Leidos Holdings (LDOS) Risk Factors

We derive a portion of our revenues from programs with the U.S. government and its agencies that are subject to security restrictions (e.g., contracts involving classified information and classified programs), which preclude the dissemination of information and technology that is classified for national security purposes under applicable law and regulation. In general, access to classified information, technology, facilities, or programs requires appropriate personnel security clearances, is subject to additional contract oversight and potential liability, and may also require appropriate facility clearances and other specialized infrastructure. In the event of a security incident involving classified information, technology, facilities, programs, or personnel holding clearances, we may be subject to legal, financial, operational and reputational harm. We are limited in our ability to provide information about these classified programs, their risks or any disputes or claims relating to such programs. As a result, investors have less insight into our classified business or our business overall. However, historically the business risks associated with our work on classified programs have not differed materially from those of our other government contracts.

We recognize revenue on our service-based contracts primarily over time as there is a continuous transfer of control to the customer throughout the contract as we perform the promised services, which generally requires estimates of total costs at completion, fees earned on the contract, or both. This estimation process, particularly due to the technical nature of the services performed, and the long-term nature of certain contracts, is complex and involves significant judgment. Adjustments to original estimates are often required as work progresses, experience is gained and additional information becomes known, even though the scope of the work required under the contract may not change. Any adjustment as a result of a change in estimate is recognized as events become known. Changes in the underlying assumptions, circumstances or estimates could result in adjustments that may adversely affect our future financial results. For a discussion of our use of estimates in the preparation of our consolidated financial statements, see "Critical Accounting Estimates" in "Item 7. Management's Discussion and Analysis of Financial Condition and Results of Operations" of this Report, "Note 3-Summary of Significant Accounting Policies" of the notes to the consolidated financial statements contained within this Annual Report on Form 10-K.

From time to time, we pursue strategic acquisitions, investments and joint ventures. We also may enter into relationships with other businesses to expand our products or our ability to provide services. These transactions require a significant investment of time and resources and may disrupt our business and distract our management from other responsibilities. Even if successful, these transactions could result in unfavorable public perception or reduce earnings for a number of reasons, including the amortization of intangible assets, impairment charges, adverse tax consequences, acquired operations that are not yet profitable, or the payment of additional consideration under earn-out arrangements if an acquisition performs better than expected. Acquisitions, investments and joint ventures pose many other risks that could adversely affect our reputation, operations, or financial results, including that: - we may not be able to identify, compete effectively for or complete suitable acquisitions and investments at prices we consider attractive;- we may not be able to accurately estimate the financial effect of acquisitions and investments on our business or realize anticipated synergies, business growth, or profitability and may be unable to recover investments in any such acquisitions and investments;- we may not be able to manage the integration process for acquisitions successfully, and the integration process may divert management time and focus from operating our business, including as a result of incompatible accounting, information management, or other control systems;- acquired technologies, capabilities, products, and service offerings, particularly those that are still in development when acquired, may not perform as expected, may have defects or may not be integrated into our business as expected;- we may have trouble retaining key employees and customers of an acquired business;- we may need to implement or improve controls, procedures and policies at a business that prior to the acquisition may have lacked sufficiently effective controls, procedures and policies, including those relating to financial reporting, revenue recognition or other financial or control deficiencies;- we may assume legal or regulatory risks, particularly with respect to smaller businesses that have immature business processes and compliance programs, or may be required to comply with additional laws and regulations or to engage in remediation efforts to cause the acquired company to comply with applicable laws and regulations, or result in liabilities resulting from the acquired company's failure to comply with applicable laws or regulations;- we may face litigation or material liabilities that were not identified or were underestimated as part of our due diligence or for which we are unable to receive a purchase price adjustment or reimbursement through indemnification, including intellectual property claims and disputes or claims from terminated employees, customers, former stockholders or other third parties, or there may be other unanticipated write-offs or charges;- we may be required to spend a significant amount of cash or to incur debt, resulting in limitations on other potential uses for cash, increased fixed payment obligations or covenants or other restrictions on us, or issue shares of our common stock or convertible debt, resulting in dilution of ownership;- we may not be able to influence the operations of our joint ventures effectively, or we may be exposed to certain liabilities if our joint venture partners do not fulfill their obligations; and - if our acquisitions, investments, or joint ventures fail, perform poorly, or their value is otherwise impaired for any reason, including contractions in credit markets and global economic conditions, our business and financial results could be adversely affected. In addition, we periodically divest businesses, including businesses that are no longer a part of our ongoing strategic plan. These divestitures similarly require a significant investment of time and resources, may disrupt our business, distract management from other responsibilities and may result in losses on disposal or continued financial involvement in the divested business, including through indemnification, guarantee or other financial arrangements, for a period of time following the transaction, which would adversely affect our financial results.

As a government contractor and a provider of information technology services operating in multiple regulated industries and geographies, we and our service providers, suppliers and subcontractors collect, store, transmit, and otherwise process personal, confidential, proprietary, and sensitive information, including protected health information, personnel information, personal information, classified information, controlled unclassified information, intellectual property and financial information, concerning our business, employees, and customers. Therefore, we are continuously exposed to unauthorized attempts to compromise access, release or otherwise compromise such information through cyber-attacks and other information security threats, including, among other things, physical break-ins, theft, denial-of-service attacks, worms, computer viruses, software bugs, malicious or destructive code, social engineering, phishing attacks and impersonating authorized users, credential stuffing, account takeovers, insider threats, malfeasance or improper access by employees or service providers, human error, fraud, use of AI, "bots" or other automation software, or other similar disruptions. We are also exposed to hackers who have requested "ransom" in exchange for not disclosing information or restoring access to information or systems. These techniques may be perpetrated by internal bad actors, such as employees or contractors, or by third parties (including traditional computer hackers, persons involved with well-funded organized crime or state-sponsored actors). Any electronic or physical break-in or other security breach or compromise of our information technology systems and networks or facilities, or those of our service providers, suppliers, joint ventures or subcontractors, may jeopardize the confidential integrity or availability of information, including personal, confidential, proprietary or sensitive information, stored or transmitted through these systems and networks or stored in those facilities. This could lead to disruptions in mission-critical systems, unauthorized access to or release of personal, confidential, proprietary, sensitive or otherwise protected information and corruption of data or systems. We could also be subject to operational downtimes, delays and other detrimental impacts on our operations or ability to provide products and services to our customers. We are also increasingly subject to customer-driven cybersecurity certification requirements, including but not limited to CMMC, which are expected to be necessary to win future contracts. Security incidents could also result in liability, trigger other obligations under such contracts, or increase the difficulty of winning future contracts. Many statutory requirements, both in the U.S. and abroad, also include different obligations for companies to provide notice of information security incidents involving certain types of information (including obligations to notify affected individuals and regulators in the event of cybersecurity breaches involving certain personal information), which could result from breaches of our service providers, our suppliers or subcontractors. Although we have implemented policies, procedures and controls designed to protect against, detect and mitigate these threats and attacks, we and our service providers, suppliers, joint ventures, and subcontractors have faced and continue to face advanced and persistent attacks on our information systems. We cannot guarantee that future incidents will not occur, and if an incident does occur, our incident response planning may not prove fully adequate. We may also not be able to mitigate its impacts successfully. Techniques used by others to gain unauthorized access to personal, confidential, proprietary, or sensitive information or disrupt systems and networks for economic or strategic gain are constantly evolving, increasingly sophisticated, increasingly difficult to detect and successfully defend against and may see their frequency increased, and effectiveness enhanced, by the use of AI. Further, cybersecurity risks maybe heightened as a result of ongoing global conflicts such as the military conflict between Russia and Ukraine and the related sanctions imposed by the United States and other countries, or the ongoing Israel/Hamas conflict and its regional effects. While we generally perform cybersecurity diligence on our key service providers, we do not control our service providers and our ability to monitor their cybersecurity is limited, so we cannot ensure the cybersecurity measures they take will be sufficient to protect any information we share with them. Due to applicable laws and regulations or contractual obligations, we may be held accountable for cybersecurity breaches or other information security incidents attributed to our service providers as they relate to the information we share with them. We seek to detect and investigate all information security incidents and to prevent their occurrence, prolongation, or recurrence. We continue to invest in and improve our threat protection, detection and mitigation policies, procedures and controls. In addition, we work with other companies in the industry and government participants on increased awareness and enhanced protections against information security and malicious insider threats. However, because of the evolving nature and sophistication of these security threats, which can be difficult to detect, there can be no assurance that our policies, procedures and controls, or those of our service providers, suppliers, or subcontractors, have protected against, detected, mitigated or will detect, prevent or mitigate, any of these threats and we cannot predict the full impact of any such past or future incident. We may be currently unaware of certain vulnerabilities or lack the capability to detect them, which may allow them to persist in our information technology environment over long periods, and, even if discovered, it could take considerable time for us to obtain full and reliable information about the extent, amount and type of information compromised, and our remediation efforts may not be completely successful. As cybersecurity threats continue to evolve, we may be required to expend significant additional resources to continue to modify or enhance our protective measures or to investigate or remediate any information security vulnerabilities, cybersecurity breaches or other information security incidents. We may also experience similar security threats to the information technology systems we develop, install, or maintain under customer contracts. Although we work cooperatively with our customers and other business partners, including our service providers, suppliers, and subcontractors, to seek to minimize the potential for and impact of cyber-attacks and other security threats, we must rely on the safeguards put in place by those entities. See also the risk factor "Internal system or service failures, or failures in the systems or services of third parties on which we rely, could disrupt our business and impair our ability to effectively provide our services and products to our customers, which could damage our reputation and adversely affect our revenues and profitability." The occurrence of any unauthorized access to, attacks on cybersecurity breaches of other information security threats to our or our service providers', suppliers' or subcontractors' information technology infrastructure, systems or networks or data, or our failure to make adequate or timely disclosure to the public, regulators, or law enforcement agencies following any such event, could disrupt our infrastructure, systems, or networks or those of our customers, impair our ability to provide services to our customers and may jeopardize the security of data collected, stored, transmitted or otherwise processed through our information technology infrastructure, systems and networks. As a result, we could be exposed to claims, fines, penalties, loss of revenues, product development delays, compromise, corruption, or loss of confidential, proprietary, or sensitive information (including personal information or technical business information), contract terminations and damages, remediation costs and other costs and expenses, regulatory investigations or sanctions, indemnity obligations, and other potential liabilities. Any of the foregoing could adversely affect our reputation, ability to win work on sensitive contracts or loss of current and future contracts (including sensitive U.S. government contracts), business operations and financial results. We have insurance against some cyber-risks and attacks; however, our insurer may deny coverage as to any future claim, our insurance coverage may not be sufficient to offset the impact of a material loss event, and such insurance may increase in cost or cease to be available on commercial terms in the future.

We utilize artificial intelligence, including generative artificial intelligence, machine learning, and similar tools and technologies that collect, aggregate, analyze, or generate data or other materials or content (collectively, "AI") in connection with our business. There are significant risks involved in using AI and no assurance can be provided that our use of AI will enhance our products or services, produce the intended results, or keep pace with our competitors. For example, AI algorithms may be flawed, insufficient, of poor quality, rely upon incorrect or inaccurate data, reflect unwanted forms of bias, or contain other errors or inadequacies, any of which may not be easily detectable; AI has been known to produce false or "hallucinatory" inferences or outputs; our use of AI can present ethical issues and may subject us to new or heightened legal, regulatory, ethical, or other challenges; and inappropriate or controversial data practices by developers and end-users, or other factors adversely affecting public opinion of AI, could impair the acceptance of AI solutions, including those incorporated in our products and services. If the AI tools that we use are deficient, inaccurate, or controversial, we could incur operational inefficiencies, competitive harm, legal liability, brand or reputational harm, or other adverse impacts on our business and financial results. If we do not have sufficient rights to use the data or other material or content on which the AI tools we use rely, we also may incur liability through the violation of applicable laws and regulations, third-party intellectual property, data privacy, or other rights, or contracts to which we are a party. In addition, AI regulation is rapidly evolving worldwide as legislators and regulators increasingly focus on these powerful emerging technologies. The technologies underlying AI and its uses are subject to a variety of laws and regulations, including intellectual property, data privacy and security, consumer protection, competition, and equal opportunity laws, and are expected to be subject to increased regulation and new laws or new applications of existing laws and regulations. AI is the subject of ongoing review by various U.S. governmental and regulatory agencies, and various U.S. states and other foreign jurisdictions are applying, or are considering applying, their platform moderation, data privacy, and security laws and regulations to AI or are considering general legal frameworks for AI. We may not be able to anticipate how to respond to these rapidly evolving frameworks, and we may need to expend resources to adjust our operations or offerings in certain jurisdictions if the legal frameworks are inconsistent across jurisdictions. Furthermore, because AI technology itself is highly complex and rapidly developing, it is not possible to predict all of the legal, operational, or technological risks that may arise relating to the use of AI.

Volatile, negative, or uncertain economic conditions, an increase in the likelihood of a recession, or concerns about these or other similar risks may negatively impact our customers' ability and willingness to fund their projects. For example, declines in state and local tax revenues, as well as other economic declines, may result in lower government spending. Our customers reducing, postponing, or canceling spending on projects in respect of which we provide services may reduce demand for our services quickly and with little warning, which could have a material adverse effect on our business, results of operations, and financial condition. Moreover, instability in the credit or capital markets in the U.S., including as a result of failures of financial institutions and any related market-wide reduction in liquidity, or concerns or rumors about events of these kinds or similar risks, could affect the availability of credit or our credit ratings, making it relatively difficult or expensive to obtain additional capital at competitive rates, on commercially reasonable terms or in sufficient amounts, or at all, thus making it more difficult or expensive for us to access funds or refinance our existing indebtedness, or obtain financing for acquisitions. Such instability could also cause counterparties, including vendors, suppliers, and subcontractors, to be unable to perform their obligations or to breach their obligations to us under our contracts with them. In addition, instability in the credit or capital markets could negatively impact our customers' ability to fund their projects and, therefore, utilize our services, which could have a material adverse effect on our business, results of operations, and financial condition.

Any epidemics, pandemics, or similar outbreaks such as COVID-19 and its variants could create economic uncertainty and disruptions to the global economy that could adversely affect our businesses, or could lead to operational difficulties, including travel limitations, that could impair our ability to manage or conduct our business. For example, the spread of COVID-19 and mitigating measures caused unprecedented disruptions to the global economy and normal business operations across sectors and countries, including the sectors in which we, our customers and other third parties operate. Further, new contract awards have been and may continue to be delayed and our ability to perform on our existing contracts has been and may continue to be delayed or impaired, which will negatively impact our revenues. In addition, our program costs have increased as a result of COVID-19, and these cost increases may not be fully recoverable or adequately covered by insurance or equitable adjustments to contract prices. Any future epidemic, pandemic, or similar outbreak may have similar impacts, and we cannot currently anticipate the potential impact on our business and results of operations due to any such outbreak.

Our business is highly competitive, and we compete with larger companies with greater name recognition, financial resources, and a larger technical staff. We also compete with smaller, more specialized companies that can concentrate their resources on particular areas. Additionally, we compete with the U.S. government's own capabilities and federal non-profit contract research centers. For example, some customers, including the DoD, are turning to commercial contractors, rather than traditional defense contractors, for some products and services, and may utilize small business contractors or determine to source work internally rather than hiring a contractor. The markets in which we operate are characterized by rapidly changing customer needs and technology and our success depends on our ability to invest in and develop services and products that address such needs. To remain competitive, we must consistently provide superior service, technology, and performance to our customers on a cost-effective basis while understanding customer priorities and maintaining customer relationships. Our competitors may be able to provide our customers with different or greater capabilities or technologies or better contract terms than we can provide, including technical qualifications, past contract experience, geographic presence, price and the availability of qualified professional personnel, or be willing to accept more risk or lower profitability in competing for contracts. Some of our competitors have made or could make acquisitions of businesses or establish teaming or other agreements among themselves or third parties, which could allow them to offer more competitive and comprehensive solutions. As a result of such acquisitions or arrangements, our current or potential competitors may be able to accelerate the adoption of new technologies that better address customer needs, devote more significant resources to bring these products and services to market, initiate or withstand substantial price competition, develop and expand their product and service offerings more quickly than we do or limit our access to certain suppliers. These competitive pressures in our market or our failure to compete effectively may result in fewer orders, reduced revenue and margins, and loss of market share. Further industry consolidation may also impact customers' perceptions of the viability of smaller or even mid-size software firms and, consequently, customers' willingness to purchase from such firms.

As a result of the Small Business Administration set-aside program, the U.S. government may decide to restrict certain procurements only to bidders that qualify as minority-owned, small, or small disadvantaged businesses. As a result, we would not be eligible to perform as a prime contractor on those programs and would be restricted to a maximum of 49% of the work as a subcontractor on those programs. An increase in the number of procurements under the Small Business Administration set-aside program may impact our ability to bid on new procurements as a prime contractor or restrict our ability to re-compete on incumbent work that is placed in the set-aside program.

Misconduct could include fraud or other improper activities such as falsifying time or other records and violations of laws, such as the Anti-Kickback Act, and the failure to comply with our policies and procedures or with federal, state, or local government procurement regulations, regulations regarding the use and safeguarding of classified or other protected information, legislation regarding the pricing of labor and other costs in government contracts, laws and regulations relating to environmental, health or safety matters, bribery of foreign government officials, import-export control, lobbying or similar activities and any other applicable laws or regulations. Any data loss or information security lapses resulting in the compromise of personal information or the improper use or disclosure of sensitive or classified information could result in claims, remediation costs, regulatory investigations or sanctions against us, corruption or disruption of our systems or those of our customers, impairment of our ability to provide services to our customers, loss of current and future contracts, indemnity obligations, serious harm to our reputation and other potential liabilities. See also the risk factor "Cybersecurity breaches and other information security incidents could negatively impact our business and financial results, impair our ability to effectively provide our services to our customers and cause harm to our reputation or competitive position." Although we have implemented policies, procedures, training, and other compliance controls to prevent and detect these activities, these precautions may not prevent all misconduct, and as a result, we could face unknown risks or losses. This risk of improper conduct may increase as we continue to expand and do business with new partners. In the ordinary course of our business, we form and are members of joint ventures (meaning joint efforts or business arrangements of any type). Our failure to comply with applicable laws or regulations could damage our reputation and subject us to administrative, civil, or criminal investigations and enforcement actions, fines and penalties, restitution or other damages, loss of security clearance, loss of current and future customer contracts, loss of privileges and other sanctions, including suspension or debarment from contracting with federal, state or local government agencies, any of which would adversely affect our business, reputation and our future results.

We rely on our teaming relationships with other prime contractors and subcontractors, who are also often our competitors in other contexts, to submit bids for large procurements or other opportunities where we believe the combination of services and products provided by us and other companies will help us to win and perform the contract. Our future revenues and growth prospects could be adversely affected if other contractors eliminate or reduce their contract relationships with us or if the U.S. government terminates or reduces these other contractors' programs, does not award them new contracts, or refuses to pay under a contract. Companies that do not have access to U.S. government contracts may perform services as our subcontractor, and that exposure could enhance such companies' prospect of securing a future position as a prime U.S. government contractor, which could increase competition for future contracts and impair our ability to perform on contracts. We may have disputes with our subcontractors arising from, among other things, the quality and timeliness of work performed by the subcontractor, customer concerns about the subcontractor, our failure to extend existing task orders or issue new task orders under a subcontract, our hiring of a subcontractor's personnel or the subcontractor's failure to comply with applicable law. If any of our subcontractors fail to meet their contractual obligations in a timely manner or have regulatory compliance or other problems, our ability to fulfill our obligations as a prime contractor or higher tier subcontractor may be jeopardized. Significant losses could arise in future periods and subcontractor performance deficiencies could result in our termination for default. A termination for default could eliminate a revenue source, expose us to liability and have an adverse effect on our ability to compete for future contracts and task orders, especially if the customer is an agency of the U.S. government.