Lumen Technologies (LUMN) Risk Analysis

The technology and communications industry has been and continues to be impacted by significant technological changes, which are increasing demand for digitally-integrated products and enabling an increasing variety of companies to compete with us. Many of these technological changes are (i) displacing or reducing demand for certain of our services, (ii) enabling the development of competitive products or services, (iii) enabling customers to reduce or bypass use of our networks or (iv) reducing our profit margins. For example, our competitors may overbuild in our markets and roll out high speed connectivity products. Increasingly, customers are demanding higher transmission speeds and more technologically advanced products that suit their evolving needs, including traditional and generative AI services. As we note below, several of our competitors have dedicated substantially more resources to developing such advanced services. If we fail to develop competitive services, our business and financial performance could be adversely impacted. To remain competitive, we will need to accurately predict and respond to changes in technology, to continue developing and offering products and services attractive to our customers, to migrate our customers from legacy to newer products and services, to timely provision our products and services, to maintain and expand our network to enable it to support customer demands for significantly greater transmission capacity and speeds, and to discontinue outdated products and services on a cost-effective basis. Our ability to do so could be restricted by various factors, including limitations of our existing network, technology, capital or personnel. If we fail at that, we could fail to retain customers or attract new ones.

As a critical infrastructure service provider, we transmit large amounts of data over our systems, and process and store highly sensitive customer data. Consequently we, our third-party service providers, and our customers are under constant threat of cyber attacks. The number and sophistication of these attacks continues to increase. Despite our efforts to prevent these events, some of these attacks could result in a material adverse impact to our operations due to distributed denial of service attacks, ransomware attacks, malware, virus, credential harvesting, man-in-the-middle attacks, or social engineering attacks. As previously disclosed in our 2023 reports to the SEC and various 2024 media reports, (i) sophisticated threat actors accessed our internal information technology systems in 2023 and 2024 and (ii) we experienced a ransomware attack on a limited number of our servers in 2023. The ransomware attack did not impact any operations or customer data. We do not believe these incidents had or are likely to have a material adverse impact on our ability to serve our customers or our business, operations or financial results. As further described in Item 1C of this annual report, cyber-attacks on our systems may stem from a variety of sources and take many forms. Cyber-attacks can put at risk personally identifiable information, customer data or protected health information, thereby implicating stringent domestic and foreign data protection laws. These threats may also arise from failure or intrusions of systems owned, operated or controlled by other unaffiliated third-party operators, upon whom we are materially reliant to operate our business. Various other factors could intensify these risks, including, (i) our maintenance of information in digital form stored on servers connected to the Internet, (ii) our use of open- and software-defined networks, (iii) the challenges of operating and maintaining our complex multi-continent network composed of legacy and acquired properties, which is more difficult to safeguard than newer fully-integrated networks, (iv) growth in the size and sophistication of our customers and their service requirements, (v) increased use of our network due to greater demand for data services, (vi) the large number of our employees working from remote locations, (vii) our IT support agreements with purchasers of businesses we have divested over the past few years and (viii) as further discussed below, the difficulty of defending against increasingly sophisticated attacks. Cyber-attacks could (i) disrupt the proper functioning of our networks and systems, which could in turn disrupt the operations of our customers, (ii) result in the destruction, loss, theft, misappropriation or release of proprietary, confidential, sensitive, classified or otherwise valuable information of ours, our employees, our customers or our customers' end users, (iii) require us to notify customers, regulatory agencies or the public of data incidents, (iv) damage our reputation or result in a loss of business, (v) require us to provide credits for future service to our customers or to offer expensive incentives to retain customers, (vi) subject us to claims by our customers or regulators for damages, fines, penalties, license or permit revocations or other remedies, (vii) result in the loss of industry certifications or (viii) require significant management attention or financial resources to remedy the resulting damages or to change our systems. Any or all of the foregoing developments could have a material adverse impact on us. We believe the importance of our network to global internet data flows will continue to make it a target to a wide range of threat actors, including nation state actors and other advanced persistent threat actors. Moreover, the risk of incidents is likely to continue to increase due to several factors, including (i) the increasing use of machine learning, AI and other sophisticated techniques to initiate cyber and phishing attacks, (ii) the wider accessibility of cyber-attack tools that can circumvent security controls and evade detection, which can delay and limit our ability to accurately assess and fully remediate the impact of the attack, and (iii) growing threats from Chinese, Russian and other state actors due to heightened geopolitical tensions and rivalries, and the attendant increased possibility of cyber warfare targeting us in the event of a direct conflict. It should also be noted that defenses against cyber-attacks currently available to us and others are unlikely to prevent intrusions by a highly-determined, highly-sophisticated threat actor. Consequently, you should assume that we will continue to experience cyber incidents in the future. Thus far, none of our past security incidents have had a material adverse effect on us, and we continue to take steps designed to limit our cyber risks. Nonetheless, we cannot assure you that future cyber incidents or events will not ultimately have a material adverse impact on our business, operations or financial results. Although we maintain insurance coverage that may, subject to policy terms and conditions (including self-insured deductibles, coverage restrictions and monetary coverage caps), cover certain aspects of our cyber risks, such insurance coverage may be unavailable or insufficient to cover our losses.

Our international operations are subject to a wide range of U.S. and non-U.S. laws, regulations, treaties, tariffs and other directives governing our operations in international jurisdictions in which we provide services, either directly or indirectly through our contractual arrangements with other carriers. Many of these laws or other directives are complex, change frequently and conflict with the laws in other jurisdictions to which we are bound. There is a risk that these laws or other directives could materially restrict our ability to deliver services in various international jurisdictions or expose us to the risk of potential penalties, license revocations or contract terminations if we violate them. In addition, if the U.S. continues increasing its tariffs, we could incur additional expense we may be unable to recover from our customers. In addition to these international regulatory risks, some of the other risks inherent in conducting business internationally include: economic, social and political instability, with the attendant risks of terrorism, kidnapping, extortion, civic unrest, potential seizure or nationalization of assets; currency and exchange controls, repatriation restrictions and fluctuations in currency exchange rates, problems collecting accounts receivable; the difficulty or inability in certain jurisdictions to enforce contract or intellectual property rights; reliance on certain third parties with whom we lack extensive experience; supply chain challenges; and challenges in securing and maintaining the necessary physical and telecommunications infrastructure.

A substantial number of our domestic facilities are located in areas that subject them to the risks associated with severe tropical storms, hurricanes, tornadoes, earthquakes, floods, wildfires or other similar casualty events. From time to time these events (including Hurricane Ian in 2022 in Florida) have disrupted our operations, and similar future events could cause substantial damages, including downed transmission lines, flooded facilities, power outages, fuel shortages, network delays or failures, damaged or destroyed property and equipment, and business interruptions. Due to substantial deductibles, coverage limits and exclusions, and limited availability, we have typically recovered only a portion of our losses through insurance. Our system redundancy and other measures we take to protect our infrastructure and operations from the impacts of such events may be ineffective or inadequate to sustain our operations following such events. Any of these occurrences could result in lost revenues from business interruption, damage to our reputation and reduced profits. Climate changes may increase the frequency or severity of natural disasters and other extreme weather events in the future, which would increase our exposure to the above-cited risks and could disrupt our supply chain from our key suppliers and vendors. Climate changes could also require us to continue to increase our spending on network resilience initiatives, and could result in additional regulation impacting our operations or profitability.

Our ability to conduct our operations could have a material adverse impact on us if certain of our arrangements with third parties were terminated, including those further described below. Reliance on other communications providers. To offer certain services in certain of our markets, we must either purchase services or lease network capacity from, or interconnect our network with, the infrastructure of other communications carriers or cloud companies who typically compete against us in those markets. Our reliance on these supply or interconnection arrangements limits our control over the delivery, quality and quantity of these purchased services. In addition, we are exposed to the risk that other companies may be unwilling or unable to continue or renew these arrangements in the future for several reasons, including bankruptcy. Those risks are heightened when we contract with a competitor who may have incentives to act in ways unfavorable to us, including by terminating those contracts, imposing price increases or favoring their transmissions over ours. Additionally, several companies rely on our network to transmit their data or voice traffic. Their reliance on our network exposes us to the risk that they may transfer all or a portion of this traffic from our network to alternative networks owned, constructed or leased by them, thereby reducing our revenue. For instance, certain of our hyperscaler customers have built infrastructure that has reduced their reliance on us. Reliance on key suppliers and vendors. We depend on a limited number of suppliers and vendors to provide us, directly or through other suppliers, with equipment and services relating to our network infrastructure, including fiber optic cable, software, optronics, transmission electronics, digital switches, routing equipment, customer premise equipment, and related components. We also rely on software and service vendors or other parties to assist us with operating, maintaining and administering our business, including billing, security, provisioning and general operations. Our operations could be adversely affected in the future if any of these vendors are unable or unwilling for any reason to continue to deliver their products or services on terms acceptable to us, including due to business interruptions, security incidents, litigation, financial distress, bankruptcy or changes in their operations or business strategies. Reliance on key licensors. We rely on key technologies licensed from third parties to deliver certain of our products and services. Our agreements with these licensors may expire or be terminated, and some of the licenses may not be available to us in the future on terms acceptable to us or at all, including if the third-party licensor violates, or is alleged to have violated, the intellectual property rights of others. Moreover, if we incorporate licensed technology into our network, we may have limited flexibility to deploy different technologies from alternative licensors. Reliance on key customer contracts. We have several complex high-value national and global customer contracts. These contracts are frequently impacted by a variety of factors that could reduce or eliminate the profitability of these contracts. Moreover, we would be adversely impacted if we fail to renew major contracts upon their expiration. Reliance on landowners. We rely on rights-of-way, colocation agreements, franchises, licenses and other authorizations granted by governmental bodies, railway companies, utilities, carriers and other third parties to locate a portion of our network equipment over, on or under their respective properties, or to conduct operations within their jurisdictions. A significant number of these authorizations are scheduled to lapse over the next five to 10 years, unless we are able to extend or renew them. Our operations could be adversely affected if any of these authorizations are cancelled, or otherwise terminate or lapse, or if the landowner requests price increases. Similarly, our buildout plans can be delayed if we cannot receive necessary landowner authorizations or governmental permits. We cannot assure you we will be able to successfully extend these arrangements when their terms expire, or to enter into new arrangements that may be necessary to implement our network expansion opportunities.

As explained in greater detail elsewhere in this annual report, (i) our domestic operations are regulated by the FCC and other federal, state and local agencies and (ii) our international operations are regulated by a wide range of various foreign and international bodies. We cannot assure you we will be successful in obtaining or retaining all regulatory licenses necessary to carry out our business in our various markets. Even if we are, the prescribed service standards and conditions imposed on us under these licenses and related laws may increase our costs, limit our operational flexibility or result in third-party claims. We are subject to numerous requirements and interpretations under various international, federal, state and local laws, rules and regulations, which are often quite detailed or unclear and are occasionally in conflict with each other. Accordingly, we cannot ensure we will always be in compliance with all these requirements at any particular time. Various governmental agencies, including state attorneys general with jurisdiction over our operations, have routinely in the past investigated our business practices either in response to customer complaints or on their own initiative, and are expected to continue to do the same in the future. Certain of these investigations have resulted in substantial fines in the past. On occasion, we have resolved such matters by entering into consent decrees, which are court orders that frequently restrict our future conduct. If breached by us, these consent decrees expose us not only to contractual remedies, but also to judicial enforcement via contempt of court proceedings, any of which could have material adverse consequences. Additionally, future investigations can potentially result in enforcement actions, litigation, fines, settlements or reputational harm, or could cause us to change our sales practices or operations. Our prior or current participation in certain of the FCC's buildout programs subjects us to certain financial risks. For example, if we are not in compliance with FCC measures by the end of the CAF II or RDOF programs, we could incur substantial penalties or forfeitures, including but not limited to being suspended or disbarred from future governmental programs or contracts, which could have a material adverse impact on our financial condition. From time to time, legislative or regulatory bodies create new subsidy programs designed to enhance the communications infrastructure in the U.S. (such as Congress's creation of a $65 billion broadband connectivity fund in 2021), which in the past have typically increased the number of companies offering competing products in certain of our markets. We provide products or services to various federal, state and local agencies. Our failure to comply with complex governmental regulations and laws applicable to these programs, or the terms of our governmental contracts, could result in us suffering substantial negative publicity or penalties, being suspended or debarred from future governmental programs or contracts for a significant period of time and, in certain instances, could lead to the revocation of our FCC licenses. Moreover, certain governmental agencies frequently reserve the right to terminate their contracts for convenience or if funding is unavailable. If our governmental contracts are terminated for any reason, or if we are suspended or debarred from governmental programs or contracts, it could have a material adverse impact on our results of operations and financial condition. A variety of state, national, foreign and international laws and regulations apply to the collection, use, retention, protection, security, disclosure, transfer and other processing of personal and other data. The European Union and other international regulators, as well as some state governments, have recently enacted or enhanced data privacy legal requirements, and other governments are considering establishing similar or stronger protections. Many of these laws are complex and change frequently and often conflict with the laws in other jurisdictions. Some of our customers impose similar requirements on us that are equally or more demanding. If we fail to comply with any of these governmental or contractual requirements, we could incur potential substantial penalties and reputational damage. For years, the laws governing our operations have been unsettled, which has impacted our ability to plan for the future. We expect regulatory uncertainty to increase following a 2024 U.S. Supreme Court decision reversing a prior ruling that required courts to defer to reasonable agency interpretations of ambiguous federal laws. New laws or court decisions could affect our services or expose us to burdensome requirements or liabilities. In particular, our business could be materially impacted if the U.S. Congress amends or eliminates current federal law limitations on the liability of private network providers, such as us, against claims related to third-party content stored or transmitted on private networks, as currently proposed by certain governmental officials, legislative leaders and consumer interest groups. We could also be materially affected if proposals to increase the regulation of internet service providers or to further strengthen data privacy laws are enacted or implemented. In addition, federal and state agencies that regulate the support program payments we receive or the fees that we charge for certain of our regulated services can, and from time to time do, reduce the amounts we receive or can charge. Finally, we expect that expanded regulation of 911 emergency services will increase our costs and exposure to fines for noncompliance. As a carrier of last resort for certain of our Mass Market customers, we could be required to provide services under circumstances that are economically disadvantageous or that divert resources from other business priorities.

There are several potentially material proceedings pending against us, including several derivative and class action suits. Results of these legal proceedings cannot be predicted with certainty. As of any given date we could have exposure to losses under proceedings in excess of our accrued liability. For each of these reasons, any of the proceedings described in Note 18-Commitments, Contingencies and Other Items, as well as current litigation not described therein or future litigation, could have a material adverse effect on our business, reputation, financial position, operating results, the trading price of our securities and our ability to access the capital markets. We can give you no assurances as to the ultimate impact of these matters on us.

Our reputation and brands could be impacted by our public environmental initiatives, including our environmental sustainability initiatives. These initiatives, goals, or targets could be difficult to achieve and costly to implement. To the extent that our required or voluntary disclosures about environmental initiatives increase, we could be criticized for their accuracy, adequacy, or completeness. We could fail to achieve, or be perceived to fail to achieve, our environmental-related initiatives, goals, or targets. Our actual or perceived failure to achieve our environmental-related initiatives, goals, targets, or to meet evolving stakeholder expectations or standards, could adversely impact us by resulting in legal or regulatory proceedings against us, customer or employee attrition, reputational damage, or other negative impacts on our business. Conversely, we may fail to attract or retain customers, vendors, employees or other stakeholders who are opposed to our environmental-related initiatives, or may face claims from stakeholders who believe such initiatives harmed them or us.

Each of our Business and Mass Market offerings faces increasingly intense competition from a wide range of sources under evolving market conditions that have increased the number and variety of companies that compete with us. Some of our current and potential competitors: (i) offer products or services that are substitutes for our traditional wireline services, including wireless broadband, wireless voice and non-voice communication services, (ii) offer a more comprehensive range of communications products and services, (iii) operate systems that are newer, more integrated or more advanced, which enable them to provision services faster and more efficiently, (iv) have greater financial, provisioning, technical, engineering, research, development, marketing, customer relations or other resources, (v) conduct operations or raise capital at a lower cost, (vi) are subject to less regulation, (vii) have stronger brand names, (viii) have deeper or more long-standing relationships with key customers, or (ix) have larger operations than ours, any of which may enable them to compete more successfully for customers, strategic partners and acquisitions. In recent years, competitive pressures have commoditized pricing for some of our products and services and lowered market prices for many of our other products and services. Continued competitive pressures will likely place further downward pressure on market pricing.