and financial losses. - User adoption and experience: The success of our technology solutions relies on user adoption and satisfaction. If our technologies fail to meet user expectations or if we encounter significant resistance to new technologies, our growth and revenue may be adversely affected. - Force majeure: Unforeseeable circumstances or circumstances beyond our controls such as geopolitical conflicts, natural disasters, etc. may cause significant operational disruptions, which could result in material recovery costs or loss of customer confidence. The current cybersecurity threat environment presents increased risk for all companies, including companies in our industry. We, our employees, government partners, and third parties are regularly the target of cyberattacks and other attempts to breach, or gain unauthorized access to, our information systems and databases. Moreover, given the current cybersecurity threat environment, we expect the volume and intensity of cyberattacks and attempted intrusions to continue to increase in the future. Cybersecurity threats and techniques used in cyberattacks may be pervasive, sophisticated and difficult to prevent, including, computer viruses, malicious or destructive code (such as ransomware), social engineering (including phishing, vishing and smishing), denial of service or information or security breach tactics that could result in disruptions to our business and operations, unauthorized disclosure, release, gathering, monitoring, misuse, loss or destruction or theft of confidential, proprietary or other information, including intellectual property of ours, our employees or of third parties. Cyberattacks are carried out on a worldwide scale and by a growing number of cyber actors, including organized crime groups, hackers, terrorist organizations, extremist parties, hostile foreign governments, state-sponsored actors, activists, disgruntled employees and other third parties. For example, several well-known companies have recently disclosed high-profile security breaches involving sophisticated and highly targeted attacks on their company's infrastructure or their customers' data, which were not recognized or detected until after such companies had been affected notwithstanding the preventive measures they had in place. In addition, since Russia's invasion of Ukraine and the conflict in Israel and the surrounding areas, many companies have experienced heightened cybersecurity risks. Cybersecurity threats and the techniques used in cyberattacks change, develop and evolve rapidly, including from emerging technologies, such as advanced forms of artificial intelligence, machine learning and quantum computing by making fraud detection more difficult, particularly with detection devices that use voice recognition or authentication. Further, the information systems of third parties upon which we rely in connection with our business, such as vendors, suppliers, government partners, and other third-party service providers, could be comprised in a manner that adversely affects us and our information systems. Additionally, the failure of our employees to exercise sound judgment and vigilance when targeted by social engineering or other cyberattacks may increase our vulnerability. There is no assurance that the security measures we take to reduce the risk of such incidents and protect our systems will be sufficient. Any cyberattack, data breach, security breach, or other security incident resulting in the interruption, delay, compromise or failure of our services or information systems, or the misappropriation, loss, or other unauthorized disclosure of personal data or confidential information, including confidential information about our employees or those entrusted to our care, or other proprietary information, including intellectual property, whether by us directly, our vendors, our employees, our government partners, those entrusted to our care, or our third-party service providers, could damage our reputation, expose us to the risks of litigation and liability, result in significant monetary penalties and/or regulatory actions for violation of applicable laws or regulations, disrupt our business and result in significant costs for investigation and notification regarding the incident and remedial measures to prevent future occurrences and mitigate past violations, result in lost business, or otherwise adversely affect our results of operations. Moreover, any significant cybersecurity incident could require us to devote significant management time and resources to address such incident, interfere with our pursuit of other important business strategies and initiatives, and cause us to incur additional expenditures, which could be material. There is no assurance that any remedial actions will meaningfully limit the success of future attempts to breach our information systems, particularly because malicious actors are increasingly sophisticated and utilize tools and techniques specifically designed to circumvent security measures, avoid detection and obfuscate forensic evidence, which means that we may be unable to identify, investigate or remediate effectively or in a timely manner. Although we maintain cybersecurity insurance covering certain security and privacy damages and claim expenses, we may not carry insurance or maintain coverage sufficient to compensate for all liability and in any event, insurance coverage would not address the reputational damage that could result from a security incident.