Model N (MODN) Risk Analysis

Our ability to increase revenues from existing customers and attract new customers depends in large part on our ability to enhance and improve our existing solutions and to develop and introduce new solutions. The success of any enhancement or new solutions depends on several factors, including timely completion, adequate quality testing, introduction and market acceptance. Any enhancement or new solutions that we develop or acquire may not be introduced in a timely or cost-effective manner, may contain defects or may not achieve the broad market acceptance necessary to generate significant revenues. If we are unable to successfully enhance our existing solutions and develop new solutions to meet customer requirements, our business and operating results will be adversely affected. Because we designed our solutions to operate on a variety of network, hardware and software platforms, we will need to continuously modify and enhance our solutions to keep pace with changes in networking, internet-related hardware, and software, communication, browser and database technologies. If we are unable to respond in a timely manner to these rapid technological developments in a cost-effective manner, our solutions may become less marketable and less competitive or obsolete and our operating results may be negatively impacted.

Our solutions are used by our customers to manage and store personally identifiable information, proprietary information and sensitive or confidential data relating to their business. Although we maintain security features in our solutions, our security measures may not detect or prevent hacker interceptions, phishing or break-ins, security breaches, the introduction of viruses or malicious code, such as "ransomware," attacks utilizing artificial intelligence and machine learning and other disruptions that may jeopardize the security of information stored in and transmitted by our solutions. Cyberattacks and other malicious Internet-based activity continue to increase generally and may be directed at either the solution used by our customers or our corporate information technology software and infrastructure. Because techniques used to obtain unauthorized access, exploit vulnerabilities or sabotage systems change frequently and generally are not identified until they are launched against a target, we may be unable to anticipate these techniques, patch vulnerabilities, or implement adequate preventative measures. Certain of our customers may have a greater sensitivity to security defects or breaches in our software than to defects in other, less critical, software solutions. Any actual or perceived security breach or theft of the business-critical data of one or more of our customers, regardless of whether the breach is attributable to the failure of our software or solutions, may adversely affect the market's perception of our solutions. Additionally, the SEC also adopted a new cybersecurity rule requiring companies subject to SEC reporting requirements to formally report material cyber security incidents, where failure to report may result in the SEC imposing injunctions, fines and other penalties. There can be no assurance that limitation of liability, indemnification or other protective provisions in our contracts would be applicable, enforceable or adequate in connection with a security breach, or would otherwise protect us from any such liabilities or damages with respect to any particular claim. We also cannot be sure that our existing general liability insurance coverage and coverage for errors or omissions, including cybersecurity incidents, will continue to be available on acceptable terms or will be available in sufficient amounts to cover one or more large claims, or that the insurer will not deny coverage as to any future claim. One or more large claims may be asserted against us that exceed our available insurance coverage, or changes in our insurance policies may occur, including premium increases or the imposition of large deductible or co-insurance requirements. Furthermore, a party that is able to circumvent our security measures or exploit any vulnerabilities in our solutions could misappropriate our or our customers' proprietary or confidential information, cause interruption in their operations, damage or misuse their computer systems, misuse any information that they misappropriate, cause early termination of our contracts, subject us to notification and indemnity obligations, litigation, and regulatory investigation or governmental sanctions, cause us to lose existing customers, and harm our ability to attract future customers. Any such breach could cause harm to our reputation, business, financial condition and results of operations, and we may incur significant liability, and as a result our business and financial position may be harmed.

The market for revenue management solutions is highly competitive, fragmented and subject to rapid changes in technology. We face competition from spreadsheet-assisted manual processes, internally developed solutions, large integrated systems vendors, providers of business process outsourcing services and smaller companies that offer point solutions. Companies lacking IT resources often resort to spreadsheet-assisted manual processes or personal database applications. In addition, some potential customers, particularly large enterprises, may elect to develop their own internal solutions, including custom-built solutions that are designed to support the needs of a single organization. Companies with large investments in packaged ERP or CRM applications, which do not typically provide revenue management capabilities, may extend these horizontal applications with configurations or point solution applications in order to address one or a small set of revenue management sub processes or drivers. Common horizontal applications that customers attempt to configure for this purpose in the life sciences and high tech industries include large integrated systems vendors like SAP SE and Oracle Corporation. We also encounter competition from small independent companies which compete based on price, unique product features or functions and custom developments. Many of our competitors have greater name recognition, larger sales and marketing budgets and greater resources than we do and may have pre-existing relationships with our potential customers, including relationships with, and access to, key decision makers within these organizations, and major distribution agreements with consultants and system integrators. Moreover, many software vendors could bundle solutions or offer them at a low price as part of a larger product sale. With the introduction of new technologies and market entrants, we expect competition to intensify in the future. We also expect enterprise software vendors that focus on enterprise resource planning or back-office applications to enter our market with competing products. In addition, we expect sales force automation vendors to acquire or develop additional solutions that may compete with our solutions. If we fail to compete effectively, our business will be harmed. In addition, pricing pressures and increased competition generally could result in reduced sales, reduced margins, losses or the failure of our solutions to achieve or maintain more widespread market acceptance, any of which could harm our business.

We believe that maintaining and enhancing the "Model N" brand identity is critical to our relationships with our customers and partners and to our ability to attract new customers and partners. The successful promotion of our brand will depend largely upon our marketing efforts, our ability to continue to offer high-quality solutions and our ability to successfully differentiate our solutions from those of our competitors. Our brand promotion activities may not be successful or yield increased revenues. In addition, independent industry analysts often provide reviews of our solution, as well as those of our competitors, and perception of our solution in the marketplace may be significantly influenced by these reviews. If these reviews are negative, or less positive as compared to those of our competitors' products and services, our brand may be adversely affected. Further, stockholder activism has been increasing in recent years. Any such activism or public criticism of our company or management team may harm our brand and reputation. The promotion of our brand requires us to make substantial expenditures, and we anticipate that the expenditures will increase as our market becomes more competitive and as we expand into new verticals within the life sciences and high tech industries. To the extent that these activities yield increased revenues, these revenues may not offset the increased expenses we incur. If we do not successfully maintain and enhance our brand, our business may not grow, we may have reduced pricing power relative to competitors with stronger brands and we could lose customers, partners, current employees and prospective employees, all of which would adversely affect our business operations and financial results.

Personal privacy and data security have become significant issues in the United States, Europe and in many other jurisdictions where we offer our solutions. The regulatory framework for privacy and security issues worldwide is rapidly evolving and is likely to remain uncertain for the foreseeable future, especially for cross-border data transfers involving personal data. For example, the Court of Justice of the European Union ("ECJ") ruled on July 16, 2020, the U.S.-E.U. Privacy Shield as an invalid mechanism for managing personal data transfers between the European Union ("E.U.") and the United States (and other countries). Shortly thereafter, the European Commission finalized new versions of the Standard Contractual Clauses, now in effect as of June 27, 2021, to provide a safeguard mechanism to manage personal data transfers to jurisdictions (such as the United States) that the European Commission does not recognize as not offering an adequate level of data protection. To comply with these new, or subsequently later modified, Standard Contractual Clauses, we may need to implement additional safeguards to further enhance the security of personal data transferred out of the European Economic Area ("EEA"), the United Kingdom, or Switzerland, which could increase our compliance costs, expose us to further regulatory scrutiny and liability, and adversely affect our business. We rely on a mixture of approved safeguard mechanisms (such as the Standard Contractual Clauses) to transfer personal data from our E.U. businesses to the U.S. and continue to evaluate what additional mechanisms may be required to establish adequate safeguards for cross-border personal data transfers. For example, due to the recent European Commission's July 10, 2023 adoption of an adequacy decision for the E.U.-U.S. Data Privacy Framework (a cooperative effort between U.S. and European officials to overcome the security issues raised by the E.U.-U.S. Privacy Shield regarding personal transfers from the E.U. to the United States), we have self-certified to comply with the E.U. – U.S. and the UK Extension to the E.U. – U.S. Data Privacy Framework as a mechanism to legally facilitate personal data transfers from the E.U. and the U.K. to the U.S. This new Data Privacy Framework could be subject to legal challenge in front of the ECJ. While we don't anticipate any immediate changes in our current operations, we will observe how legal challenges may shape this framework and how it may affect cross-border personal data flows between the E.U. and the U.S. and the U.K, which could prompt changes to our current operations. Internationally, many jurisdictions in which we operate have established their own data security and privacy legal framework with which we or our customers must comply, including but not limited to, the European General Data Protection Regulation (GDPR), which imposes additional obligations and risks upon our business. Notably, the U.K. implemented the Data Protection Act, effective May 2018 and statutorily amended in 2019, that contains provisions, including its own derogations, for how GDPR is applied in the U.K. These developments in the European Union could increase the risk of non-compliance and the costs of providing our products and services in a compliant manner. From the beginning of 2021 (when the transitional period following Brexit expired), we have to continue to comply with the GDPR and also the Data Protection Act, with each regime having the ability to fine up to the greater of €20 million (£17.5 million) or 4% of global turnover. The relationship between the U.K. and the E.U. remains uncertain, for example how data transfers between the U.K. and the E.U. and other jurisdictions will be treated and the role of the U.K.'s supervisory authority. For example, on June 28, 2021, the European Commission adopted the adequacy decision ("U.K. Adequacy Decision") in the wake of a non-binding vote by the European Parliament against the then-draft U.K. Adequacy Decision the month prior. Consequently, personal data can continue to flow from the EEA to the U.K. without the need for appropriate safeguards. The U.K. Adequacy Decision includes a "sunset clause", rendering the decision valid for four years only, after which it will be reviewed by the European Commission and renewed only if the European Commission considers that the U.K. continues to ensure an adequate level of data protection. The European Commission also stated that it would intervene at any point within the four years if the U.K. deviates from the level of protection presently in place. If this adequacy decision is reversed by the European Commission, it would require that companies implement protection measures such as the Standard Contractual Clauses for data transfers between the E.U. and the U.K. As described above, in October 2023, a U.K. extension to the E.U. – U.S. Data Privacy Framework (the U.K. – U.S. Data Bridge) was adopted enabling the transfer of personal data between the UK and U.S. entities without the need for additional safeguards, but this U.K. – U.S. Data Bridge will likely be subject to legal challenge and potentially invalidated. These changes could lead to additional costs as we try to ensure compliance with new privacy legislation and will increase our overall risk exposure. We have incurred substantial expense in complying with the obligations imposed by the GDPR and we may be required to make further significant changes in our business operations as regulatory guidance changes, all of which may adversely affect our revenue and our business overall. Despite our efforts to attempt to comply with the GDPR, a regulator may determine that we have not done so and subject us to fines and public censure, which could harm our company. Along with the factors describe above in Europe, federal, U.S. state or foreign government bodies or agencies have in the past, and may in the future, adopt laws and regulations affecting data privacy, and these laws may be interpreted and applied in a manner that is inconsistent with each other. This may include evolving and changing definitions of personal data and personal information within the European Union, the United States, and elsewhere, especially relating to classification of IP addresses, machine identification, location data, and other information that may limit or inhibit our ability to operate or expand our business, including limiting strategic partnerships that may involve the sharing of data. For example, the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), expanded the rights of California consumers and obligations of covered businesses to honor such rights. The CPRA requires covered businesses to, among other things, provide disclosures regarding the businesses' data collection and use practices, and affords Californians privacy rights such as the ability to opt-out of certain sales of personal information and expanded rights to access and require deletion of their personal information, opt out of certain personal information sharing, and receive detailed information about how their personal information is collected, used and shared. The CPRA provides for civil penalties for violations, as well as a private right of action for security breaches that may increase security breach litigation. Potential uncertainty surrounding new regulations promulgated by the California Privacy Protection Agency, the newly created agency under the CPRA charged with CCPA/CPRA rule-making and enforcement, may increase our compliance costs and potential liability, particularly in the event of a data breach, and could have a material adverse effect on our business, including how we use personal information, our financial condition, and the results of our operations or prospects. Following California's lead, several other states enacted privacy laws that took effect in 2023: the Colorado Privacy Act, the Connecticut Personal Data Privacy and Online Monitoring Act, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act. Additional state privacy laws have been enacted and are set to take effect between 2024 and 2026: the Florida Digital Bill of Rights (July 1, 2024), Oregon's protections for the personal data of consumer enacted through SB 619 (July 1, 2024), the Texas Data Privacy and Security Act (July 1, 2024), Montana's Consumer Data Privacy Act (October 1, 2024), the Delaware Personal Data Privacy Act (January 1, 2025), Iowa's Consumer Data Protection Act (January 1, 2025), the New Jersey Senate Bill 332 (January 15, 2025), the Tennessee Information Protection Act (July 1, 2025) and the Indiana Consumer Data Protection Act (January 1, 2026). Compliance with new privacy legislation adds complexity and may require investment in additional resources for compliance programs, thus potentially result in additional costs and expense of resources to maintain compliance. Industry organizations also regularly adopt and advocate for new standards in this area. In the United States, these include rules and regulations promulgated under the authority of federal agencies and state attorneys general and legislatures and consumer protection agencies. In many jurisdictions, enforcement actions and consequences for noncompliance are also rising. In addition to government regulation, privacy advocates and industry groups may propose new and different self-regulatory standards that either legally or contractually applies to us, or we may elect to comply with these standards under industry norms. Any inability to adequately address privacy and security concerns, even if unfounded, or comply with applicable privacy and data security laws, regulations and policies, could result in us being subject to audits, inquiries, whistleblower complaints, adverse media coverage, investigations, fines, penalties or severe sanctions, all of which may have a material and adverse impact on our business, operating results, reputation, and financial condition. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, and policies that are applicable to the businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our solutions. Privacy and data security concerns, whether valid or not valid, may inhibit market adoption of our solutions, particularly in foreign countries. If we are not able to adjust to changing laws, regulations and standards related to privacy or security, our business may be harmed. As mentioned, changing definitions of personal data and information may also limit or inhibit our ability to operate or expand our business, including limiting strategic partnerships that may involve the sharing of data. Also, some jurisdictions require that certain types of data be retained on servers within these jurisdictions. Our failure to comply with applicable laws, directives, and regulations may result in enforcement action against us, including fines, and damage to our reputation, any of which may have an adverse effect on our business and operating results.

Our operations and performance depend on global economic conditions. Challenging or uncertain economic conditions including those related to global epidemics, pandemics, or contagious diseases, geopolitical turmoil, and macroeconomic conditions, inflation, fluctuations in foreign exchange rates, instability in the global banking system, disruptions in supply chains and interest rates, make it difficult for our customers and potential customers to accurately forecast and plan future business activities and may cause our customers and potential customers to slow or reduce spending, or vary order frequency, on our solutions. Furthermore, during challenging or uncertain economic times, our customers may face difficulties gaining timely access to sufficient credit and experience decreasing cash flow, which could impact their willingness to make purchases and their ability to make timely payments to us. Global economic conditions have in the past and could continue to have an adverse effect on demand for our solutions, including new bookings and renewal and upsell rates, on our ability to predict future operating results and on our financial condition and operating results. If global economic conditions remain uncertain or deteriorate, it may materially impact our business, operating results and financial condition. Moreover, on March 10, 2023, Silicon Valley Bank ("SVB") was closed by the California Department of Financial Protection and Innovation and subsequently appointed the Federal Deposit Insurance Corporation ("FDIC") as receiver. Similarly, on March 12, 2023, Signature Bank and Silvergate Capital Corp. were each swept into receivership, and in May 2023, First Republic Bank was also closed and taken over by the FDIC. While the FDIC has taken steps to make whole all depositors of SVB, and other similarly situated banks, there is no assurance that similar guarantees will be made in the event of further bank closures and continued instability in the global banking system. If other banks and financial institutions enter receivership or become insolvent in the future in response to financial conditions affecting the banking system and financial markets, then our ability to obtain financing may be threatened, which could have a material adverse effect on our business and financial condition. Moreover, events such as the closure of SVB, in addition to other global macroeconomic conditions, may cause further turbulence and uncertainty in the capital markets.

We have significant international operations, including in emerging markets such as India, and we are continuing to expand our international operations as part of our growth strategy. As of September 30, 2023, approximately 47% of our total employees were located in India, where we conduct a portion of our development activities, implementation services and support services. Our current international operations and our plans to expand our international operations have placed, and will continue to place, a strain on our employees, management systems and other resources. Operating in international markets requires significant resources and management attention and will subject us to regulatory, economic and political risks and competition that are different from those in the United States. Because of our limited experience with international operations, we cannot assure you that our international expansion efforts will be successful or that returns on such investments will be achieved in the future. In addition, our international operations may fail to succeed due to other risks inherent in operating businesses internationally, including: - our lack of familiarity with commercial and social norms and customs in countries which may adversely affect our ability to recruit, retain and manage employees in these countries;- difficulties and costs associated with staffing and managing foreign operations;- the potential diversion of management's attention to oversee and direct operations that are geographically distant from our U.S. headquarters;- compliance with multiple, conflicting and changing governmental laws and regulations, including employment, tax, privacy and data protection laws and regulations;- legal systems in which our ability to enforce and protect our rights may be different or less effective than in the United States and in which the ultimate result of dispute resolution is more difficult to predict;- greater difficulty collecting accounts receivable and longer payment cycles;- higher employee costs and difficulty in terminating non-performing employees;- differences in workplace cultures;- unexpected changes in regulatory requirements;- the need to adapt our solutions for specific countries;- our ability to comply with differing technical and certification requirements outside the United States;- tariffs, export controls and other non-tariff barriers such as quotas and local content rules;- more limited protection for intellectual property rights in some countries;- adverse tax consequences, including as a result of transfer pricing adjustments involving our foreign operations;- fluctuations in currency exchange rates;- anti-bribery compliance by us or our partners;- restrictions on the transfer of funds;- global epidemics, pandemics, or contagious diseases;- general macroeconomic conditions, including rising interest rates and inflation, slower growth or recession, instability in the global banking system;- geopolitical turmoil, such as the wars in Ukraine and Israel; and - new and different sources of competition. Our failure to manage any of these risks successfully could harm our existing and future international operations and seriously impair our overall business.

Our corporate headquarters and facilities are located near known earthquake fault zones and are vulnerable to significant damage from earthquakes. The corporate headquarters and facilities are also vulnerable to damage or interruption from human error, intentional bad acts, earthquakes, hurricanes, floods, fires, global epidemics, pandemics, or contagious diseases, war, terrorist attacks, power losses, hardware failures, systems failures, telecommunications failures and similar events. The occurrence of a natural disaster or an act of terrorism or vandalism or other misconduct or other unanticipated problems with our facilities could result in lengthy interruptions to our services. If any disaster were to occur, our ability to operate our business at our facilities could be seriously or completely impaired or destroyed. The insurance we maintain may not be adequate to cover our losses resulting from disasters or other business interruptions.

Our sales contracts are primarily denominated in U.S. dollars, and therefore, substantially all of our revenues are not subject to foreign currency risk. However, the continued strengthening of the U.S. dollar could increase the real cost of our solutions to our customers outside of the United States, which could adversely affect our financial condition and operating results. In addition, an increasing portion of our operating expenses are incurred in India, are denominated in Indian rupees and are subject to fluctuations due to changes in foreign currency exchange rates. While we recently began using foreign exchange forward contracts to hedge certain cash flow exposures resulting from changes in foreign currency exchange rates, this hedging strategy may not ultimately be effective and may adversely affect our financial condition and operating results.