H World Group (HTHT) Risk Analysis

Our business involves collecting and retaining large volumes of internal and customer data, including credit card numbers and other personal information as our various information technology systems enter, process, summarize and report such data. We also maintain information about various aspects of our operations as well as regarding our employees. The integrity and protection of our customer, employee and company data is critical to our business. Our customers and employees expect that we will adequately protect their personal information.  We are required by applicable laws to keep strictly confidential of the personal information that we collect, and to take adequate security measures to safeguard such information. The Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (general data protection regulation, "GDPR"), imposes certain requirements on the processing of personal data relating to natural persons. GDPR requirements will apply both to companies established in the EU and to companies, such as us, that are not established in the EU but process personal data of individuals who are in the EU (and in the European Economic Area subject to the enactment of implementation procedures), where the processing activities relate to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or (b) the monitoring of their behavior as far as their behavior takes place within the EU. See "item 4. Information on the Company - 4.B. Business Overview - Regulation - Regulation on Information Protection on Networks." Compliance with the GDPR will be a rigorous and time-intensive process that may increase our cost of doing business, and the failure to comply with the GDPR could expose us to sanctions from both a financial and business operations perspective. In addition, in case of control, non-compliance with the GDPR may expose us to damage to our reputation. On February 1, 2013, China's first set of personal data protection guidelines, the Guidelines for Personal Information Protection in Information Security Technology Public and Commercial Service Systems, came into effect, which set forth detailed personal information protection requirements on data collection, data processing, data transfer and data creation. Although these guidelines are voluntary and non-binding, we believe that growing regulatory oversight of data privacy in China is inevitable. In addition, Amendment 7 to the PRC Criminal Law  prohibits institutions, companies and their employees in the telecommunications and other industries from selling or otherwise illegally disclosing a citizen's personal information obtained during the course of performing duties or providing services or obtaining such information through theft or other illegal ways. On November 7, 2016, the Standing Committee of the PRC National People's Congress issued the Cyber Security Law of the PRC, which became effective on June 1, 2017. Pursuant to the Cyber Security Law of the PRC, providers of network products and services shall provide security maintenance for their products and services and shall comply with provisions regarding the protection of personal information as stipulated under the relevant laws and regulations. Moreover, the Provisions on Protection of Personal Information of Telecommunication and Internet Users is the specific regulation governing the collection, use, disclosure and security of personal information. Complying with these PRC laws and regulations may cause us to incur substantial costs or require us to change our business practices. See "Item 4. Information on the Company - B. Business Overview - Regulation - Regulation on Information Protection on Networks". While we take various measures to comply with all applicable data privacy and protection laws and regulations,  our current security measures and those of our third-party service providers may not be adequate for the protection of our customer, employee or company data. In addition, computer hackers, foreign governments or cyber terrorists may attempt to penetrate our network security and our website. Unauthorized access to our proprietary internal and customer data may be obtained through break-ins, sabotage, breach of our secure network by an unauthorized party, computer viruses, computer denial-of-service attacks, employee theft or misuse, breach of the security of the networks of our third-party service providers, or other misconduct. Because the techniques used by computer programmers who may attempt to penetrate and sabotage our proprietary internal and customer data change frequently and may not be recognized until launched against a target, we may be unable to anticipate these techniques. Unauthorized access to our proprietary internal and customer data may also be obtained through inadequate use of security controls. For instance, in August 2018, online reports alleged that we had become the subject of potential information leak. A proposed class action complaint was filed in the United States District Court in the Central District of California against us and our management alleging violations of the U.S. securities laws in relation to this possible data breach. This case was voluntarily dismissed by the plaintiffs on February 27, 2019. We may face similar litigations in the future. Any of such proceedings may harm our reputation and adversely affect our business and results of operations. The laws and regulations applicable to security and privacy are becoming increasingly important in China. Any theft, loss, fraudulent, unlawful use or disclosure of customer, employee or company data could harm our reputation or result in remedial and other costs, liabilities, fines or lawsuits.

The lodging industry is subject to fluctuations in revenues due to seasonality and national or regional special events. The seasonality of our business may cause fluctuations in our quarterly operating results. Generally, the first quarter, in which both the New Year and Spring Festival holidays fall, accounts for a lower percentage of our annual revenues than other quarters of the year. We typically have a lower RevPAR in the fourth quarter, as compared to the second and third quarters, due to reduced travel activities in the winter. In addition, national or regional special events that attract large numbers of people to travel may also cause fluctuations in our operating results in particular for the hotel locations where those events are held. For example, the 2016 G20 Hangzhou summit led to the decreased occupancy rates for our hotels in Hangzhou in September 2016. The 19th National Congress of the Communist Party of China led to the increased occupancy rates for our hotels in Beijing in October 2017. Therefore, you should not rely on our operating or financial results for prior periods as an indication of our results in any future period. As our revenues may vary from quarter to quarter, our business is difficult to predict and our quarterly results could fall below investor expectations, which could cause our ADS price to decline. Furthermore, the ramp-up process of our new hotels can be delayed during the low season, which may negatively affect our revenues and profitability.

Our financial and operating performance may be adversely affected by epidemics, adverse weather conditions, natural disasters and other catastrophes, particularly in locations where we operate a large number of hotels. Our business could be materially and adversely affected by the outbreak of swine influenza, avian influenza, severe acute respiratory syndrome or other epidemics. In recent years, there have reports on the occurrences of avian influenza in various parts of China, including hundreds of confirmed human deaths. Any prolonged recurrence of such contagious disease or other adverse public health developments in China may have a material and adverse effect on our operations. For example, if any of our employees or customers is suspected of having contracted any contagious disease while he or she has worked or stayed in our hotels, we may under certain circumstances be required to quarantine our employees that are affected and the affected areas of our premises. Losses caused by epidemics, adverse weather conditions, natural disasters and other catastrophes, including earthquakes or typhoons, are either uninsurable or too expensive to justify insuring against in China. In the event an uninsured loss or a loss in excess of insured limits occurs, we could lose all or a portion of the capital we have invested in a hotel, as well as the anticipated future revenues from the hotel. In that event, we might nevertheless remain obligated for any financial commitments related to the hotel. Similarly, war (including the potential of war), terrorist activity (including threats of terrorist activity), social unrest and heightened travel security measures instituted in response, travel-related accidents, as well as geopolitical uncertainty and international conflict, will affect travel and may in turn have a material adverse effect on our business and results of operations. In addition, we may not be adequately prepared in contingency planning or recovery capability in relation to a major incident or crisis, and as a result, our operational continuity may be adversely and materially affected and our reputation may be harmed.

We develop all of our leased and owned hotels directly. Our involvement in the development of properties presents a number of risks, including construction delays or cost overruns, which may result in increased project costs or forgone revenue. We may be unable to recover development costs we incur for projects that do not reach completion. Properties that we develop could become less attractive due to market saturation or oversupply, and as a result we may not be able to recover development costs at the expected rate, or at all. Furthermore, we may not have available cash to complete projects that we have commenced, or we may be unable to obtain financing for the development of future properties on favorable terms, or at all. If we are unable to successfully manage our hotel development to minimize these risks, our growth strategy and business prospects may be adversely affected.

The success of our business depends in part upon our continued ability to use our brands, trade names and trademarks to increase brand awareness and to further develop our products. The unauthorized reproduction of our trademarks could diminish the value of our brands and their market acceptance, competitive advantages or goodwill. In addition, we consider our proprietary information systems and operational system to be key components of our competitive advantage and our growth strategy. As of December 31, 2018, we have received copyright registration certificates for 63 of our major proprietary information systems and for our operating system. However, none of our other proprietary information system have been patented, copyrighted or otherwise registered as our intellectual property. Monitoring and preventing the unauthorized use of our intellectual property is difficult. The measures we take to protect our brands, trade names, trademarks and other intellectual property rights may not be adequate to prevent their unauthorized use by third parties. Furthermore, the application of laws governing intellectual property rights in China and abroad is evolving and could involve substantial risks to us. In particular, the laws and enforcement procedures in the PRC are uncertain and do not protect intellectual property rights to the same extent as do the laws and enforcement procedures in the United States and other developed countries. If we are unable to adequately protect our brands, trade names, trademarks and other intellectual property rights, we may lose these rights and our business may suffer materially. We may also be subject to claims for infringement, invalidity, or indemnification relating to third parties' intellectual property rights. Such third party claims may be time-consuming and costly to defend, divert management attention and resources, or require us to enter into licensing agreements, which may not be available on commercially reasonable terms, or at all.

Our ability to provide consistent and high-quality services and to monitor our operations on a real-time basis throughout our hotel group depends on the continued operation of our information technology systems, including our web property management, central reservation and customer relationship management systems. Certain damage to or failure of our systems could interrupt our inventory management, affect the manner of our services in terms of efficiency, consistency and quality, and reduce our customer satisfaction. Our technology platform plays a central role in our management of inventory, revenues, loyalty program and franchisees. We also rely on our website, call center and mobile application to facilitate customer reservations. Our systems remain vulnerable to damage or interruption as a result of power loss, telecommunications failures, computer viruses, fires, floods, earthquakes, interruptions in access to our toll-free numbers, hacking or other attempts to harm our systems, and other similar events. Our servers, which are maintained in Shanghai, may also be vulnerable to break-ins, sabotage and vandalism. Some of our systems are not fully redundant, and our disaster recovery planning does not account for all possible scenarios. Furthermore, our systems and technologies, including our website and database, could contain undetected errors or "bugs" that could adversely affect their performance, or could become outdated and we may not be able to replace or introduce upgraded systems as quickly as our competitors or within budgeted costs for such upgrades. If we experience frequent, prolonged or persistent system failures, our quality of services, customer satisfaction, and operational efficiency could be severely harmed, which could also adversely affect our reputation. Steps we take to increase the reliability and redundancy of our systems may be costly, which could reduce our operating margin, and there can be no assurance that whatever increased reliability may be achievable in practice or would justify the costs incurred. In addition, we collaborate with various business partners, such as airlines, in our day-to-day operations, and our ability to provide satisfactory services to customers also depend on the maintenance and efficacy of such business partners' systems, such as the maintenance of networks with necessary speed, bandwidth, and stability. If any of our business partners' systems encounter errors, "bugs" or other problems, our ability to effectively provide our services may be adversely affected, our reputation may be harmed, and we may also face customer complaints and be subject to fines and other penalties from competent authorities.