8X8 (EGHT) Risk Analysis

If we are found to be infringing the intellectual property rights of any third-party in lawsuits or proceedings that may be asserted against us, we could be subject to monetary liabilities for such infringement, which could be material. We could also be required to refrain from using, manufacturing, or selling certain products or using certain processes, either of which could have a material adverse effect on our business and operating results. Our broad range of current and former technology, including IP telephony systems, digital and analog circuits, software, and semiconductors, increases the likelihood that third parties may claim infringement by us of their intellectual property rights. We have received and may continue to receive in the future, notices of claims of infringement, misappropriation, or misuse of other parties' proprietary rights. There can be no assurance that we will prevail in these discussions and actions or that other actions alleging infringement by us of third-party patents will not be asserted or prosecuted against us. Furthermore, lawsuits like these may require significant time and expense to defend, may divert management's attention away from other aspects of our operations and, upon resolution, may have a material adverse effect on our business, results of operations, financial condition, and cash flows.

Our business operations, from our internal and service operations to research and development activities, sales and marketing efforts and customer and partner communications, depend on our ability to protect our network from interruption by damage from hackers, social engineering and phishing, ransomware, and malicious code or software, including vulnerabilities in our network infrastructure such as firewalls, switches and routers, or similar disruptive problems or other events beyond our control. Individuals or entities have attempted, and will attempt, to penetrate our network security, and that of our platform, and try to cause harm to our business operations, including by misappropriating our proprietary information or that of our customers, employees and business partners or causing interruptions of our products and platform. In particular, cyberattacks and other malicious internet-based activity continue to increase in frequency and in magnitude both generally and specifically against us and other cloud-service providers. Ransomware attacks, including those perpetrated by organized criminal threat actors, nation-states, and nation-state-supported actors, are becoming increasingly prevalent and severe and can lead to significant interruptions in our operations, loss of data and income, reputational harm, and diversion of funds. Geopolitical tensions and events, such as the war between Russia and Ukraine, may create heightened risks to us and our vendors, business partners, and consultants of cyber-attacks from nation-state actors or their affiliated entities, including attacks that could materially disrupt our systems and operations, supply chain, and ability to provide our services. For example, a recent Oracle Cloud Infrastructure (OCI) security breach highlighted the risks posed by third-party providers. In this particular incident, there was no impact on 8x8's operations or services. However, it served as an important reminder of the need for continuous assessment and monitoring across the entire 8x8 ecosystem to maintain a robust security posture. We continue to implement new technological measures to prevent, detect, and contain such intrusions as well as build and strengthen ongoing employee awareness, education and training, but we cannot guarantee we will be able to prevent, detect or contain all future cyber intrusions, nor can we guarantee that our backup systems, regular data backups, security protocols, denial or disruption of service (DDoS) mitigation, and other procedures that are currently in place, or may be in place in the future, will be adequate to prevent significant damage, system failure, or data loss. While we have not been subject to cybersecurity incidents that have materially affected our results of operations or financial condition to date, actual or perceived security gaps or security compromises experienced in our industry or by our competitors, our customers, a third party with whom we work, or us could cause us to experience adverse consequences, which could be material in the future, such as government enforcement actions (for example, investigations, fines, penalties, audits, and inspections); additional reporting requirements and/or oversight; restrictions on processing sensitive data (including personal information); litigation (including class claims); indemnification obligations; negative publicity; reputational harm; monetary fund diversions; diversion of management attention; interruptions in our operations (including availability of data); financial loss; and other similar harms. Inherent in our provision of services are the storage, processing, and transmission of our customers' data, which may include confidential and sensitive information and that confidential or sensitive information may be stored or transmitted by means not designed for confidential or sensitive information, such as the processing or storing of protected health information or payment card information in free-form text fields provided for other purposes. This exposes us to significant cybersecurity risks, including data breaches and unauthorized data access, which could compromise customer trust and subject us to financial and legal penalties. Customers may use our services to store, process, and transmit a wide variety of confidential and sensitive information, such as credit card, bank account, and other financial information, proprietary information, trade secrets, or other data that may be protected by sector-specific laws and regulations, like intellectual property laws, laws addressing the protection of personally identifiable information (or personal data in the EU), as well as the Federal Communications Commission's, or the FCC's, customer proprietary network information, or CPNI, rules. We also face the risk of changes in cybersecurity laws and regulations which could impose additional compliance costs or challenges. Additionally, we closely monitor legislative developments to swiftly adapt our practices, ensuring ongoing compliance and protection against emerging threats. We may be the target of direct or indirect cyber threats and security breaches, given the nature of the information that we store, process, and transmit and the fact that we provide communications services to a broad range of businesses. To the extent that state-sponsored incidents of cybersecurity breaches increase due to geopolitical tensions, this risk may continue to increase. In addition, we use third-party vendors, which in some cases have access to our data and our customers' data. Despite the implementation of security measures by us or our vendors, our computing devices, infrastructure, or networks, or our vendors' computing devices, infrastructure, or networks may be vulnerable to hackers, social engineering and phishing, ransomware, and malicious code or software, or similar disruptive problems due to a security vulnerability in our or our vendors' infrastructure or network, or our vendors, customers, employees, business partners, consultants, or other internet users who attempt to invade our or our vendors' public and private computers, tablets, mobile devices, software, data networks, or voice networks. We also continue to incorporate AI solutions and features into our platform, which may result in security incidents or otherwise increase cybersecurity risks. Further, AI technologies may be used in connection with certain cybersecurity attacks, resulting in heightened risks of security breaches and incidents. If there is a security vulnerability in our or our vendors' infrastructure or networks that is successfully targeted, we could face increased costs, liability claims, government investigations, fines, penalties or forfeitures, class action litigation, reduced revenue, or harm to our reputation or competitive position. We also rely on various third-party service providers to operate our platform and deliver our products, including network service providers, internet service providers, telecommunications carriers, providers of cloud infrastructure and cloud communications, and third-party technology and intellectual property. Our service providers (or their sub-service providers) have in the past experienced, and may in the future experience, security breaches and incidents, including unauthorized access or inadvertent disclosures, that have exposed and may expose or make available to threat actors our data or that of our customers. Even when our systems are not compromised, if our service providers experience breaches or incidents that impact our data or our customers' data, then our reputation, customer trust, business, results of operations and financial condition could be adversely affected. Laws, regulations, and enforcement actions relating to security and privacy of information continue to evolve. For example, in 2023, the SEC adopted cybersecurity risk management and disclosure rules, which require the disclosure of information pertaining to cybersecurity incidents and cybersecurity risk management, strategy, and governance. Additionally, we are closely monitoring the development of rules and guidance that may apply to us, including, for example, pursuant to the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The FCC formed the Privacy and Data Protection Task Force that focuses on approaches to data breaches and data security vulnerabilities, which may result in future privacy rulemaking and enforcement initiatives. We have incurred and expect to continue to incur significant expenses to prevent security incidents. Determining whether a cybersecurity incident is notifiable or reportable may not be straightforward and may be costly and could lead to negative publicity, loss of customer or partner confidence in the effectiveness of our security measures, diversion of management's attention, governmental investigations, and the expenditure of significant capital and other resources to respond to or alleviate problems caused by the actual or perceived security breach. It is possible that, in order to support changes to applicable laws and to support our expansion of sales into new geographic areas or into new industry segments, we will need to change or enhance our cybersecurity systems, which may make it more expensive to operate in certain jurisdictions and may also increase the risk of our non-compliance with such changing laws and regulations.

The functionality and popularity of our cloud software solutions depends, in part, on our ability to integrate our services with third-party applications and platforms, including enterprise resource planning, customer relations management, human capital management, workforce management, and other proprietary application suites. Third-party providers of applications and application program interfaces may change the features of their applications and platforms, restrict our access to their applications and platforms or alter the terms governing use of their applications and application program interfaces and access to those applications and platforms in an adverse manner. Such changes could functionally limit or terminate our customers' ability to use these third-party applications and platforms in conjunction with our services, which could negatively impact our offerings and harm our business. If we fail to integrate our software with new third-party back-end enterprise applications and platforms used by our customers, we may not be able to offer the functionality that our customers need, which would negatively impact our ability to generate revenue and adversely impact our business. Our services also allow our customers to use and manage our cloud software solutions on smartphones, tablets, and other mobile devices. As new smart devices and operating systems are released, we may encounter difficulties supporting these devices and services, and we may need to devote significant resources to the creation, support, and maintenance of our mobile applications. In addition, if we experience difficulties in the future integrating our mobile applications into smartphones, tablets, or other mobile devices or with certain communication platforms, such as Microsoft Teams, or if problems arise with our relationships with providers of mobile operating systems, such as those of Apple Inc. or Alphabet Inc., our future growth and our results of operations could suffer.

Our future business success, particularly to attract and support larger customers and expand into international markets, depends on our indirect sales channels. These channels consist of master agents and subagents, independent software vendors, system integrators, value-added resellers, and internet service providers, among others. We typically contract directly with the end customer and use these channel partners to identify, qualify and manage prospects throughout the sales cycle, although we also have arrangements with partners who purchase our services for resale to their own customers. As our business with master- and sub-agent partners has increased, we have seen our commission payments to these partners become an increasing portion of our sales and marketing expenses. Our future success depends upon our ability to develop and maintain successful relationships with these business partners, many of whom also market and sell services of our competitors, and our ability to increase the portion of sales opportunities they refer to us. To do so, we must continue to offer services that have quality, price, features, and other elements that compare favorably to those of competing services, ensure our partners are adequately trained and knowledgeable about our services, and provide sufficient incentives for these partners to sell our services in preference to those of our competitors while maintaining a cost-effective agency structure. If we are unable to persuade our existing business partners to increase their sales of our services or to build successful partnerships with new organizations, or if our channel partners are unsuccessful in their marketing and sales efforts, we may not be able to grow our business and increase our revenue at the rate we predict, or at all, and our business may be materially adversely affected.

Our increased emphasis on profitability and cash flow generation may not be successful. We intend to reduce our total costs as a percentage of revenue, primarily impacting our sales and marketing expenses. There can be no assurances that our cost reduction initiatives will result in the cost savings that we anticipate as a percentage of our revenue and will not have unintended or unforeseen consequences, including a further reduction in revenue. We have experienced a reduction in revenue recently, which may have resulted from our cost reduction initiatives.

The applicability of state and local taxes, fees, surcharges or similar taxes to our services is complex, ambiguous, and subject to interpretation and change. In the United States, for example, we collect state and local taxes, fees, and surcharges based on our understanding of the applicable laws in the relevant jurisdiction. The taxing authorities may challenge our interpretation of the laws and may assess additional taxes, penalties, and interests, which could have adverse effects on the results of operations and, to the extent we pass these through to our customers, demand for our services. Additionally, the applicability of sales and use, value added, or similar taxes may differ between services such as unified communication, voice, video, contact center, and platform communications so that the obligations to collect taxes from customers may vary between services and between companies such that we may be obligated to collect taxes at a higher rate that other services from our competitors, thereby impacting customer demand for our services. We currently file more than 1,500 state and local tax returns monthly. Periodically, we have received inquiries from state and municipal taxing agencies with respect to the remittance of state or local taxes, fees, or surcharges. Currently, several jurisdictions are conducting audits of 8x8; in the event our positions are unsuccessful, we may be subject to tax payments, interest, and penalties in excess of those that we have accrued for. As of March 31, 2025, we have paid or accrued for state or local taxes, fees, and surcharges that we believe are required to be remitted.

We rely on third-party network service providers to originate and terminate substantially all of the public switched telephone network calls using our cloud-based services. We leverage the infrastructure of third-party network service providers to provide telephone numbers, public switched telephone network call termination and origination services, and local number portability for our customers, rather than deploying our own network throughout the United States and internationally. We use the infrastructure of third-party network service providers, such as Equinix, Inc., and public cloud providers, including Amazon Web Services, Inc. and Oracle Corporation, to provide our cloud services over their networks rather than deploying our own network connectivity. These decisions have resulted in lower capital and operating costs for our business in the short-term but have reduced our operating flexibility and ability to make timely service changes. If any of these network service providers cease operations or otherwise terminate the services that we depend on or become unwilling to supply cost-effective services to us in the future, the delay in switching our technology to another network service provider, if available, and qualifying this new service provider could have a material adverse effect on our business, financial condition, or operating results. In addition, the rates we pay to our network service providers and other intermediaries may also change more rapidly than the change in pricing we charge our customers, which may reduce our profitability and increase the retail price of our service. Furthermore, increased cybersecurity threats to infrastructure or heightened geopolitical tensions in regions where these third parties operate could exacerbate these risks, potentially leading to further operational disruptions and financial losses. To the extent that we internally handle the origination and termination of public switched telephone network calls, which represent an increasing portion of the calls using our cloud-based services, we are subject to significant operational, technical, and regulatory risks. We are required to maintain infrastructure, systems, and capabilities for interconnection, routing, call quality management, compliance with telecommunications regulations, lawful intercept capabilities, and support for local number portability. Building and operating these systems requires specialized expertise, and any failure to effectively manage this infrastructure could result in service disruptions, degraded call quality, regulatory non-compliance, or increased costs. If our internally managed services do not perform as reliably or cost-effectively as anticipated, or if we encounter unforeseen complexities in operating telecommunications infrastructure at scale, we may experience increased customer churn, damage to our brand, and adverse financial impacts. Our ability to manage these telecommunications services successfully depends on the timely and efficient execution by our technical, operational and legal teams, as well as continued investments in infrastructure, personnel, and compliance capabilities. If we are unable to do so, our business, results of operations, and financial condition could be materially adversely affected.