Lemonade (LMND) Risk Factors

We provide insurance through our subsidiaries, LIC and MIC. Since LIC is a New York State-domiciled insurance company, LIC's primary insurance regulator responsible for supervision and examination is the NYDFS. Since MIC is domiciled in Delaware and is commercially domiciled in California, MIC's primary insurance regulators responsible for supervision and examination are the Delaware Department of Insurance and the California Department of Insurance. LIC and MIC are subject to a financial examination by their primary insurance regulators every three to five years, under which they will review LIC and MIC's financials, including their relationships and transactions with affiliates. NYDFS is currently leading a group financial exam for LIC and MIC covering the years 2019 through 2022. We cannot predict with precision the likelihood, nature, or extent of any necessary remedial actions, if any, resulting from any examination, or the associated costs of such remedial actions or regulatory scrutiny. In addition, insurance regulators of other states in which we are licensed to operate periodically conduct market conduct examinations or other targeted investigations. We are presently subject to, and in the future will continue to be subject to, such examination and investigations. Any regulatory or enforcement action or any regulatory order imposing remedial, injunctive, or other corrective action against us resulting from these examinations or investigations could have a material adverse effect on our business, reputation, financial condition or results of operations. The results of each examination can give rise to fines and monetary penalties as well as regulatory orders requiring remedial, injunctive, or other corrective action.

Litigation and other proceedings may include, but are not limited to, complaints from or litigation by customers or reinsurers, related to alleged breaches of contract or otherwise. As our market share increases, competitors may pursue litigation to require us to change our business practices or offerings and limit our ability to compete effectively. As is typical in the insurance industry, we continually face risks associated with litigation of various types arising in the normal course of our business operations, including disputes relating to insurance claims under our policies as well as other general commercial and corporate litigation. Although we are not currently involved in any material litigation with our customers, us and other members of the insurance industry are the target of class action lawsuits and other types of litigation, some of which involve claims for substantial or indeterminate amounts, and the outcomes of which are unpredictable. This litigation is based on a variety of issues, including sale of insurance and claim settlement practices. In addition, because we employ artificial intelligence to collect data points, customers or consumer groups have brought and could bring individual or class action claims alleging that our methods of collecting or using data and pricing risk are impermissibly discriminatory or otherwise improper. We cannot predict with any certainty whether we will be involved in such material litigation in the future or what impact such material litigation would have on our business. If we were to be involved in litigation and it was determined adversely, it could require us to pay significant damage amounts or to change aspects of our operations, either of which could have a material adverse effect on our financial results. Even claims without merit can be time- consuming and costly to defend and may divert management's attention and resources away from our business and adversely affect our business, results of operations and financial condition. Additionally, routine lawsuits over claims that are not individually material could in the future become material if aggregated with a substantial number of similar lawsuits. In addition to increasing costs, a significant volume of customer complaints or litigation could adversely affect our brand and reputation, regardless of whether such allegations are valid or whether we are liable. We cannot predict with certainty the costs of defense, the costs of prosecution, insurance coverage or the ultimate outcome of litigation or other proceedings filed by or against us, including remedies or damage awards, and adverse results in such litigation, and other proceedings may harm our business and financial condition. See "Legal Proceedings."

The GDPR applies to the processing of personal data by our business in the context of our establishments in the European Union and/or the UK. In addition, all portions of our business established outside the European Union may be required to comply with the requirements of the GDPR with respect to the offering of products or services to individuals in the European Union or UK. The GDPR could also apply to our establishments of business outside the European Union if we were to monitor the activities of individuals in the European Union or become established in the European Union/UK. The GDPR increases the maximum level of fines for the most serious compliance failures to the greater of four percent of annual worldwide turnover or €20,000,000/ GBP17,500,000, respectively. We may also be subject to the local privacy and data protection laws of the E.U. Member States in which we offer products or services, which can carry penalties and potential criminal sanctions. The regulatory requirements and restrictions set out in the GDPR include, among others, the following: - The GDPR imposes a number of principles with respect to the processing of personal data, including requirements to process personal data lawfully, fairly, and in a transparent manner, to process personal data only to the extent necessary for the purposes required, maintain the accuracy of personal data, limit the retention of personal data for no longer than is necessary, and maintain appropriate technical and organizational security measures against unauthorized processing or accidental loss, destruction, or damage. We are implementing external and internal policies and procedures, technical measures and internal training designed to adhere to those principles;- In relation to the transparency principle, the GDPR requires us to provide individuals in the European Union whose personal data we process ("data subjects") with certain information regarding the processing of their personal data by us, and we have an E.U. privacy policy, which can be found at https://www.lemonade.com/de/en/privacy-policy (with respect to Germany), https://www.lemonade.com/nl/en/privacy-policy (with respect to the Netherlands) and http://www.lemonade.com/fr/en/privacy-policy (with respect to France);- The GDPR requires us to maintain internal records of our processing activities and to make those records available to regulators on demand;- The GDPR requires us to include certain mandatory terms in our agreements with third parties that process personal data subject to the GDPR on our behalf ("Processors") and we are in the process of entering into compliant data processing terms with each of our Processors. If third parties with whom we work were to violate their obligations under the GDPR, and/or under their agreements with us, such violation could potentially have an adverse impact on our business;- The GDPR grants data subjects certain rights, including the right to object to the processing of their personal data by us, to request copies of their personal data from us, to receive information regarding the processing of their personal data and to exercise certain other rights against us in respect of their personal data, and we are implementing internal policies and procedures designed to address those rights;- The GDPR prohibits automated decision making, i.e. a decision evaluating a data subject's personal aspects based solely on automated processing that produces legal effects or other significant effects for that data subject, except where such decision making is necessary for entering into or performing a contract or is based on the data subject's explicit consent. There is not yet any clear precedent as to whether use of artificial intelligence to make insurance offers to individuals will be considered necessary even though it is integral to our business model. If our automated decision making processes cannot meet this necessity threshold, we cannot use these processes with E.U. data subjects unless we obtain their explicit consent. Relying on consent to conduct this type of processing holds its own risks because consent must be considered freely given (commentators argue that seeking consent by tying it to a service may be problematic) and consent can be withdrawn by a data subject at any time. We are continually monitoring for updates to guidance in this area, however, if subsequent guidance and/or decisions limit our ability to use our artificial intelligence models, that may decrease our operational efficiency and result in an increase to the costs of operating our business. Automated decision making also attracts a higher regulatory burden under the GDPR, which requires the existence of such automated decision making be disclosed to the data subject including a meaningful explanation of the logic used in such decision making, and safeguards must be implemented to safeguard individual rights, including the right to obtain human intervention and to contest any decision. Further obligations in terms of transparency are likely to be imposed under new laws regulating AI, including the EU AI Act which is expected to enter into force in 2024, and the majority of the substantive requirements applying two years later. The EU AI Act includes requirements around transparency, conformity assessments and monitoring, risk assessments, human oversight, security and accuracy, and proposes fines for breach of up to 7% of worldwide annual turnover. Once fully applicable, the EU AI Act will have a material impact on the way artificial intelligence is regulated in the EU, and together with developing guidance and/ or decisions in this area, is likely to affect our use of artificial intelligence and our ability to provide and to improve our services, require additional compliance measures and changes to our operations and processes, result in increased compliance costs and potential increases in civil claims against us, and could adversely affect our business, operations and financial condition.; and - The GDPR also places limits on the profiling of individuals, i.e. processing of personal data to evaluate certain personal aspects, like analyzing or predicting aspects of a person's economic situation, health, personal preferences, location, etc. There is a lack of clarity on when we can rely on consent from the data subject to conduct profiling, or when we can rely on our legitimate business interests to do so. In the latter case, it is unclear what kind of opt-out mechanism would be required to achieve GDPR compliance. We are continually monitoring for updates to guidance in this area, however, if subsequent guidance and/or decisions limit our ability to engage in profiling, that may decrease our operational efficiency and result in an increase to the costs of operating our business. We are also subject to European Union rules with respect to cross-border transfers of personal data out of the European Economic Area ("EEA") and the United Kingdom. Case law from the Court of Justice of the European Union ("CJEU") states that reliance on the standard contractual clauses - a standard form of contract approved by the European Commission as an adequate personal data transfer mechanism - alone may not necessarily be sufficient in all circumstances and that transfers must be assessed on a case-by-case basis. On October 7, 2022, President Biden signed an Executive Order on ‘Enhancing Safeguards for United States Intelligence Activities' which introduced new redress mechanisms and binding safeguards to address the concerns raised by the CJEU in relation to data transfers from the EEA to the United States and which formed the basis of the new EU-US Data Privacy Framework ("DPF"), as released on December 13, 2022. The European Commission adopted its Adequacy Decision in relation to the DPF on July 10, 2023, rendering the DPF effective as an EU GDPR transfer mechanism to U.S. entities self-certified under the DPF. On October 12, 2023, the UK Extension to the DPF came into effect (as approved by the UK Government), as a UK GDPR data transfer mechanism to U.S. entities self-certified under the UK Extension to the DPF. We currently rely on the DPF to transfer certain personal data from the EEA to the United States and on the UK Extension to the DPF to transfer certain personal data from the UK to the United States. We also currently rely on the EU standard contractual clauses and the UK Addendum to the EU standard contractual clauses and the UK International Data Transfer Agreement as relevant to transfer personal data outside the EEA and the UK with respect to both intragroup and third party transfers. We expect the existing legal complexity and uncertainty regarding international personal data transfers to continue. In particular, we expect the DPF Adequacy Decision to be challenged and international transfers to the United States and to other jurisdictions more generally to continue to be subject to enhanced scrutiny by regulators. As the regulatory guidance and enforcement landscape in relation to data transfers continue to develop, we could suffer additional costs, complaints and/or regulatory investigations or fines; we may have to stop using certain tools and vendors and make other operational changes; we may have to implement revised standard contractual clauses for existing intragroup, customer and vendor arrangements within required time frames; and/or it could otherwise affect the manner in which we provide our services, and could adversely affect our business, operations and financial condition. In respect of the GDPR's obligations, we rely on positions and interpretations of the law that have yet to be fully tested before the relevant courts and regulators. If a regulator or court of competent jurisdiction determined that one or more of our compliance efforts does not satisfy the applicable requirements of the GDPR, or if any party brought a claim in this regard, there could be potential governmental or regulatory investigations, enforcement actions, regulatory fines, compliance orders, litigation or public statements against us by consumer advocacy groups or others, and that could cause customers to lose trust in us and damage our reputation. Likewise, a change in guidance could be costly and have an adverse effect on our business. We are also subject to evolving EU and UK privacy laws on cookies, tracking technologies and e-marketing. In the EU and the UK under national laws derived from the ePrivacy Directive, informed consent is required for the placement of a cookie or similar technologies on an individual's device and for direct electronic marketing. The GDPR also imposes conditions on obtaining valid consent for cookies, such as a prohibition on pre-checked consents and a requirement to ensure separate consents are sought for each type of cookie or similar technology. Recent European court and regulator decisions are driving increased attention to cookies and tracking technologies. Recent European court and regulator decisions are also driving increased attention to cookies and tracking technologies. If the trend of increasing enforcement by regulators of the strict approach to opt-in consent for all but essential use cases, as seen in recent guidance and decisions continues this may increase the cost of operating our business and lead to a decline in revenues and impair our ability to collect user information. In addition, legal uncertainties about the legality of cookies and other tracking technologies may lead to regulatory scrutiny and increase potential civil liability under data protection or consumer protection laws. Any such changes may force us to incur substantial costs or require us to change our business practices which could compromise our ability to pursue our growth strategy effectively and may adversely affect our ability to acquire customers or otherwise harm our business, financial condition and operating results. In light of the complex and evolving nature of EU, EU Member State and UK privacy laws on cookies and tracking technologies, there can be no assurances that we will be successful in our efforts to comply with such laws; violations of such laws could result in regulatory investigations, fines, orders to cease/ change our use of such technologies, as well as civil claims including class actions, and reputational damage. Any significant change to applicable laws, regulations, interpretations of laws or regulations, or market practices, regarding the use of personal data, or regarding the manner in which we seek to comply with applicable laws and regulations, could require us to make modifications to our products, services, policies, procedures, notices, and business practices, including potentially material changes. Such changes could potentially have an adverse impact on our business.

Because our products are highly-advanced and require rigorous testing and regulatory approvals, development cycles can be complex. Moreover, development projects can be technically challenging and expensive, and may be delayed or defeated by the inability to obtain licensing or other regulatory approvals. The nature of these development cycles may cause us to experience delays between the time we incur expenses associated with research and development and the time we generate revenues, if any, from such expenses. If we expend a significant amount of resources on research and development and our efforts do not lead to the successful introduction or improvement of products that are competitive in the marketplace, this could materially and adversely affect our business and results of operations. Additionally, anticipated customer demand for a product we are developing could decrease after the development cycle has commenced. Such decreased customer demand may cause us to fall short of our sales targets, and we may nonetheless be unable to avoid substantial costs associated with the product's development. If we are unable to complete product development cycles successfully and in a timely fashion and generate revenues from such future products, the growth of our business may be harmed.

We enter into assignment of invention agreements with employees and contractors, pursuant to which such individuals assign to us all rights to any inventions created in the scope of their employment or engagement with us. Under the Israeli Patent Law, 5727-1967 (the "Israel Patent Law"), inventions conceived by an employee or a person deemed to be an employee during and in consequence of their employment are regarded as "service inventions," which belong to the employer, absent a specific agreement between employee and employer giving the employee service invention rights. In the case of a service invention, employees and former employees may petition the Israeli Compensation and Royalties Committee established under the Israel Patent Law to determine whether they are entitled to remuneration for their service inventions. The Israeli Compensation and Royalties Committee and the Supreme Court have held that employees may be entitled to remuneration for their service inventions despite having waived such rights, resulting in uncertainty under Israeli law with respect to the efficacy of waivers of service invention rights. Although our contractors and employees have agreed to assign to us service invention rights, we may face claims demanding remuneration in consideration for assigned inventions. As a consequence of such claims, we could be required to pay additional remuneration or royalties to our current or former contractors or employees, or be forced to litigate such claims, which could negatively affect our business.

We use data, technology and intellectual property licensed from unaffiliated third parties in certain of our products, including insurance industry proprietary information that we license from Insurance Services Office, Inc. ("ISO"), and we may license additional third-party technology and intellectual property in the future. Any errors or defects in this third-party technology and intellectual property could result in errors that could harm our brand and business. In addition, licensed technology and intellectual property may not continue to be available on commercially reasonable terms, or at all. Also, should ISO refuse to license its proprietary information to us on the same terms that it offers to our competitors, we could be placed at a significant competitive disadvantage. Further, although we believe that there are currently adequate replacements for the third-party technology and intellectual property we presently use other than proprietary information provided by ISO, the loss of our right to use any of this technology and intellectual property could result in delays in producing or delivering affected products until equivalent technology or intellectual property is identified, licensed or otherwise procured, and integrated. Our business would be disrupted if any technology and intellectual property we license from others or functional equivalents of this software were either no longer available to us or no longer offered to us on commercially reasonable terms. In either case, we would be required either to attempt to redesign our products to function with technology and intellectual property available from other parties or to develop these components ourselves, which would result in increased costs and could result in delays in product sales and the release of new product offerings. Alternatively, we might be forced to limit the features available in affected products. Any of these results could harm our business, results of operations and financial condition.

Some parts of our business depend on our relationships and contractual arrangements with third parties. If our third parties terminate business arrangements with us, or renew contracts on terms less favorable to us, we may fail to meet our business objectives and targets, and our cash flows, results of operations and financial condition could be adversely affected. For example, our life insurance product is offered through an arrangement with a life insurance provider. In these relationships, we rely on the third-party's internal controls, to manage the product. Although we monitor the third-party provider's and other service providers on an ongoing basis, our monitoring efforts may not be adequate, or our providers could exceed their authorities or otherwise breach obligations owed to us, which could result in operational disruption, reputational damage and regulatory intervention and otherwise have a material adverse effect on our results of operation and financial condition.

Historically, insurers have experienced significant fluctuations in operating results due to competition, frequency and severity of catastrophic events, levels of capacity, adverse litigation trends, regulatory constraints, general economic conditions, and other factors. The supply of insurance is related to prevailing prices, the level of insured losses and the level of capital available to the industry that, in turn, may fluctuate in response to changes in rates of return on investments being earned in the insurance industry. As a result, the insurance business historically has been a cyclical industry characterized by periods of intense price competition due to excessive underwriting capacity as well as periods when shortages of capacity increased premium levels. Demand for insurance depends on numerous factors, including the frequency and severity of catastrophic events, levels of capacity, the introduction of new capital providers and general economic conditions. All of these factors fluctuate and may contribute to price declines generally in the insurance industry. We cannot predict with certainty whether market conditions will improve, remain constant or deteriorate. Negative market conditions may impair our ability to underwrite insurance at rates we consider appropriate and commensurate relative to the risk assumed. Additionally, negative market conditions could result in a decline in policies sold, an increase in the frequency of claims and premium defaults, and an uptick in the frequency of falsification of claims. If we cannot underwrite insurance at appropriate rates, our ability to transact business will be materially and adversely affected. Any of these factors could lead to an adverse effect on our business, results of operations and financial condition.

The renters and homeowners insurance market is highly competitive with carriers competing through product coverage, reputation, financial strength, advertising, price, customer service and distribution. While we face limited direct competition from traditional insurance companies for first-time renters, we face significant competition from traditional insurance companies for homeowners, car and life. Competitors include companies such as Allstate, Farmers, Liberty Mutual, State Farm, GEICO, Progressive and Travelers. These companies are larger than us and have significant competitive advantages over us, including increased name recognition, higher financial ratings, greater resources, and additional access to capital. Our future growth will depend in large part on our ability to grow our homeowners insurance business in which traditional insurance companies retain certain advantages. In particular, unlike us, many of these competitors offer consumers the ability to purchase renters, homeowners and multiple other types of insurance coverage and "bundle" them together into one policy and, in certain circumstances, include an umbrella liability policy for additional coverage at competitive prices. Moreover, as we expand into new lines of business and offer additional products beyond renters, homeowners, pet, life and car insurance, we could face intense competition from insurance companies that are already established in such markets. Competitors in the pet insurance space include companies such as Nationwide, Embrace, and Trupanion. Competitors in the car insurance space include companies such as Progressive, GEICO and Allstate. Additionally, any new insurance products could take months to be approved by regulatory authorities, or may not be approved at all. We currently face competition by technology companies in the markets in which we operate. There are various technology companies that have recently started operating in adjacent insurance categories that may in the future offer renters, homeowners, pet, life and car insurance products. Technology companies may in the future begin operating and offering products at better and more competitive pricing than us, which could cause our results of operations and financial condition to be materially and adversely affected. In addition, traditional insurance companies may seek to adapt their businesses to sell insurance and process claims using technology similar to ours. Given their size, resources, and other competitive advantages, they may be able to erode any market advantage we may currently have over them.

We currently rely on third-party vendors to provide payment processing services, including the processing of payments from credit cards and debit cards, and our business would be disrupted if these vendors become unwilling or unable to provide these services to us and we are unable to find a suitable replacement on a timely basis. If we or our processing vendor fail to maintain adequate systems for the authorization and processing of credit card transactions, it could cause one or more of the major credit card companies to disallow our continued use of their payment products. In addition, if these systems fail to work properly and, as a result, we do not charge our customers' credit cards on a timely basis or at all, our business, revenue, results of operations and financial condition could be harmed. The payment methods that we offer also subject us to potential fraud and theft by criminals, who are becoming increasingly more sophisticated, seeking to obtain unauthorized access to or exploit weaknesses that may exist in the payment systems. If we fail to comply with applicable rules or requirements for the payment methods we accept, or if payment-related data are compromised due to a breach of data, we may be liable for significant costs incurred by payment card issuing banks and other third parties or subject to fines and higher transaction fees, or our ability to accept or facilitate certain types of payments may be impaired. In addition, our customers could lose confidence in certain payment types, which may result in a shift to other payment types or potential changes to our payment systems that may result in higher costs. If we fail to adequately control fraudulent credit card transactions, we may face civil liability, diminished public perception of our security measures, and significantly higher credit card-related costs, each of which could harm our business, results of operations and financial condition.

The effects of climate change continue to create an alarming level of concern for the state of the global environment. As a result, the global business community has increased its political and social awareness surrounding the issue, and the United States has entered into international agreements in an attempt to lessen expected increases in global temperatures, such as reentering the Paris Agreement. Further, the U.S. Congress, state legislatures and federal and state regulatory agencies continue to propose and enact initiatives to supplement the global effort to combat climate change. If new legislation or regulation is enacted, we could incur increased costs and capital expenditures to comply with its limitations, which may impact our financial condition and operating performance. For example, on November 21, 2021, the NYDFS issued Guidance for New York Domestic Insurers on Managing the Financial Risks from Climate Change, pursuant to which domestic insurers are expected to take a strategic approach to managing climate risks. The guidance imposed an initial deadline of August 15, 2022, under which domestic insurers were expected to implement certain board and management governance measures and develop specific plans to implement certain organizational structure changes. NYDFS is expected to issue further guidance on timing regarding more complex expectations, such as those relating to risk appetite, analysis of the impact of climate risks on existing risk factors, reflection of climate risks in the Own Risk and Solvency Assessment (ORSA), scenario analysis, and public disclosure. In addition, the U.S. Federal Reserve recently identified climate change as a systemic risk to the economy. It also reported that a gradual change in investor sentiment regarding climate risk introduces the possibility of abrupt tipping points or significant swings in sentiment, which could create unpredictable follow-on effects in financial markets. If this occurred, we could be negatively impacted by the general economic decline, including by possible negative impacts to our stock price.