Microstrategy (MSTR) Risk Factors

We periodically receive notices from third parties claiming we are infringing their intellectual property rights. The frequency of such claims may increase as we expand our offerings and branding, the number of offerings and level of competition in our industry grow, the functionality of offerings overlaps, and the volume of issued patents, patent applications, and copyright and trademark registrations continues to increase. Responding to any infringement claim, regardless of its validity, could: - be time-consuming, costly, and/or result in litigation;- divert management's time and attention from developing our business;- require us to pay monetary damages or enter into royalty or licensing agreements that we would normally find unacceptable;- require us to stop selling certain of our offerings;- require us to redesign certain of our offerings using alternative non-infringing technology or practices, which could require significant effort and expense;- require us to rename certain of our offerings or entities; or - require us to satisfy indemnification obligations to our customers or channel partners. Additionally, while we monitor our use of third-party software, including open-source software, our processes for controlling such use in our offerings may not be effective. If we fail to comply with the terms or conditions associated with third-party software that we use, if we inadvertently embed certain types of third-party software into one or more of our offerings, or if third-party software that we license is found to infringe the intellectual property rights of others, we could become subject to infringement liability and be required to re-engineer our offerings, discontinue the sale of our offerings, or make available to certain third parties or generally available, in source code form, our proprietary code, any of which could materially adversely affect our business, operating results, and financial condition. If a successful infringement claim is made against us and we fail to develop or license a substitute technology or brand name, as applicable, our business, results of operations, financial condition, or cash flows could be materially adversely affected.

We hold our bitcoin with regulated custodians that have duties to safeguard our private keys. Our custodial services contracts do not restrict our ability to reallocate our bitcoin among our custodians, and our bitcoin holdings may be concentrated with a single custodian from time to time. In light of the significant amount of bitcoin we hold, we continually seek to engage additional custodians to achieve a greater degree of diversification in the custody of our bitcoin as the extent of potential risk of loss is dependent, in part, on the degree of diversification. If there is a decrease in the availability of digital asset custodians that we believe can safely custody our bitcoin, for example, due to regulatory developments or enforcement actions that cause custodians to discontinue or limit their services in the United States, we may need to enter into agreements that are less favorable than our current agreements or take other measures to custody our bitcoin, and our ability to seek a greater degree of diversification in the use of custodial services would be materially adversely affected. As of December 31, 2023, the insurance that covers losses of our bitcoin holdings covers only a small fraction of the value of the entirety of our bitcoin holdings, and there can be no guarantee that such insurance will be maintained as part of the custodial services we have or that such coverage will cover losses with respect to our bitcoin. Moreover, our use of custodians exposes us to the risk that the bitcoin our custodians hold on our behalf could be subject to insolvency proceedings and we could be treated as a general unsecured creditor of the custodian, inhibiting our ability to exercise ownership rights with respect to such bitcoin. Any loss associated with such insolvency proceedings is unlikely to be covered by any insurance coverage we maintain related to our bitcoin. Bitcoin is controllable only by the possessor of both the unique public key and private key(s) relating to the local or online digital wallet in which the bitcoin is held. While the Bitcoin blockchain ledger requires a public key relating to a digital wallet to be published when used in a transaction, private keys must be safeguarded and kept private in order to prevent a third party from accessing the bitcoin held in such wallet. To the extent the private key(s) for a digital wallet are lost, destroyed, or otherwise compromised and no backup of the private key(s) is accessible, neither we nor our custodians will be able to access the bitcoin held in the related digital wallet. Furthermore, we cannot provide assurance that our digital wallets, nor the digital wallets of our custodians held on our behalf, will not be compromised as a result of a cyberattack. The bitcoin and blockchain ledger, as well as other digital assets and blockchain technologies, have been, and may in the future be, subject to security breaches, cyberattacks, or other malicious activities.

Despite extensive testing by us and our current and potential customers, we have in the past discovered software errors, bugs, or security vulnerabilities (including the log4j and SpringShell vulnerabilities which surfaced in December 2021 and March 2022, respectively, and affected companies worldwide) in our offerings after commercial shipments began and they may be found in future offerings or releases. This could result in lost revenue, damage to our reputation, or delays in market acceptance, which could have a material adverse effect on our business, operating results, and financial condition. We may also need to expend resources and capital to correct these defects if they occur. Our customer agreements typically contain provisions designed to limit our exposure to product liability, warranty, and other claims. It is possible these provisions are unenforceable in certain domestic or international jurisdictions, and we may be exposed to such claims. A successful claim against us could have a material adverse effect on our business, operating results, and financial condition.

Aspects of our business involve collecting, processing, disclosing, storing, and transmitting personal data, which are subject to certain privacy policies, contractual obligations, and U.S. and foreign laws, regulations, and directives relating to privacy and data protection. We store a substantial amount of customer and employee data, including personal data, on our networks and other systems and the cloud environments we manage. In addition, the types of data subject to protection as personal data in the European Union, China, the United States, and elsewhere have been expanding. In recent years, the collection and use of personal data by companies have come under increased regulatory and public scrutiny, especially in relation to the collection and processing of sensitive data, such as healthcare, biometric, genetic, financial services, and children's data, precise location data, and data regarding a person's race or ethnic origins, political opinions, or religious beliefs. For example, in the United States, protected health information is subject to HIPAA, which can provide for civil and criminal penalties for noncompliance. Entities (such as us) that engage in creating, receiving, maintaining, or transmitting protected health information provided by covered entities and other business associates are subject to enforcement under HIPAA. Our access to protected health information triggers obligations to comply with certain privacy rules and data security requirements under HIPAA. In addition to potential enforcement by the United States Department of Health and Human Services for potential HIPAA violations, we are also potentially subject to privacy enforcement from the FTC. The FTC has been particularly focused on certain activities related to the processing of sensitive data, including the unpermitted processing of health and genetic data through its recent enforcement actions and is expanding the types of privacy violations that it interprets to be "unfair" under Section 5 of the FTC Act, as well as the types of activities it views to trigger the Health Breach Notification Rule (which the FTC also has the authority to enforce). The agency is also in the process of developing rules related to commercial surveillance and data security that may impact our business. We will need to account for the FTC's evolving rules and guidance for proper privacy and data security practices in order to mitigate our risk for a potential enforcement action, which may be costly. If we are subject to a potential FTC enforcement action, we may be subject to a settlement order that requires us to adhere to very specific privacy and data security practices, which may impact our business. We may also be required to pay fines as part of a settlement (depending on the nature of the alleged violations). If we violate any consent order that we reach with the FTC, we may be subject to additional fines and compliance requirements. We face risks of similar enforcement from State Attorneys General and, potentially, other regulatory agencies. Any systems failure or security breach that results in the release of, or unauthorized access to, personal data, or any failure or perceived failure by us or our third-party service providers to comply with applicable privacy policies, contractual obligations, or any applicable laws or regulations relating to privacy or data protection, could result in proceedings against us by domestic or foreign government entities or others, including private plaintiffs in litigation. Such proceedings could result in the imposition of sanctions, fines, penalties, liabilities, government orders, and/or orders requiring that we change our data practices, any of which could have a material adverse effect on our business, operating results, reputation, and financial condition. Various U.S. and foreign government bodies may enact new or additional laws or regulations, or issue rulings that invalidate prior laws or regulations, concerning privacy, data storage, data protection, and cross-border transfer of data that could materially adversely impact our business. In the European Union, GDPR took effect in May 2018. GDPR establishes requirements regarding the handling and security of personal data, requires disclosure of data breaches to individuals, customers, and data protection authorities in certain circumstances, requires companies to honor data subjects' requests relating to their personal data, permits regulators to impose fines of up to €20,000,000 or 4% of global annual revenue, whichever is higher, and establishes a private right of action. Furthermore, a new ePrivacy Regulation, regulating electronic communications, was proposed in 2017 and is under consideration by the European Commission, the European Parliament, and the European Council. In July 2020, the CJEU invalidated the U.S.-EU Privacy Shield, which provided a mechanism to lawfully transfer personal data from the European Union to the United States and certain other countries. In the wake of the invalidation of the U.S.-EU Privacy Shield, we transitioned to reliance on SCCs to lawfully transfer certain personal data from the European Union to the United States. The CJEU decision also drew into question the long-term viability of the SCCs for transfers of personal data from the EU and European Economic Area to the U.S. As a result, in October 2022, President Biden signed an executive order to implement the EU-U.S. Data Privacy Framework, which would serve as a replacement to the EU-U.S. Privacy Shield. The European Union initiated the process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework in December 2022 and the European Commission adopted the adequacy decision on July 10, 2023. The adequacy decision will permit U.S. companies who self-certify to the EU-U.S. Data Privacy Framework to rely on it as a valid data transfer mechanism for data transfers from the EU to the U.S. and will also provide support for the use of standard contractual clauses. However, some privacy advocacy groups have already suggested that they will be challenging the EU-U.S. Data Privacy Framework. If these challenges are successful, they may not only impact the EU-U.S. Data Privacy Framework, but they may also further limit the viability of the standard contractual clauses and other data transfer mechanisms. The uncertainty around this issue has the potential to impact our business internationally. Because the rules involving this data transfer mechanism are also undergoing revision and this transfer mechanism may also be declared invalid (or require us to change our business practices) in the future, these developments may require us to provide an alternative means of data transfer. In addition, the required terms for contracts containing SCCs along with recommended supplemental provisions are changing and may require us to assume additional obligations, otherwise inhibit or restrict our ability to undertake certain activities, or incur additional costs related to data protection. In addition, in June 2021, the EDPB issued the EDPB Recommendations. The new SCCs were required to be in place for new transfers of personal data as of September 27, 2021 and to replace those being used for existing transfers of personal data by December 27, 2022. The new SCCs place obligations on us in relation to government authorities' access requests in respect of personal data transferred under the SCCs, and other obligations to bring the SCCs in line with the requirements of the GDPR. The EDPB Recommendations are designed to be read in tandem with the new SCCs and set out new requirements for organizations to assess third countries and identify appropriate supplementary data protection and security measures to be implemented on a case-by-case basis where needed. Moreover, due to Brexit, the SCCs issued by the European Commission are no longer automatically adopted in the United Kingdom post-Brexit. In response, the UK's Information Commissioner's Office ("ICO") published a template Addendum to the new EU SCCS which adapts the new EU SCCs for UK use. In the alternative, the ICO also published the international data transfer agreement ("IDTA"). The IDTA replaces the current set of SCCs being used in the UK. The UK SCCs Addendum and IDTA, after having been put before UK parliament, have been in force as of March 2022 and UK-based organizations were required to start using the UK IDTA or Addendum for new data transfer arrangements starting in September 2022. The UK and the U.S. also agreed to a U.S.-UK "data bridge," which went into effect on October 12, 2023. This functions similarly to the EU-U.S. Data Privacy Framework and provides an additional legal mechanism for companies to transfer data from the UK to the U.S. The rules involving these alternative SCC data transfer options are continually undergoing revision and these transfer mechanisms may also be declared invalid (or require us to change our business practices) in the future, requiring us to provide an alternative means of data transfer or implement significant changes in our data security and protection practices. In addition, the required terms for contracts containing SCCs along with recommended supplemental provisions are changing and may require us to assume additional obligations, otherwise inhibit or restrict our ability to undertake certain activities, or incur additional costs related to data protection. Similar requirements are also coming into force in other countries. Brazil enacted the Brazilian General Data Protection Law, which became effective in August 2020 and imposes requirements largely similar to GDPR on products and services offered to users in Brazil. In China, we may also be subject to the Cybersecurity Law that went into effect in June 2017 and the revision of the Personal Information Security Specification that went into effect in October 2020, which have broad but uncertain application and impose a number of new privacy and data security obligations. China also adopted new legislation on the protection of privacy and personal data in November 2021, including the PIPL and Data Security Law that impose new data processing obligations on us. Under these new regulations, if an entity operating in China violates the law, regulators may order it to take corrective actions, issue warnings, confiscate illegal income, suspend services, revoke operating permits or business licenses, or issue a fine. The fine can be up to ¥50 million or 5 percent of an organization's annual revenue for the prior financial year. Further, in connection with cross-border transfer of personal information under the PIPL in China, China regulators published the Draft Rules on Standard Contracts Regarding Export of Personal Information and, under the PIPL, the adoption of standard contractual clauses between the data controller (the entity which transfers personal information to a location outside the PRC) and the offshore recipient is required to lawfully facilitate the offshore transfer of personal information from China. These requirements apply to companies operating in China and seeking to transfer personal data outside of China and organizations which do not satisfy these conditions may be required to satisfy additional regulatory requirements and/or be subject to penalties or fines. Other countries are considering new or expanded laws governing privacy and data security that may impact our business practices. These developments, including in Brazil and China, may impact our activities with our customers, other MicroStrategy entities and vendors, and require us to take additional and appropriate steps in light of data transfers between the U.S. and the EU (and the UK), as well as transfers and onward transfers of personal data from the EU to other non-EU countries. State privacy laws in the United States also may impact our business operations. The state of California has adopted a comprehensive privacy law, the CCPA, which took effect in January 2020 and became enforceable in July 2020. We have been required to devote substantial resources to implement and maintain compliance with the CCPA, and noncompliance could result in regulatory investigations and fines or private litigation. Moreover, in November 2020, California voters approved a privacy law, the CPRA, which amends the CCPA to create additional privacy rights and obligations in California, and went into effect on January 1, 2023. Numerous other states have passed laws similar to the CCPA, which will go into effect in 2023 and beyond. More states may follow. These laws may impose additional costs and obligations on us. Similarly, in March 2022, the U.S. federal government also passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which will require companies deemed to be part of U.S. critical infrastructure to report any substantial cybersecurity incidents or ransom payments to the federal government within 72 and 24 hours, respectively. The implementing regulations are not expected for another two-to-three years. The Securities and Exchange Commission also has issued new regulations related to cybersecurity that may require additional reporting and other compliance obligations, as well as creating additional risks related to public notifications concerning cyber incidents. Furthermore, the U.S. Congress is considering comprehensive privacy legislation. At this time, it is unclear whether Congress will pass such a law and if so, when and what it will require and prohibit. Moreover, it is not clear whether any such legislation would give the FTC any new authority to impose civil penalties for violations of the Federal Trade Commission Act in the first instance, whether Congress will grant the FTC rulemaking authority over privacy and information security, or whether Congress will vest some or all privacy and data security regulatory authority and enforcement power in a new agency, akin to EU data protection authorities. Complying with these and other changing requirements could cause us or our customers to incur substantial costs or pay substantial fines or penalties, require us to change our business practices, require us to take on more onerous obligations in our contracts, or limit our ability to provide certain offerings in certain jurisdictions, any of which could materially adversely affect our business and operating results. New laws or regulations restricting or limiting the collection or use of mobile data could also reduce demand for certain of our offerings or require changes to our business practices, which could materially adversely affect our business and operating results.

Our customers include the U.S. government, state and local governments and government agencies. There are a variety of risks in doing business with government entities, including: Procurement. Contracting with public sector customers is highly competitive and can be time-consuming and expensive, requiring us to incur significant up-front time and expense without any assurance that we will win a contract. Further, even if we win a contract, it may be placed on hold, or reversed, due to a post-award protest. Budgetary Constraints and Cycles. Public sector funding reductions or delays adversely impact demand and payment for our offerings. Termination of Contracts. Public sector customers often have contractual or other legal rights to terminate contracts for convenience or due to a default. If a contract is terminated for the customer's convenience, we may only be able to collect fees for software or services delivered prior to termination and settlement expenses. If a contract is terminated due to our default, we may not recover even those amounts, and we may be liable for excess costs incurred by the customer for procuring alternative software or services. Compliance with Government Contracting Requirements. Government contractors are required to comply with a variety of complex laws, regulations, and contractual provisions relating to the formation, administration, or performance of government contracts that give public sector customers substantial rights and remedies, many of which are not typical for commercial contracts. These may include rights regarding price protection, the accuracy of information provided to the government, contractor compliance with socio-economic policies, and other terms unique to government contracts. Governments and government agencies routinely investigate and audit contractors for compliance with these requirements. If, as a result of an audit or review, it is determined that we have failed to comply with these requirements, we may be subject to civil and criminal penalties or administrative sanctions, including contract termination, forfeiture of profits, fines, treble damages, and suspensions or debarment from future government business and we may suffer harm to our reputation. Our customers also include foreign governments and government agencies. Similar procurement, budgetary, contract, and audit risks also apply to these entities. In addition, compliance with complex regulations and contracting provisions in a variety of jurisdictions can be expensive and consume significant management resources. In certain jurisdictions, our ability to win business may be constrained by political and other factors unrelated to our competitive position in the market. Each of these difficulties could materially adversely affect our business and results of operations.