Kyndryl Holdings Incorporation (KD) Risk Analysis

We are subject to numerous, evolving, and sometimes conflicting, legal regimes on matters as diverse as anticorruption, import/export controls, content requirements, cybersecurity, data governance and privacy, trade restrictions, tariffs, taxation, sanctions, immigration, internal and disclosure control obligations, securities regulation, anti-competition, anti-money-laundering, wage-and-hour standards, employment and labor relations, environmental, human rights, machine learning and AI. Further, we and the services we provide to customers may be impacted directly or indirectly by the development and enforcement of laws and regulations in the U.S. and globally that are specifically targeted at the technology and services sectors. As we expand our customer base and the scope of our offerings, both within the U.S. and globally, we may be further impacted by additional regulatory or other risks, including compliance with laws relating to corporate taxation, import, export and trade restrictions on technology and services. The global nature of our operations, including jurisdictions where legal systems may be less developed or understood by us, business practices and standards which deviate from international standards, and the diverse nature of our operations across a number of regulated industries, further increases the difficulty of compliance. Additionally, certain laws and regulations including the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act 2010 could make us responsible for acts of our employees, subcontractors, vendors, agents, alliance or joint venture partners, the companies we may acquire and their employees, subcontractors, vendors and agents, and other third parties with which we associate if they take actions that violate applicable anti-corruption laws or regulations (whether or not we participated or knew about the actions leading to the violations). Compliance with diverse legal requirements is costly and time-consuming and requires significant resources. New and changing laws can also adversely affect the Company's business by limiting the Company's ability to offer a service or feature to customers, imposing changes to the design of the Company's products and services, impacting customer demand for the Company's products and services, and requiring changes to the Company's supply chain and business. New and changing laws and regulations can also create uncertainty about how such laws and regulations will be interpreted and applied. Violations of one or more of these regulations in the conduct of our business could result in significant fines and penalties, disgorgement of profits, enforcement actions or criminal sanctions against us and/or our employees, contractors or agents, prohibitions on doing business, unfavorable publicity and damage to our reputation. Violations of these regulations in connection with the performance of our obligations to our customers also could result in liability for significant monetary damages and restrictions on our ability to effectively carry out our contractual obligations and thereby expose us to potential claims from our customers. Due to the varying degrees of development of the legal systems of the countries in which we operate, local laws may not be well developed or provide sufficiently clear guidance and may be insufficient to protect our rights. Changes in laws and regulations could also mandate significant and costly changes to the way we implement our services or could impose additional taxes on our services. Changes in laws and regulations, including expanding controls on imports and exports and sanctions resulting from geopolitical developments, could impact our business, including imposing limits on where we can conduct operations, parties with whom we can conduct business, and the nature of work that can be performed. Such changes may result in limitations on existing or future business operations in certain markets, and violations of such laws and regulations could result in significant fines, penalties and enforcement actions.

As a multinational company with customers and employees around the world, we are or may become involved as a party and/or may be subject to a variety of claims, demands, suits, investigations, tax matters and other proceedings that arise from time to time in the ordinary course of our business. In addition, our former Parent may obtain, or may seek to obtain, indemnity from us for judgments against it relating to events that occurred prior to the Separation pursuant to agreements put in place in connection with the Separation. The risks associated with known significant legal proceedings are described in more detail in Note 14 – Commitments and Contingencies in the financial statements elsewhere in this report. We believe that we have adopted appropriate risk management and compliance programs. Legal and compliance risks, however, will continue to exist, and additional legal proceedings and other contingencies, the outcome of which cannot be predicted with certainty, may arise from time to time.

We are subject to income taxes and withholding taxes in both the United States and numerous foreign jurisdictions. We calculate and provide for taxes in each tax jurisdiction in which we operate. Tax accounting often involves complex matters and requires our judgment to determine our worldwide provision for income taxes and other tax liabilities. Our provision for income taxes and cash tax liability in the future could be adversely affected by numerous factors including, but not limited to, income before taxes being lower than anticipated in countries with lower statutory tax rates and higher than anticipated in countries with higher statutory tax rates, changes in the valuation of deferred tax assets and liabilities, and changes in tax laws, regulations, accounting principles or interpretations thereof, which could adversely impact our results of operations and financial condition in future periods. The Organization for Economic Cooperation and Development (the "OECD") continues to issue guidelines that are different, in some respects, than long-standing international tax principles. Local country adoption of some or all of these rules may increase tax uncertainty and may adversely impact our income taxes. Furthermore, local country, state, provincial or municipal taxation may also be subject to review and potential override by regional, federal, national or similar forms of government, which may also adversely impact our income taxes. In addition, we are subject to periodic examinations of our domestic and foreign tax returns by taxing authorities in the jurisdictions in which we do business. While we regularly assess the likelihood of adverse outcomes resulting from these examinations in order to determine the adequacy of our provision for income taxes, there can be no assurance that the outcomes from these examinations will not have an adverse effect on the Company's provision for income taxes and cash flows.

We have customer agreements in place that include certain service-level commitments. If we are unable to meet such commitments, we may be contractually obligated to pay penalties or provide these customers with service credits for a portion of the service fees paid by our customers. However, we cannot be assured that our customers will accept these penalties or credits in lieu of other legal remedies that may be available to them. Our failure to meet our commitments could also result in customer dissatisfaction or loss and have an adverse effect on our business, reputation, financial condition and results of operations. In addition, as we work on projects to advance the digital transformations of our customers' businesses, the scale and complexity of these IT transformation projects present risks in management and execution. Our profitability depends on the ability of subcontractors, vendors and service providers to deliver their products and services in a timely manner, at the anticipated cost, and in accordance with the project requirements, as well as on our effective oversight of their performance. Certain customer work requires the use of unique and complex structures and alliances, some of which require us to assume responsibility for the performance of third parties whom we do not control. In addition, as the Company continues to identify opportunities to reduce its overall cost structure and increase operating efficiencies, including through site rationalization initiatives, if we do not effectively manage such efforts and our infrastructure capacity requirements, it could adversely impact our ability to effectively and efficiently deliver our services. Any of these factors could adversely affect our ability to perform and subject us to additional liabilities, which could have an adverse effect on our relationships with customers and on our results of operations.

Our commercial contracts are typically awarded on a competitive or "sole-source" basis. Our bids are priced upon, among other items, the expected cost to provide the services. We are dependent on our internal forecasts and predictions about our projects and the marketplace, and, to generate an acceptable return on our investment in these contracts, we must be able to accurately estimate our costs to provide the services required by the contract and to complete the contracts in a timely manner. We face a number of risks when pricing our contracts, as many of our projects entail the coordination of operations and workforces in multiple locations and utilizing workforces with different skill sets and competencies across geographically diverse service locations. In addition, revenues from a small portion of our contracts are recognized using the cost-to-cost method, which requires estimates of total costs at completion, fees earned on the contract, or both. This estimation process, particularly due to the technical nature of the services being performed and the long-term nature of certain contracts, is complex and involves significant judgment. Adjustments to original estimates are often required as work progresses, experience is gained and additional information becomes known, even though the scope of the work required under the contract may not change. Moreover, as inflation can increase both our labor and non-labor input costs, the profitability of our contracts could be negatively impacted if we are unable to adjust our pricing or costs to take inflation into account. Furthermore, if we fail to accurately estimate the effort, costs or time required to complete a contract, the profitability of our contracts may be materially and adversely affected. If we are not able to increase our margins as anticipated, we may not be able to meet key objectives to further our growth strategy.

Our competitors include incumbents that have expanded their offerings to migration and management of cloud-based environments; companies that use labor-based models and leverage talent pools primarily in lower-cost countries that have grown to offer a broad range of services with a worldwide presence; and advisory-focused system integrators specializing in bringing together disparate technology environments. Our competitiveness is based on factors including quality of services, technical skills and capabilities, industry knowledge and experience, financial value, ability to innovate and respond to rapid and continuing changes in technology to serve the evolving needs of our customers, intellectual property and methods, contracting flexibility, and speed of execution. If we are unable to compete based on such factors, our results of operations and business prospects could be harmed. This competition may decrease our revenue and place downward pressure on operating margins in our industry, particularly for contract extensions or renewals. As a result, we may not be able to maintain our current revenue and operating margins, or achieve favorable operating margins, for contracts extended or renewed in the future. If we fail to create and sustain an efficient and effective cost structure that scales with revenues during periods with declining revenues, our margins and results of operations may be adversely affected. Companies with whom we have alliances in certain areas are or may become competitors in other areas. In addition, companies with whom we have alliances also may acquire or form alliances with competitors, which could reduce their business with us. If we are unable to effectively manage these complicated relationships with alliance peers, our business and results of operations could be adversely affected.

Our customers include numerous governmental entities within and outside the United States, including foreign governments and U.S. state and local entities. Some of our agreements with these customers are subject to periodic funding approval or other government budgetary issues. Funding reductions, delays or work stoppages could adversely impact public sector demand for our services and can result in payment delays, payment reductions or contract terminations, any of which would have an adverse effect on our business, financial condition, results of operations and/or cash flows. Also, government contracts are generally subject to extensive and evolving procurement regulations and tend to have additional requirements beyond commercial contracts and, for example, may contain provisions providing for higher liability limits for certain losses and non-performance. Also, compliance violations in one state or locality could result in suspension or debarment as a governmental contractor, could incur civil and criminal fines and penalties, or could impact our ability to compete for new contracts, which could negatively impact our competitive position, results of operations, financial results and reputation.

Our ability to maintain or increase our revenues and profit may be impacted by a number of factors, including our ability to attract new customers, retain existing customers and sell additional, comparable or, in the case of accounts with substandard margins, services with greater gross margins to our customers. We may incur higher customer acquisition or retention costs as we seek to grow our customer base and expand our markets. Moreover, to the extent we are unable to retain and sell additional services to existing customers, including as part of our initiative to address existing accounts that have substandard margins, our revenue and results of operations may decrease. Our customer contracts typically have an average duration of over five years and, unless terminated, may be renewed or automatically extended on a month-to-month basis. Our customers have no obligation to renew their services after their initial contract periods expire, and any termination fees associated with an early termination may not be sufficient to recover our costs associated with such contracts. The loss of business from any of our major customers, whether by the cancellation of existing contracts, the failure to obtain new business or lower overall demand for our services, could adversely impact our revenue and results of operations.

Our reputation may be susceptible to damage by events such as significant disputes with customers, internal control deficiencies, delivery failures, cybersecurity incidents, government investigations or legal proceedings or actions of current or former customers, directors, employees, competitors, vendors, alliance partners or joint venture partners. If we fail to gain a positive reputation as leader in our field, or if our brand image is tarnished by negative perceptions, our ability to attract and retain customers and talent could be impacted.

Our ability to issue debt or enter into other financing arrangements on acceptable terms could be adversely affected if there is a material decline in the demand for our services or in the solvency of our customers or suppliers or if there are other significantly unfavorable changes in economic conditions. Volatility in the world financial markets could increase borrowing costs or affect our ability to access the capital markets. These conditions may adversely affect our credit ratings.

We are a globally integrated company doing business worldwide. Our results of operations have been and could in the future be affected by unfavorable, volatile or uncertain economic and geopolitical conditions and by macroeconomic changes, including recessions, inflation, currency fluctuations between the U.S. dollar and non-U.S. currencies, capital controls and adverse changes in trade relationships among those countries. Further, international trade disputes could create uncertainty. Tariffs, international trade sanctions and other controls on imports or exports resulting from these disputes could affect our ability to move goods and services across borders, or could impose added costs to those activities. Measures taken to date by us to mitigate these impacts could be made less effective should trade sanctions or tariffs change. In addition, any widespread outbreak of an illness, pandemic or other local or global health issue, natural disasters including those that could be related to climate change impacts, or uncertain political climates, international hostilities, geopolitical conflict or any terrorist activities, could adversely affect customer demand, our operations and supply chain, and our ability to source and deliver solutions to our customers. In the current macroeconomic environment, customers continue to balance short-term challenges and opportunities for transformation. While some customers have accelerated their digital transformation and increased their expenditures, the short-term priorities of other customers continue to be focused on operational stability, flexibility and cash preservation, and as such, we may experience some disruptions in transactional performance.

Our growth strategy depends in part on our ability to continue to develop and implement services and solutions that anticipate and respond to rapid and continuing changes in technology, offerings and industry standards to serve the evolving demands and needs of our customers. If we fail to respond and adapt successfully to technology developments and trends and customer demands in a timely or cost-effective manner or fail to effectively leverage new technologies into our services and solutions, or if our competitors or other third parties respond to such challenges more quickly or successfully than we do, the demand for our services and solutions may diminish. We have made and expect to continue to make investments in new technologies, including in AI and generative AI. We sometimes dedicate a significant amount of resources to our development efforts before knowing to what extent our investments will result in services and solutions the market will accept. The adoption and use of new technologies that are still in their early stages, such as AI and generative AI capabilities, involve significant risks and uncertainties. In addition, investments in technology systems, capabilities, talent and resources may not deliver the benefits or perform as expected, may be replaced or become obsolete more quickly than expected, or may reduce or replace some of our current services and offerings, which could result in operational difficulties or additional costs. If we do not sufficiently invest in new technologies and adapt to industry developments, if we are unable to commercialize them in our services and solutions, evolve, expand and scale them effectively with sufficient speed and versatility, or if we do not make the right strategic investments to respond to these developments and successfully drive innovation, our results of operations and our ability to develop and maintain a competitive advantage and to execute on our growth strategy could be negatively affected.

Our intellectual property rights may not prevent competitors from independently developing services similar to or duplicative of ours, nor can there be any assurance that the resources invested by us to protect our intellectual property will be sufficient or that our intellectual property portfolio will adequately deter misappropriation or improper use of our technology. Our ability to protect our intellectual property could also be impacted by changes to existing laws, legal principles and regulations governing intellectual property. Further, we rely on third-party intellectual property rights, open-source software and other third-party software in providing some of our services and solutions, and there can be no assurances that we will be able to obtain from third parties the licenses we need in the future or retain all of these intellectual property rights upon renewal, expiration or termination of such licenses. If we cannot obtain, renew or extend licenses to third-party intellectual property on commercially reasonable terms, or if we must obtain alternative or substitute technology or redesign services, our business may be adversely affected. Additionally, we cannot be sure that our services and solutions, or the solutions of others that we offer to our customers, do not infringe on the intellectual property rights of third parties (including competitors as well as non-practicing holders of intellectual property assets), and these third parties could claim that we, our customers or parties indemnified by us are infringing upon their intellectual property rights. As we expand our use of AI, there may be uncertainty regarding intellectual property ownership and license rights of AI algorithms and content generated by AI, and we may become subject to similar claims of infringement. In addition, we may be the target of aggressive and opportunistic enforcement of patents by third parties, including patent assertion entities and non-practicing entities. These claims, even if we believe they have no merit, could subject us to a temporary or permanent injunction or damages, harm our reputation, divert management attention and resources and cause us to incur substantial costs or prevent us from offering some services or solutions in the future. Even if we have an agreement providing for third parties to indemnify us for the foregoing claims, the indemnifying parties may be unwilling or unable to fulfill their contractual obligations.

We maintain information, including confidential and proprietary information, in digital form regarding our business and the business of our customers, business partners, vendors, employees, contractors and other third parties. We also rely on third-party vendors to provide certain digital services in connection with our business and our delivery of services to customers. There are numerous and evolving risks relating to cybersecurity, data governance and privacy, including risks originating from intentional acts of criminal hackers, nation states and hacktivists; from intentional and unintentional acts of customers, business partners, vendors, employees, contractors, competitors and other third parties; and from errors, vulnerabilities and omissions in infrastructure, technology products, services and solutions that we use, as well as the risks associated with the number of customers, business partners, vendors, employees, contractors and other third parties working remotely. Computer hackers and others routinely attempt to exploit and attack the security of technology products, services, systems and networks using a wide variety of methods, including ransomware or other malicious software and attempts to exploit vulnerabilities and flaws in hardware, software and infrastructure, technology products, services and solutions. Attacks also include social engineering to fraudulently induce customers, business partners, vendors, employees, contractors and other third parties to unwittingly disclose information, transfer funds or provide access to systems or data. We are at risk of security breaches not only of our own infrastructure, networks and services, but also those of customers, business partners, vendors, employees, contractors and other third parties. Cyber threats and attacks are increasing in number and sophistication and continually evolving, particularly with the expanding availability of AI and generative AI tools and technologies, making it more challenging to defend against certain threats, attacks and vulnerabilities that can persist undetected over extended periods of time. Our technology infrastructure, products, services and solutions, including other third-party systems and technologies that we use to deliver our services or maintain on behalf of our customers, may be used in critical Company, customer or third-party operations, and involve the storage, processing and transmission of sensitive data, including proprietary or confidential data, regulated data, personal information and intellectual property of employees, customers and others. These products, services and solutions are also used by customers in heavily regulated industries, including those in the financial services, healthcare, critical infrastructure and government sectors. Cybersecurity attacks or other security incidents relating to our technology infrastructure, products, services and solutions or those of our vendors could result in, for example, one or more of the following: unauthorized access to, disclosure, modification, misuse, loss or destruction of Company, customer or other third-party data or systems; theft or import or export of sensitive, regulated or confidential data including personal information and intellectual property; the loss of access to critical data or systems through ransomware, destructive attacks or other means; and business delays, service or system disruptions or denials of service. In the event of such actions, we, our customers and other third parties could be exposed to liability (whether contractual or otherwise), litigation, and regulatory or other government inquiries, enforcement actions, fines or penalties, as well as the loss of existing or potential customers, negative publicity, damage to brand and reputation, damage to our competitive position and other financial loss. The cost and operational consequences of responding to cybersecurity incidents and implementing remediation measures could be significant. In our industry, vulnerabilities in technology infrastructure, products, services and solutions are increasingly discovered, publicized and exploited, elevating the risk of attacks and the potential cost of response and remediation for us and our customers. The increasing number and sophistication of cyber threats, attacks and vulnerabilities, and the scale and complexity of our business and infrastructure, make it possible that certain threats, attacks or vulnerabilities will be undetected or unmitigated in time to prevent or minimize the impact on us or our customers. Cybersecurity risk to us and our customers also depends on factors such as the actions, practices and investments of customers, business partners, vendors, employees, contractors and other third parties. Cybersecurity attacks or other catastrophic events resulting in disruptions to or failures in power, information technology, communication systems or other critical infrastructure could result in interruptions or delays to Company, customer or other third-party operations or services, financial loss, injury or death to persons or property, potential liability, and damage to brand and reputation. Although, to date, we have not experienced a cybersecurity incident that has had a material adverse effect on us and we continuously take steps to mitigate cybersecurity risk across a range of functions, such measures cannot eliminate the risk entirely or provide absolute security. While we continue to monitor for, identify, investigate, respond to, remediate and develop plans to quickly recover from cybersecurity incidents, notwithstanding our efforts, we may experience a cybersecurity incident in the future that may have a material adverse impact on the Company. As we are a global enterprise, the regulatory environment with regard to cybersecurity, data governance, privacy, AI and other issues to which we are subject is increasingly complex and will continue to impact our business, including through increased risk, increased compliance costs, and expanded or otherwise altered compliance obligations. The enactment and expansion of cybersecurity, data governance, privacy, AI and other laws and regulations around the globe, including an increased focus on international data transfer mechanisms and supply chain management, the lack of harmonization of such laws and regulations, the increase in associated litigation and enforcement activity, the potential for damages, fines and penalties, and enacted or potential regulation of emerging and new technologies, such as AI and generative AI, will continue to result in increased compliance costs and increased risks. Any additional costs and penalties associated with increased compliance, enforcement and risk reduction could make certain offerings less profitable or increase the difficulty of bringing certain offerings to market.