Genpact (G) Risk Analysis

Our industry is increasingly competitive, highly fragmented and subject to rapid change. We compete for business with a variety of companies, including large multinational firms that provide consulting, technology and/or managed services, offshore business process service providers in low-cost locations like India, in-house global capability centers of existing or potential clients, software services companies that also provide managed services or advanced technology solutions, smaller, niche companies that compete with us in a specific geographic market, industry or service area, emerging advanced technology and AI-native companies, and accounting firms that also provide consulting or other business process services. Some of our competitors have greater financial, marketing, technological or other resources and larger client bases than we do, and may expand their service offerings more quickly or at a lower cost and compete more effectively for clients and employees than we do. Some of our competitors have more established reputations and client relationships in our markets than we do. In addition, some of our competitors who do not have global delivery capabilities may expand their delivery centers to the countries in which we are located, which could result in increased competition for employees and could reduce our competitive advantage. Consolidation activity may also result in new competitors with greater scale, a broader footprint or vertical integration that makes them more attractive to clients as a single provider of integrated products and services. In addition, concurrent use by many clients of multiple professional service providers requires us to be continuously competitive on the quality, scope and pricing of our offerings or face a reduction or elimination of our business. Competitors have also in the past and will likely in the future be willing to take on more risk or offer more favorable pricing to enter the market or increase market share, or competitors may offer alternative commercial models that are more favorable to clients than ours. If we are not able to supply clients with services or solutions that they deem superior and successfully apply our business models with market-level pricing, we may lose business to competitors and face downward pressure on gross margins and profitability. Any inability to compete effectively would materially adversely affect our business, results of operations and financial condition. Our competitiveness also depends on our ability to continue to develop and implement services and solutions that anticipate and respond to rapid and continuing changes in technology to serve the evolving needs of our clients. See the Risk Factor titled "Our business depends on generating and maintaining ongoing, profitable client demand for our services and solutions, and a significant reduction in such demand or an inability to respond to or compete in the rapidly evolving technological environment could materially affect our results of operations" for additional information. New services or technologies offered by our competitors, partners or new market participants, including AI-native technology start-ups and other companies that can scale rapidly to focus on or disrupt certain markets and provide new or alternative services, solutions or delivery models, may make our offerings less differentiated or less competitive by comparison, which may adversely affect our results of operations. Certain technology companies, including some of our partners, are increasingly able to offer services related to their AI, software, platform, cloud migration and other solutions, or are developing AI, software, platform, cloud migration and other solutions that require integration services to a lesser extent or replace them in their entirety. These more integrated services and solutions may represent more attractive alternatives to clients than some of our services and solutions, which may materially adversely affect our competitive position and our results of operations. Our relationships with our third-party alliance partners, who supply us with necessary components to the services and solutions we offer our clients, are also critical to our ability to provide many of our services and solutions that address client demands. Some of our third-party alliance partners are also clients or suppliers for our internal operations. There can be no assurance that we will be able to maintain such relationships or that such components will be available on the expected timelines or for anticipated prices. Among other things, such alliance partners may in the future decide to compete with us, form exclusive or more favorable arrangements with our competitors or otherwise reduce our access to their products, thereby impairing our ability to provide the services and solutions demanded by clients. Any performance failure on the part of our alliance partners, or the discontinuance by such alliance partners of services that we have relied on them to perform for our clients, could delay our performance or require us to engage alternative third parties to perform the services at our cost or to perform them ourselves, any of which could deprive us of potential revenue or adversely impact our profitability. Increased competition may result in lower prices and volumes, higher costs, and lower profitability. Any inability to compete effectively, including as a result of any of the factors described above, would adversely affect our business, results of operations and financial condition.

Global macroeconomic conditions affect our business, our clients' businesses and the markets we serve. Volatile, negative or uncertain economic conditions in our significant markets have in the past and could in the future undermine business confidence and cause our clients to reduce, delay or cancel their spending on projects with us, which has negatively affected our business and may continue to do so in the future, including by making it more difficult for us to accurately forecast client demand and effectively build revenue and resource plans. Clients may reduce demand for services suddenly or with limited warning, which may cause us to incur extra costs where we have employed more personnel than client demand supports. Differing economic conditions and patterns of economic growth and contraction in the geographical regions in which we operate and the industries we serve have affected and may in the future affect demand for our services. Changing demand patterns from economic volatility and uncertainty could also have a significant negative impact on our results of operations. Our business is particularly susceptible to economic and political conditions in the markets where our clients or operations are concentrated. A material portion of our revenues is derived from our clients in North America - in particular the United States - and Europe, and weak or changing demand, or any other adverse economic, political or legal uncertainties or developments, in these markets could have a material adverse effect on our results of operations. The priorities of the current presidential administration, coupled with a consolidation of party control of both chambers of the U.S. Congress, have led to extensive new legislative, executive and regulatory initiatives in the United States and the roll-back of many initiatives of the previous presidential administration. These changes, especially in the areas of trade, tariff policy, taxation, immigration, technology regulation, and international relations, have magnified market uncertainty and volatility, and this volatility may intensify due to the speed, breadth, and evolving nature of the policy changes. These policy shifts impact our business and our clients' businesses in ways that are difficult to predict, may require operational adjustments, and could materially affect demand patterns, cost structures, and competitive dynamics in our or our clients' industries in unpredictable ways. In addition, broader global geopolitical tensions, including actual or anticipated military or political conflicts (such as the ongoing conflict between Russia and Ukraine, tensions across the Taiwan Strait, the Israel-Hamas conflict and broader instability in the Middle East), and actions that governments take in response, continue to create uncertainty and risks to our and our clients' businesses and have led to shifting global structures, relationships and trade flows. In response to the ongoing conflict between Russia and Ukraine, the United States and other countries in which we operate have imposed broad sanctions and may impose additional sanctions or other restrictive actions against governmental and other entities in Russia. We do not have employees or operations in Russia or Ukraine, but we have operations in surrounding countries, and we have clients that do business in Russia and Ukraine. Such clients may be adversely affected by the ongoing conflict and related sanctions and other governmental actions, which in turn could have an adverse impact on our revenues from such clients. Additionally, given the global nature of our operations and our exposure to clients in Europe and other regions, the broader macroeconomic impact of sanctions imposed on Russia and other macroeconomic impacts of the protracted conflict, including volatility in energy costs in Europe and related economic instability, could have an adverse impact on our business, profitability, results of operations and financial condition. We also have limited employees and operations in Israel, and while we have not experienced any material impacts to our operations in Israel to date, there can be no assurance that our operations there will not be materially adversely affected in the future. The impact of geopolitical conflicts, including those identified above, any further escalation or expansion and the broader geopolitical, economic, and other effects of such conflicts could also heighten the other risks identified in this Annual Report on Form 10-K. Beyond the specific conflicts identified, the growth of nationalism, protectionism, and populist movements has created an environment of increasing uncertainty that could lead to further deglobalization or a slowdown in cross-border commerce. These developments create unpredictability in client spending patterns, particularly among clients in certain sectors, and may reduce demand for cross-border and multinational projects or may reduce client spending on discretionary services or the types of services we provide generally. Additionally, inflationary pressures in the past few years have adversely affected our profitability and could continue to do so. Any protracted increase in inflation, especially if combined with weakening consumer confidence, would likely adversely impact our clients and could constrain their spending on discretionary projects, potentially affecting demand for our services. Broad-based and sustained inflation would also continue to increase the costs of operating our delivery centers. We have not been able to, and may in the future be unable to, fully offset these cost increases by raising prices for our services, particularly because our client agreements generally fix our pricing for periods of time. This has at times resulted in and could continue to result in downward pressure on our gross margins and operating income. Further, our clients may choose to reduce their business with us or cancel, defer or delay projects if we increase our pricing. If we are unable to successfully adjust pricing, reduce costs or implement other countermeasures, our profitability could be materially adversely affected.

Most of our revenues are denominated in U.S. dollars, with the remaining amounts largely in euros, UK pounds sterling, the Australian dollar, the Indian rupee and the Japanese yen. Most of our expenses are incurred and paid in Indian rupees, with the remaining amounts largely in U.S. dollars, Romanian lei, UK pounds sterling, Chinese renminbi, Philippine pesos, Polish zloty, euros, Mexican pesos, Costa Rican colón, Japanese yen, Canadian dollars, Malaysian ringgit, Guatemalan quetzals, Australian dollars, South African rand and Hungarian forint. As we expand our operations to new countries, we will incur expenses in other currencies. We report our financial results in U.S. dollars. The exchange rates between the Indian rupee, the euro and other currencies in which we incur costs or receive revenues, on the one hand, and the U.S. dollar, on the other hand, have changed substantially in recent years and may fluctuate substantially in the future. See Item 7A-"Quantitative and Qualitative Disclosures about Market Risk." Our results of operations have been adversely affected and could be further adversely affected by certain movements in exchange rates, particularly if the Indian rupee or other currencies in which we incur expenses appreciate against the U.S. dollar or if, as has occurred over the past year, the currencies in which we receive revenues, such as the euro, depreciate against the U.S. dollar. Although we take steps to hedge a substantial portion of our foreign currency exposures, there is no assurance that our hedging strategy will be successful or that the hedging markets will have sufficient liquidity or depth for us to implement our strategy in a cost-effective manner. In addition, in some countries, such as China, Costa Rica, India, Malaysia, the Philippines and Romania, we are subject to legal restrictions on hedging activities, as well as convertibility of currencies, which limits our ability to use cash generated in one country in another country and could limit our ability to hedge our exposures. Finally, our hedging policies only provide near term protection from exchange rate fluctuations. If the Indian rupee or other currencies in which we incur expenses appreciate against the U.S. dollar, we may have to consider additional means of maintaining profitability, including by increasing pricing, which may or may not be achievable. See also Item 7-"Management's Discussion and Analysis of Financial Condition and Results of Operations-Overview-Net Revenues-Foreign exchange gains (losses), net."

We depend in large part on our relationships with clients and our reputation for high-quality solutions and services to generate revenue and secure future engagements. Most of our client contracts contain service level and performance requirements, including requirements relating to the quality of our solutions and services. Failure to consistently meet client requirements, whether due to: (a) natural or other disasters, telecommunications failures, power or water shortages, extreme weather conditions (whether as a result of climate change or otherwise), medical epidemics, pandemics or other contagious diseases, or other natural or manmade disasters or catastrophic events; (b) breach of or incursion into our computer systems (for example, through a ransomware attack); (c) other systems failure, including due to aged IT systems or infrastructure; or (d) errors made by our employees or intentional misuse of client information or systems by our employees in the course of delivering services to our clients have in the past and could in the future disrupt a client's business and result in a reduction in our revenues, clients terminating their business relationships with us and/or a claim for damages against us. Additionally, we could incur liability if a process we manage for a client were to result in internal control failures or impair our client's ability to comply with its own internal control requirements. We are also subject to actual and potential claims, lawsuits, investigations and proceedings outside of errors and omissions claims. For example, we engage in trust and safety services on behalf of clients, including content moderation, which could have a negative impact on our employees performing such services due to the nature of the materials they review. These types of services have been the subject of negative media coverage as well as litigation, and we may face adverse judgments or settlements or damage to our brand or reputation as a result of our provision of these services. Under our MSAs with our clients, our liability for breach of our obligations is generally limited to actual damages suffered by the client and is typically capped at an agreed amount. These limitations and caps on liability may be unenforceable or otherwise may not protect us from liability for damages. In addition, certain liabilities, such as claims of third parties for which we may be required to indemnify our clients or liability for breaches of confidentiality, are generally not limited under those agreements. Our MSAs are governed by laws of multiple jurisdictions, therefore the interpretation of such provisions, and the availability of defenses to us, may vary, which may contribute to the uncertainty as to the scope of our potential liability. Although we have commercial general liability insurance coverage, the coverage may not continue to be available on acceptable terms or in sufficient amounts to cover one or more large claims and our insurers may disclaim coverage as to any future claims. The successful assertion of one or more large claims against us that exceed available insurance coverage, or changes in our insurance policies (including premium increases or the imposition of large deductible or co-insurance requirements), could have a material adverse effect on our reputation, business, results of operations and financial condition. It is also possible that future results of operations or cash flows for any particular quarterly or annual period could be materially adversely affected by an unfavorable resolution of these matters. In addition, these matters divert management and personnel resources away from operating our business. Even if we do not experience significant monetary costs, there may be adverse publicity or social media attention associated with these matters that could result in reputational harm, either to us directly or to the industries or geographies we operate in, that may materially adversely affect our business, client or employee relationships. Further, defending against these claims can involve potentially significant costs, including legal defense costs.

AI and other advanced technologies are having, and are expected to continue to have, a significant impact on client preferences and market dynamics in our industry, and our ability to effectively compete in this space will be critical to our financial performance. We are increasingly applying AI and other advanced technologies, including generative AI and autonomous agentic AI, to our services and solutions, to how we deliver services to our clients and to our own internal operations. We are also creating new offerings to implement AI and other advanced technology solutions for our clients. We have made significant investments in our AI and other advanced technology capabilities and will continue to incur significant development and operational costs to support these efforts. There is no assurance that we will realize the anticipated benefits from these investments. The market for AI and other advanced technology and services is highly competitive and rapidly evolving. We face significant competition from our traditional competitors as well as other third parties, including those that are new to the market or our industry, as well as our own clients, who may develop their own AI-related capabilities. We may be unable to deliver anticipated efficiencies from our AI-enabled solutions and services, and we may be unable to bring AI-enabled products and solutions to market as effectively, or with the same speed or in the same volumes, as our competitors, which may harm our client relationships and competitive position. In addition, as these technologies evolve, we expect that some services that we currently perform for our clients will be replaced, in whole or in part, by AI, including generative AI and agentic solutions, or other forms of automation, and clients may not accept new pricing or commercial models reflecting the value of AI-enabled solutions. Each of the foregoing may lead to reduced demand for our services, adversely affect our employee utilization rate or harm our ability to obtain favorable pricing or other terms for our services, any of which could have a material adverse effect on our business, results of operations and financial condition. Leveraging AI and other advanced technology capabilities for our internal functions and operations also presents additional risks, costs, and challenges, including those discussed in these risk factors. The development, adoption, and use of AI and other advanced technologies continue to rapidly evolve. AI algorithms may be flawed, and datasets may be insufficient or contain biased information, which could result in outputs that are unexpected, of low quality or that implicate intellectual property, privacy, export control or safety risks. Ineffective or inadequate AI development, monitoring or deployment practices by us, our clients, or third parties with whom we do business could result in unintended consequences, such as disclosure of sensitive information, infringement of third-party intellectual property rights, violation of laws related to recruitment and hiring, or other incidents that impair the acceptance of AI solutions or cause harm to individuals or society. These deficiencies and other failures of AI systems could subject us to competitive harm, regulatory action, legal liability including litigation, and brand or reputational harm. Some AI capabilities present ethical issues, and we may be unsuccessful in identifying or resolving issues before they arise. If we enable or offer AI products or solutions or implement AI capabilities in our internal operations that are controversial because of their impact on human rights, privacy, employment, or other social, economic, or political issues, we may experience brand or reputational harm, financial or legal liability or increased employee attrition. Additionally, the use of AI and other advanced technology by us or our partners may create new or exacerbate existing cybersecurity vulnerabilities, including vulnerabilities not currently known or novel risk vectors that may not be immediately identifiable. The uncertainty around the safety and security of new and emerging AI applications requires continued significant investment in monitoring, validation and implementation of governance processes and controls across the AI lifecycle, including relating to security, accuracy, bias, and other variables to ensure alignment with industry standards and meet client expectations. These efforts can be complex, resource-intensive, could adversely impact our profitability, may not sufficiently address risks and may cause decreased demand for our services or harm to our business, results of operations, financial condition, or reputation. While we have in place policies and mechanisms designed to ensure that we use AI responsibly, these efforts may be insufficient to identify and mitigate AI-related risks. AI technology and services require access to high-quality datasets, foundation models, and other AI system components. We currently rely, in part, on third parties to provide these components. In the future, we may face difficulties acquiring the necessary rights from third parties due to market competition and other factors. Failures or discontinuation by cloud/software partners or loss of rights to third-party data needed for our services, including AI solutions, could delay delivery, require costly re-engineering, or limit competitiveness. These challenges could hinder our ability to develop, implement or maintain AI technologies, or may increase the costs of doing so. To overcome this, we may need to invest in alternative strategies, such as forming alliances or developing our own resources. In addition, the legal and regulatory landscape surrounding AI technologies is rapidly evolving, uncertain and varies significantly by jurisdiction, including in the areas of intellectual property, cybersecurity, employment, privacy and data protection. Authorities where we operate are applying, or considering applying, laws and regulations related to intellectual property, cybersecurity, export controls, privacy, data security, data protection and employment to AI and automated decision-making, or general legal frameworks on AI, such as the EU AI Act, which entered into force in 2024 and parts of which became applicable in 2025. Compliance with new or changing laws, regulations, industry standards or ethical requirements and expectations relating to AI, the eventual scope and extent of which are currently unknown and which may vary or conflict across jurisdictions or between different courts or regulators, may impose significant operational costs requiring us to change our service offerings or business practices, or may limit or prevent our ability to develop, deploy, or use AI technologies in our own operations or our client offerings. Failure to keep pace with this evolving landscape may result in legal liability, increased regulatory scrutiny and oversight, regulatory action, or brand and reputational harm. In addition, the SEC is increasingly focused on AI-related disclosures, in particular how companies disclose their AI usage, business strategy, and risk, and has targeted companies that exaggerated their AI capabilities. If we fail to accurately represent our AI capabilities or if we overstate the benefits of our AI offerings, we could face SEC enforcement actions, securities litigation, reputational harm, or loss of investor confidence.

Our success depends in part on certain methodologies, practices, tools and technical expertise we utilize in designing, developing, implementing and maintaining applications and other proprietary intellectual property rights. Our success also depends on our ability to develop and protect intellectual property rights in our AI-enabled solutions, including proprietary AI models, algorithms, and methodologies. In order to protect our rights in these various intellectual properties, we rely upon a combination of nondisclosure and other contractual arrangements as well as patent, trade secret, copyright and trademark laws. We also generally enter into confidentiality agreements with our employees, consultants, vendors, clients and potential clients, partners and potential partners, and limit access to and distribution of our proprietary information. We operate across multiple jurisdictions with varying intellectual property frameworks, including evolving AI-specific regulations. While international treaties such as the Berne Convention provide certain baseline protections, the regulatory landscape governing AI and intellectual property is rapidly evolving. The U.S. Patent and Trademark Office and Copyright Office continue issuing guidance on AI-related inventions, and patentability questions involving machine-generated outputs remain unsettled. There can be no assurance that the laws, rules, regulations and treaties in effect in the United States, India and the other jurisdictions in which we operate and the contractual and other protective measures we take, are adequate to protect us from misappropriation or unauthorized use of our intellectual property, or that such laws will not change. We may not be able to detect unauthorized use and take appropriate steps to enforce our rights, and any such steps may not be successful. Infringement by others of our intellectual property, including the costs of enforcing our intellectual property rights, may have a material adverse effect on our business, results of operations and financial condition. In addition, we may not be able to prevent others from using our data and proprietary information to compete with us. Existing trade secret, copyright and trademark laws offer only limited protection. Further, the laws of some foreign countries may not protect our data and proprietary information at all. If we have to resort to legal proceedings to enforce our rights, the proceedings could be burdensome, protracted, distracting to management and expensive and could involve a high degree of risk and be unsuccessful. Although we do not believe that our solutions or services infringe the intellectual property rights of others, claims may nonetheless be successfully asserted against us in the future. Our use of AI and generative AI technologies may expose us to intellectual property claims related to the data used to train AI models incorporated into our solutions and services. We may face claims that AI models we use were trained on copyrighted materials without authorization, or that outputs from our solutions or services infringe third-party copyrights or other intellectual property rights. The complexity and limited transparency of many AI models may make it difficult to fully understand AI system behavior or anticipate unintended infringement. Our development and deployment of agentic AI systems present novel intellectual property risks. The autonomous nature of these systems may result in outputs or actions that infringe third-party IP rights in ways that are difficult to predict or prevent, and liability frameworks for autonomous AI-generated infringement remain unclear. The costs of defending any infringement claims could be significant, and any successful claim may require us to modify, discontinue or rename any of our services. Additionally, if commercially available AI technologies become unavailable or more costly due to changing law or litigation, or if competitors develop more effective IP strategies for their AI technologies, obtain broader IP protection, or more successfully navigate the evolving IP landscape for AI-generated content, our competitive position may be materially harmed. The costs of developing, implementing, and defending our AI-related intellectual property portfolio may be substantial and may not yield anticipated returns. Any liability arising from unintentional infringement, or the costs of developing an IP strategy that sufficiently addresses the IP-related risks of our advanced technology solutions, could have a material adverse effect on our business, reputation, results of operations and financial condition.

In providing our services and solutions to clients, we often collect, process and store proprietary, personally identifying or other sensitive or confidential client and other third-party data. In addition, we collect, process and store data regarding our employees and contractors. As a result, we are subject to numerous data protection and privacy laws and regulations designed to protect this information in the countries in which we operate as well as the countries of residence of the persons whose data we process. We have established security measures and internal controls designed to prevent the inadvertent or intentional exposure or loss of personally identifiable information and other sensitive or confidential data. We regularly assess the adequacy of and make improvements to such security measures and controls. However, if any person, including any of our current or former employees or contractors, negligently disregards or intentionally breaches our or our clients' established security policies, measures and controls with respect to client, third-party or Genpact protected data or if we do not adapt to changes in data protection legislation, we could be subject to significant litigation, monetary damages, regulatory enforcement actions, fines and/or criminal prosecution in one or more jurisdictions. Unauthorized parties have attempted, and we expect will continue to attempt, to gain access to our systems and facilities, as well as those of our clients and third-party service providers, through various means, including hacking, social engineering, phishing, and attempting to fraudulently induce individuals (including employees, service providers, and our clients) into disclosing usernames, passwords, payment card information, or other sensitive information, which may in turn be used to access our information technology systems. Additionally, our employees and contractors have in the past engaged, and may in the future engage, in fraudulent conduct or other conduct that violates our client contracts or our internal controls or policies, whether intentionally or inadvertently. We have experienced security incidents due to the actions of our employees or contractors, though none of these incidents has had a material impact on our operations or financial results. The threat of incursions into our information systems and technology infrastructure has increased in recent years as the sophistication of threat actors who have hacked, attacked, held for ransom or otherwise disrupted information systems of other companies and misappropriated or disclosed data has increased. Threat actors are also increasingly focused on gaining access to a target's systems though supply chain channels and taking advantage of the proliferation of technology platform vulnerabilities disclosed by software companies to exploit the vulnerabilities before patches are applied. Additionally, threat actors are increasingly using AI and generative AI capabilities to enhance their attack techniques, including by creating deepfakes, exploitation code or automated social engineering. We could also be impacted by cyberattacks by nation states or other organizations arising out of geopolitical tensions or conflicts. Certain types of cyberattacks could harm us even if our systems are left undisturbed. For example, attacks may be designed to deceive employees or service providers into providing credentials or other access mechanisms to our or our clients' systems to a hacker. We may be unable to anticipate the techniques used by threat actors to infiltrate our systems and may fail to detect or timely detect when an incursion has occurred or to implement adequate preventative and responsive measures, including in the case of threats that are designed to remain dormant or undetectable until launched against a target. Additionally, in the event of a ransomware or other attack involving data theft and encryption, we could face delays in the recovery of data, or a partial or total loss of data, in the event of a lack of adequate backups or recovery processes or a compromise of our backups or backup systems. The steps we have taken to protect our information systems and data security may be inadequate. Actual or perceived breaches of our security, whether through breach of our computer systems, systems failure (including due to aged IT systems or infrastructure or system misconfigurations) or otherwise, could influence the market perception of the effectiveness of our security measures and, as a result, our reputation could be harmed and we could lose existing or potential clients. Media or other reports of perceived breaches or weaknesses in our systems, products or networks could also adversely impact our brand and reputation and materially affect our business. Our clients, suppliers, subcontractors, and other third parties with whom we do business, including in particular cloud service providers and software vendors, generally face similar or greater cybersecurity threats, and we must rely on the safeguards adopted by these third parties. We and our clients rely on third-party cloud, software, and open-source components, and vulnerabilities or failures in those supply chains (including "zero-day" exploits) may introduce or amplify risk, trigger client and regulatory claims, and increase remediation costs. If these third parties do not have adequate safeguards or their safeguards fail, it might result in breaches of our systems or applications, unauthorized access to or disclosure of our and our clients' confidential data or a disruption in our services. In addition, the products, services and software that we use and provide to our clients, or the third-party components of such products, services and software, sometimes contain or introduce cybersecurity threats or vulnerabilities to our and our clients' information technology networks, intentionally or unintentionally. We are regularly alerted to vulnerabilities in third-party technology components we use in our business that create risks in our environments. We typically are not aware of such vulnerabilities until we receive notice from the third parties who have discovered the exposure, and our responses to such vulnerabilities may not be adequate or prompt enough to prevent their exploitation. Our clients' proprietary, sensitive, or confidential information could also be compromised by a cybersecurity attack affecting us, or their systems could be disabled or disrupted as a result of such an attack. Our clients, regulators, or other third parties may attempt to hold us liable, through contractual indemnification clauses or directly, for any such losses or damages resulting from such an attack. We may also be liable to our clients or others for damages caused by disclosure of confidential information or system failures. Many of our contracts do not limit our potential liability for breaches of confidentiality. We may also be subject to civil actions and criminal prosecution by governments or government agencies for breaches relating to such data. Our insurance coverage or indemnification protections for breaches or mismanagement of such data may not be adequate to cover all costs related to data loss, cybersecurity attacks, or disruptions resulting from such events, or they may not continue to be available on reasonable terms or in sufficient amounts to cover one or more large claims against us and our insurers may disclaim coverage as to any future claims. The impact of these cybersecurity attacks, data losses, and other security breaches cannot be predicted, but any such attack, loss or breach could disrupt our operations and the operations of our clients, suppliers, subcontractors, or other third parties. Incidents of this type have in the past and may in the future require significant management attention and resources and have in the past and may in the future result in the loss of revenues from clients. These incidents could also result in regulatory fines and penalties, financial liability, significant remediation costs, and reputational harm among our clients and the public, any of which could have a material adverse impact on our financial condition, results of operations, or liquidity. While we have developed and implemented security measures and internal controls designed to prevent, detect and respond to cyber and other security threats and incidents and to recover data compromised in such incidents, such measures cannot guarantee security and may not be successful in preventing security breaches, detecting or effectively responding to such breaches, recovering data compromised or lost, or restoring operations in a timely manner. In the ordinary course of business, we are subject to regular incursion attempts from a variety of sources, and we have experienced security incidents, including from cyber threat actors, as a result of attack techniques such as phishing, social engineering, vulnerability exploitation and malware. To date such incidents have not had a material impact on our operations or financial results. However, there is no assurance that such impacts will not be material in the future. Additionally, our hybrid working model, which includes a high number of employees working remotely, has reduced our ability to enforce physical security controls and monitor employee conduct and has increased the risk that our employees will engage in impermissible or careless conduct, which could give rise to reputational harm and legal liability. Our inability to enforce physical security controls and monitor our employees working remotely also increases the risk of security incidents. Virtual hiring and remote work can also increase risks of candidate fraud, moonlighting, training and cultural integration challenges, as well as inadvertent local tax or employment law non-compliance due to unreported employee location changes. Measures we have taken in the remote work environment to implement suitable additional controls and educate our employees on the importance of cybersecurity, data loss prevention and related best practices may not prevent data breaches, the occurrence of which could have a material adverse impact on our business, reputation, financial condition, and results of operations.

We are in the midst of a multi-year process of implementing a complex new enterprise resource planning system ("ERP"), which is a major undertaking that will replace most of our existing operating and financial systems. An ERP system is used to maintain financial records, enhance data security and operational functionality and resiliency, and provide timely information to management related to the operation of a business. The ERP implementation requires the integration of the new ERP with existing information systems and business processes. Our ERP planning and implementation has required and will continue to require, investment of significant capital and human resources,requiring the attention of members of our management team. Any deficiencies in the design, or delays or issues encountered in the implementation, of the new ERP could result in significantly greater capital expenditures and employee time and attention than currently contemplated, and could adversely affect our ability to operate our business, including effective management of our invoicing and accounts receivable and collections processes, file timely reports with the SEC or otherwise affect the proper and efficient operation of our controls. If the system as implemented, or after necessary investments, does not result in our ability to maintain accurate books and records, our financial condition, results of operations, and cash flows could be materially adversely impacted. Additionally, conversion from our old system to the new ERP may also cause inefficiencies until the ERP is stabilized and mature. The implementation of our new ERP will require new procedures and many new controls over financial reporting. If we are unable to adequately plan, implement and maintain procedures and controls relating to our ERP, our ability to produce timely and accurate financial statements or comply with applicable regulations could be impaired and impact the effectiveness of our internal controls over financial reporting. All of the above could result in harm to our reputation or our clients, as well as expose us to regulatory actions or claims, any of which could materially impact our business, results of operations, financial condition and stock price.

Our profitability is largely a function of how efficiently we utilize our assets and the pricing that we are able to obtain for our solutions and services. Our utilization rates are affected by a number of factors, including our ability to transition employees from completed projects to new assignments, hire and assimilate new employees, forecast demand for our services, match our employees' skills with client demand, manage attrition as well as our need to devote time and resources to training, professional development and other typically non-chargeable activities. The prices we are able to charge for our solutions and services are affected by a number of factors, including our clients' perceptions of our ability to add value, competition, introduction of new services and technologies (including generative and agentic AI) or products by us or our competitors, our ability to accurately estimate, recognize and sustain revenues from client engagements, margins and cash flows over long contract periods and macroeconomic and political conditions. Therefore, if we are unable to price appropriately or manage our asset utilization levels, there could be a material adverse effect on our business, results of operations and financial condition. Our profitability is also a function of our ability to control our costs and improve our efficiency. As we increase the number of our employees and grow our business, we may not be able to manage the significantly larger and more geographically diverse workforce that may result and our profitability may decrease or may not improve. New taxes may also be imposed on our services, such as sales taxes or service taxes, which could affect our competitiveness as well as our profitability. Additionally, we may fail to appropriately estimate our costs in agreeing to provide new or novel services with unique pricing arrangements or service delivery requirements.