Lumen Technologies (LUMN) Risk Analysis

As a critical infrastructure provider, our operations rely heavily on a broad range of hardware, software, networks and other products and services that are owned and managed by us or by third parties, including systems used to transmit and store large volumes of sensitive data (collectively, "IT systems"). We and our third-party partners and customers are frequent targets of increasingly sophisticated cyber-attacks, including distributed denial-of-service, ransomware, malware, viruses, credential harvesting, man-in-the-middle, software vulnerability exploitation, and social engineering. Our efforts to implement sound information security and business continuity programs cannot ensure the integrity of our systems and successful attacks could materially disrupt operations, compromise data, damage our reputation, trigger regulatory investigations or litigation, or result in significant costs. We have acquired and will continue to acquire companies that may have cybersecurity vulnerabilities or unsophisticated controls, which exposes us to significant risk. We and certain of our third-party providers have previously experienced cyberattacks and security incidents. Future attacks could have a material adverse effect on our business, operations, or financial results. As further described in Item 1C "Cybersecurity" of this annual report, cyber-attacks originate from multiple sources and manifest in diverse ways, potentially exposing personally identifiable information, customer data, or protected health information, subjecting us to stringent domestic and foreign data protection laws. These threats may also arise from failure or intrusions of unaffiliated third-party systems on which we materially rely to operate our business. Risks are heightened by factors such as: - our storage of digital information on Internet-connected servers;- use of open and software-defined networks;- complexity of our global network infrastructure, including harder-to-secure legacy systems;- rising demand for data services;- increasing customer scale and complexity of service requirements;- our large remote workforce;- our IT support obligations tied to divested businesses; and - escalating sophistication of threat actors. Consequences of a successful attack could include operational disruption, data loss or exposure, regulatory penalties, reputational harm, customer attrition, service credits or costly retention incentives, costly remediation, litigation, and loss of certifications. Any of these outcomes could require us to notify customers, regulatory agencies or the public of data incidents and have a material adverse impact on our business, operations, or financial results. Our role in global internet traffic makes us a continuing target for advanced persistent threats, including nation-state actors and other sophisticated threat actors. Risks are amplified by AI-driven attacks, widely available evasion and anti-forensic tools that make it increasingly challenging to detect, respond to, and recover from cyber attacks. Escalating geopolitical tensions and rivalries increase the likelihood of state-sponsored cyber-attacks against us. No defenses can guarantee prevention. Consequently, we expect to experience cyber incidents in the future. While past incidents have not had a material adverse effect on our business strategy, results of operations, or financial condition, we cannot guarantee that material incidents will not occur in the future. We continue to take steps designed to limit our cyber risks, and although we maintain cyber insurance, coverage may be limited by deductibles, exclusions, and caps, and may not fully offset losses. Moreover, as a contractor to the Department of Defense ("DoD"), we are contractually required to protect "controlled unclassified information" and comply with the DoD's cybersecurity requirements, including the security controls specified in the National Institute of Standards and Technology Special Publication 800-171 ("NIST SP 800-171"). The DoD has also begun phased implementation of the Cybersecurity Maturity Model Certification ("CMMC") into its contracts. CMMC incorporates the requirements of NIST SP 800-171 and will require all contractors to, depending on the level of security required, perform a self-assessment or receive specific third-party certifications. If we are unable to protect controlled unclassified information or to achieve or maintain the required CMMC level, we may be deemed ineligible to bid on or perform certain government contracts. Noncompliance could also result in contract termination, reduced revenue, reputational harm, and increased costs associated with remediation and reassessment, any of which could materially harm our business.

As explained in greater detail elsewhere in this annual report, we are subject to numerous, often complex and occasionally conflicting laws and regulations at the international, federal, state, and local levels. We cannot assure that we will successfully obtain or maintain all authorization licenses necessary to operate in our markets, and full compliance cannot be guaranteed at all times. Even when authorizations are secured, the service standards and conditions imposed under these authorizations and related laws may increase costs, restrict operational flexibility, or expose us to third-party claims. Governmental agencies, including state attorneys general, have routinely investigated our business practices in the past and are expected to continue doing so. These investigations have resulted in substantial fines and, in some cases, consent decrees that restrict future conduct and carry judicial enforcement risks. Breaching a consent decree could subject us to contractual remedies and contempt of court proceedings, any of which could have material adverse consequences. Future investigations could lead to litigation, penalties, operational changes, or reputational harm. Our former or current participation in FCC buildout programs, such as RDOF, exposes us to significant financial risk. Noncompliance could result in significant penalties, forfeitures, or disqualification from future programs, materially affecting our financial condition. New subsidy programs, such as the $65 billion broadband fund established in 2021, may also increase competition in certain markets. We provide services to various federal, state and local agencies. Failure to comply with complex regulations, laws, or contractual terms could result in penalties, negative publicity, suspension or debarment from future programs, or revocation of FCC licenses. Government agencies reserve the right to terminate contracts for convenience or lack of funding, which could materially impact our results of operations. We are subject to numerous data privacy and security laws, including recently enacted or strengthened requirements in the EU and certain U.S. states. These laws are complex, frequently change, and often conflict across jurisdictions. Customers may impose additional requirements. Noncompliance could result in substantial penalties and reputational damage. Due to the nature of our operations, we have been, and expect to continue to be impacted by regulatory developments related to climate change, including, for example, the direct regulation of greenhouse gas emissions or carbon policies that could result in a tax on such emissions. In addition, policy-driven changes in the prices of fuel or energy in geographies in which we operate could make it more expensive for us to purchase energy to power our networks and data centers. Laws governing our operations have long been unsettled, limiting our ability to plan effectively. Regulatory uncertainty has increased following a 2024 U.S. Supreme Court decision eliminating judicial deference to agency interpretations of ambiguous federal laws. Future legislation or court rulings could impose burdensome requirements or liabilities. For example, our business could be materially impacted if U.S. Congress amends or repeals current federal limitations on the liability of private network providers, such as us, for third-party content stored or transmitted on private networks, as proposed by certain officials and consumer groups. We could also be significantly affected by initiatives to expand regulation of internet service providers or strengthen data privacy laws. Additionally, federal and state agencies that regulate support program payments and service fees may reduce the amounts we receive or can charge. Expanded regulation of 911 services is expected to increase costs and potential fines. Finally, as a carrier of last resort for certain Mass Market customers, we may be required to provide services under economically disadvantageous conditions, diverting resources from other business priorities.

Our international operations are subject to a wide range of U.S. and non-U.S. laws, regulations, treaties, tariffs, and governing our operations in international jurisdictions, either directly or indirectly through our contractual arrangements with other carriers. Many of these laws or directives are complex, frequently change, and may conflict across jurisdictions in which we provide services. These requirements could materially restrict our ability to provide services internationally or expose us to penalties, license revocations, or contract terminations if violated. In addition, increases in U.S. tariffs could result in additional costs that we may not recover from customers. Beyond regulatory risks, conducting business internationally involves other challenges, including: economic, social and political instability, with the attendant risks of terrorism, kidnapping, extortion, civic unrest, potential seizure or nationalization of assets; currency and exchange controls, repatriation restrictions and fluctuations in currency exchange rates, problems collecting accounts receivable; the difficulty or inability in certain jurisdictions to enforce contract or intellectual property rights; reliance on certain third parties with whom we lack extensive experience; supply chain challenges; and challenges in securing and maintaining the necessary physical and telecommunications infrastructure. Any of these factors could materially adversely affect our operations and financial condition.

Many of our domestic facilities are located in regions susceptible to severe weather and natural disasters, including tropical storms, hurricanes, tornadoes, earthquakes, floods, wildfires, or other casualty events. These events have disrupted operations in the past and may occur again, potentially causing significant damage such as downed transmission lines, flooded facilities, power outages, fuel shortages, network delays or failures, property and equipment loss, and business interruptions. Due to substantial deductibles, coverage limits and exclusions, and limited availability, we have typically recovered only a portion of our losses through insurance. Our system redundancy and other measures we implement to protect infrastructure and maintain operations may prove inadequate to sustain our operations following such events. Any such occurrence could result in lost revenue, litigation risks, reputational harm, and reduced profitability. In addition, climate change may increase the frequency or severity of these events, heightening our exposure to operational disruptions and supply chain risks. Climate change could also require increased investment in network resilience and lead to additional regulatory requirements that may adversely affect our operations or financial results.

Changes in U.S. or foreign government policies may result in modifications to existing trade agreements, the imposition of new tariffs, or significant increases in existing tariffs on goods imported into the U.S., as well as retaliatory measures by foreign governments. The U.S. presidential administration has implemented or increased tariffs and signaled its intent to impose additional tariffs, but future actions by U.S. or foreign governments remain uncertain. A trade war or other governmental actions related to tariffs or trade agreements, as well as changes in social, political, regulatory, or economic conditions or laws governing foreign trade, manufacturing, development, and investment in countries where we operate, could negatively impact our business. In addition, any resulting negative sentiment toward the U.S. could further harm our operations, financial condition, or results of operations.

Our operations, financial performance, and liquidity rely significantly on key suppliers, vendors, licensors, customers, and other third parties. Disruptions or terminations of these relationships could have a material adverse effect on our business, financial condition, or results of operations. Reliance on other communications providers: To deliver certain services within certain markets, we purchase services, lease network capacity, or interconnect with infrastructure owned by other communications carriers or cloud companies, some of which compete with us. These arrangements limit our control over service availability, delivery, and quality. We face risks that these providers may decline to renew agreements, impose unfavorable terms, or experience financial distress, including bankruptcy, that could impair ability to provide services. These risks are heightened when contracting with competitors, who may terminate agreements, increase prices, or prioritize their own traffic. In addition, some communications providers rely on our network to transmit their data or voice traffic. If these companies shift all or part of this traffic to alternative networks they own, build, or lease, our revenue could decline. For example, certain hyperscaler customers have developed infrastructure that has reduced their reliance on our network. Reliance on key suppliers and vendors: We rely on a limited number of suppliers and vendors for critical equipment and services, including fiber optic cable, software, optronics, transmission electronics, digital switches, routing equipment, customer premise equipment and components, and operational support to assist with operating, maintaining and administering our business, including billing, security, provisioning and general operations. Our business could be adversely affected if these parties fail to deliver products or services on acceptable terms due to operational disruptions, increased pricing, security incidents, litigation, financial distress, bankruptcy, or strategic changes. Reliance on key licensors: We license essential technologies from third parties to deliver certain products and services. These agreements may expire or be terminated, and future licenses may not be available on acceptable terms or at all. If a licensor faces intellectual property disputes or other challenges, our ability to use licensed technology could be impaired. Incorporating licensed technology into our network may also limit flexibility to deploy different technologies from alternative licensors. Reliance on key customer contracts. We maintain several complex, high-value contracts with national and global customers. These contracts are subject to factors that may reduce or eliminate profitability. Failure to renew significant contracts upon expiration would adversely affect our results. Reliance on landowners: We require rights-of-way, colocation agreements, franchises, licenses, and other authorizations from governmental bodies, railway companies, utilities, carriers, and other third-party landowners to locate a portion of our network equipment over, on or under their respective properties, or to conduct operations within their jurisdictions. Many of these authorizations will expire within the next five to ten years unless renewed. Our operations could be adversely affected if authorizations lapse, are cancelled, terminated, allowed to expire, or become subject to material price increases. Network expansion may also be delayed if we cannot secure necessary permits or approvals. We cannot assure successful renewal or replacement of these arrangements.

Our Lumen and other brand names, together with our corporate reputation, are critical assets that support our ability to attract and retain customers and employees. These assets are vulnerable to significant harm from events such as customer or competitor disputes, cyber-attacks, service outages, data breaches, internal control deficiencies, performance failures, compliance violations, employee misconduct, government investigations, or litigation. Similar incidents involving competitors could also generate negative publicity for the entire industry, indirectly impacting our business. Our reputation may further be impaired by criticism from customers, vendors, employees, advocacy groups, regulators, investors, the media, social media influencers, or others regarding our services, operations, or public positions. For example, unfavorable trends in customer experience scores - such as Net Promoter Score ("NPS") or Customer Health Score ("CHS") - relative to competitors could adversely affect us. Additionally, the risk of reputational harm associated with unauthorized disclosure of confidential information or customer data may increase if employees misuse social networking platforms or emerging technologies, including generative AI tools. Negative or inaccurate information about Lumen, even if based on rumor or misunderstanding, could also cause reputational harm. Damage to our reputation or brands may be difficult, costly, and time-consuming to remediate. Any such harm could diminish the value and effectiveness of our brands, reduce investor confidence, and erode customer and employee loyalty, ultimately having a material adverse impact on the value of our securities.