Paycor HCM (PYCR) Risk Factors

The market for our solutions is characterized by rapid technological advancements, changes in customer requirements, frequent new product introductions and enhancements, and changing industry standards. The life cycles of our products are difficult to estimate. Rapid technological changes and the introduction of new products and enhancements by new or existing competitors could undermine our current market position. Our success depends in substantial part on our continuing ability to provide products and services that SMBs will find superior to our competitors' product offerings and will continue to use. Our future success will depend upon our ability to anticipate and to adapt to changes in technology and industry standards, and to effectively develop, to introduce, to market, and to gain broad acceptance of new product and service enhancements incorporating the latest technological advancements. In addition, because our solutions are designed to operate on a variety of systems, we will need to continuously modify and enhance our solutions to keep pace with changes in internet-related hardware, iOS, Android, and other software, and communication, browser, and database technologies. Additionally, we believe that providing insights from aggregated data, including those insights derived from advanced artificial intelligence ("AI") and machine learning, may become increasingly important to the value that our solutions and services deliver to our customers. We intend to continue to invest significant resources in research and development to enhance our existing products and services and introduce new high-quality products that customers will want. If we are unable to predict user preferences or industry changes, or if we are unable to modify our products and services on a timely basis or to effectively bring new products to market, our sales may suffer. In addition, investment in product development often involves a long return on investment cycle. We have made and expect to continue to make significant investments in product development. We may expend significant time and resources developing and pursuing sales of a particular enhancement or application that may not result in revenues in the anticipated time frame or at all, or may not result in revenue growth sufficient to offset increased expenses. Furthermore, uncertainties about the timing and nature of new functionality, or new functionality to existing platforms or technologies, could increase our research and development expenses. Any failure of our applications to operate effectively with future network platforms and technologies could reduce the demand for our applications, result in customer dissatisfaction, and have a material adverse effect on our business, financial condition, and results of operations. In addition, we may experience difficulties with software development, industry standards, design, or marketing that could delay or prevent our development, introduction or implementation of new solutions and enhancements. The introduction of new solutions by competitors, the emergence of new industry standards, or the development of entirely new technologies to replace existing product offerings could render our existing or future solutions obsolete. We may not have sufficient resources to make the necessary investments in software development and we may experience difficulties that could delay or prevent the successful development, introduction, or marketing of new products or enhancements. In addition, our products or enhancements may not meet the increasingly complex customer requirements of the marketplace or achieve market acceptance at the rate we expect, or at all. Any failure by us to anticipate or respond adequately to technological advancements, customer requirements, and changing industry standards, or any significant delays in the development, introduction, or availability of new products or enhancements, could undermine our current market position.

Our solutions involve the collection, processing, storage, use, disclosure, and transmission of customers' and their employees' confidential and proprietary information, including personal data, as well as financial and payroll data. We rely on the efficient and uninterrupted operation of complex information technology systems and networks to operate our business. Attempts by others to gain unauthorized access to information technology systems and the data contained therein are becoming increasingly sophisticated and difficult to prevent. In particular, HCM software such as ours may be specifically targeted in cyber-attacks, including by way of computer viruses, worms, phishing attacks, ransomware, malicious software programs, and other data security threats, which could result in the unauthorized release, access, gathering, monitoring, encryption, misuse, loss, or destruction of our customers' sensitive and/or confidential data (including personal data), or otherwise disrupt our customers' or other third parties' business operations. If cybercriminals, including those working in the capacity of hackers, State actors, inside threats, or cybercrime groups, can circumvent our security measures, or if we are unable to detect an intrusion into or misuse of our systems and contain such intrusion or misuse in a reasonable amount of time, our information and our customers' personal data, including confidential and personal data, may be compromised. We seek to promptly detect and investigate all security incidents, mitigate any resulting loss or damage and prevent their recurrence, but, in some cases, we may be unaware of an incident or its magnitude and effects. There can be no assurance that our Information Technology ("IT") security and recovery system will be sufficient to prevent or limit the damage from any future cyber-attack or disruptions or to allow us to reinstate any operations that were affected by such attack or disruption. Additionally, customers or other third parties may seek monetary damages from us in connection with any such breaches or other incidents. Certain of our employees have access to personal data about our customers' employees. While we conduct background checks of our employees and limit access to systems and data, it is possible that one or more of these individuals may circumvent these controls, resulting in a security breach. Outside parties have fraudulently induced our employees in the past, and may also attempt to do so in the future, to disclose personal data via illegal electronic spamming, phishing, or other tactics. In addition, some of our third-party service providers and other vendors have access to certain portions of our IT system. Any failures, misconduct or negligence on the part of these service providers and vendors, including their respective employees and representatives, may cause material disruptions in our business and operations. Although we have security measures in place to protect regulated and personal data, and to prevent data loss and other security breaches, these measures could be breached because of third-party action, employee error, third-party or employee malfeasance, or otherwise. Because the techniques used to obtain unauthorized access to or to sabotage systems change frequently, we may not be able to anticipate these techniques and implement adequate preventative or protective measures, including in a timely manner. While we currently maintain a cyber-liability insurance policy, our cyber liability insurance coverage may be inadequate or may not continue to be available in the future on acceptable terms, or at all. In addition, our cyber liability insurance policy may not cover all claims made against us, and defending a suit, regardless of its merit, could be costly and divert management's attention from our business and operations. We have experienced data security incidents in the past, and expect to experience additional incidents in the future, however, to date no such incidents have been material to our business, operating results or financial condition. Any actual or perceived data security breach or incident could require notifications to data subjects, data owners, and/or other third parties (including regulators) under applicable data breach notification laws, damage our reputation, cause existing customers to discontinue the use of our solutions, prevent us from attracting new customers, or subject us to third-party lawsuits, regulatory fines, or other actions or liabilities, any of which could adversely affect our business, operating results or financial condition. If our IT systems, or the IT systems at our third-party service providers, were breached or attacked, the proprietary and confidential information of our company and our customers as well as personal data could be disclosed, and we may be required to incur substantial costs and liabilities, including the following: -     Expenses to rectify the consequences of the security breach or cyber-attack. -     Claims by customers or their employees related to stolen information, including personal data. -     Costs of repairing damage to our systems. -     Lost revenue and income resulting from any system downtime caused by such breach or attack. -     Loss of competitive advantage if our proprietary information is obtained by competitors as a result of such breach or attack. -     Increased costs of cyber security insurance or other security risk mitigation tools. -     Damage to our reputation. As a result, any compromise of security of our IT systems, or those of our third-party service providers, or a cyber-attack of those systems could have a material adverse effect on our business, reputation, financial condition, and operating results.

We are sometimes the subject of complaints or litigation from customers, employees, or other third parties for various actions. For example, customers use our products in connection with the preparation and filing of tax returns and other regulatory reports. If any of our products contain errors that produce inaccurate results upon which users rely, or cause users to misfile or fail to file required information, we could be subject to liability claims from users. Our cloud and maintenance renewal agreements with our customers typically contain provisions intended to limit our exposure to such claims, but such provisions may not be effective in limiting our exposure. Contractual limitations we use may not be enforceable and may not provide us with adequate protection against product liability claims in certain jurisdictions. A successful claim for product or service liability brought against us could result in substantial cost to us and divert management's attention from our operations. We are also, from time to time, involved in litigation involving claims related to, among other things, breach of contract, tortious conduct, data security and privacy matters, intellectual property matters and employment and labor law matters. The damages sought against us in some of these litigation proceedings could be substantial. Although we maintain liability insurance for some litigation claims, if one or more of the claims were to greatly exceed our insurance coverage limits or if our insurance policies do not cover a claim, this could have a material adverse effect on our business, financial condition, results of operations and cash flows.

As a vendor of services, we are ordinarily held responsible by taxing authorities for collecting and paying any applicable sales, use or other taxes. Additionally, the application of federal, state, and local tax laws to services provided electronically like ours is evolving. New income, sales, use, or other tax laws, statutes, rules, regulations, or ordinances could be enacted at any time (possibly with retroactive effect), and could be applied solely or disproportionately to services and applications provided over the internet. These enactments could adversely affect our sales activity, due to the inherent cost increase the taxes would represent, and could adversely affect our business, operating results, or financial condition. Each state has different rules and regulations governing sales and use taxes, and these rules and regulations are subject to varying interpretations that change over time. We review these rules and regulations periodically and, when we believe we are subject to sales and use taxes in a particular state, we may voluntarily engage state tax authorities in order to determine how to comply with that state's rules and regulations. We cannot ensure that we will not be subject to sales and use taxes or related penalties for past sales in states where we currently believe no such taxes are required. In addition, existing tax laws, statutes, rules, regulations, or ordinances could be interpreted, changed, modified, or applied adversely to us (possibly with retroactive effect), which could require us or our customers to pay additional tax amounts, as well as require us or our customers to pay fines or penalties and substantial interest for past amounts. If we are unsuccessful in collecting such taxes from our customers, we could be held liable for such costs, thereby adversely affecting our business, operating results, or financial condition. Additionally, the imposition of such taxes on us would effectively increase the cost of our software and services we provide to customers and would likely have a negative impact on our ability to retain existing customers or to gain new customers in the jurisdictions in which such taxes are imposed.

Our products and services are subject to various complex laws and regulations on the federal, state, and local levels, including those governing data security and privacy, which have become significant issues globally. The regulatory framework for privacy issues is rapidly evolving and is likely to remain uncertain and inconsistently enforced for the foreseeable future. Many federal, state, and foreign governmental bodies and agencies have adopted or are considering adopting laws and regulations regarding the creation, collection, receipt, processing, handling, maintenance, storage, use, disclosure, and transmission of personal data and other sensitive information. In the United States, these include rules and regulations promulgated under the authority of the Federal Trade Commission, the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, the Family Medical Leave Act of 1993, the Patient Protection and Affordable Care Act, as amended by the Health Care and Education Reconciliation Act,federal and state labor and employment laws, state data breach notification laws, and state privacy laws, such as the California Consumer Privacy Act (the "CCPA") and the Illinois Biometric Information Privacy Act (the "IBIPA"). The CCPA went into effect on January 1, 2020 and established a new privacy framework for covered businesses such as ours, which may require us to modify our data processing practices and policies. The CCPA imposes severe statutory damages and provides consumers with a private right of action for certain data breaches. Further, in November 2020, California voters passed the California Privacy Rights and Enforcement Act ("CPRA"), which expands the CCPA with additional data privacy compliance requirements that may impact our business, and establishes a regulatory agency dedicated to enforcing those requirements. It remains unclear how various provisions of the CCPA and CPRA will be interpreted and enforced. The IBIPA regulates the collection, use, safeguarding, and storage of "biometric identifiers" or "biometric information" by companies such as ours. IBIPA includes a private right of action for persons who are aggrieved by violations of the IBIPA. Even in circumstances where we do not believe a regulation applies to our activities, we may still be the subject of lawsuits alleging a regulation does apply. We are currently a defendant in three lawsuits, two in Illinois state court, and one in federal court in the Southern District of Illinois, related to the IBIPA. Each alleges that the Company violated IBIPA by failing to provide adequate notices and obtain consent from users of timekeeping devices that use handprint and/or fingerprint scanning for employee timekeeping. We do not believe IBIPA applies to the Company as alleged in the complaints and strenuously deny these claims. While adverse results in these lawsuits may include awards of substantial monetary damages, we believe it is too early to determine the possibility of liability and have not accrued any potential or estimated liabilities relating to these matters. Further, because some of our customers have establishments in the European Union ("EU") or otherwise process the personal data of EU residents, the GDPR 2016/679 may apply to our processing of certain customer and employee information. The GDPR went into effect on May 25, 2018 and has resulted in and will continue to result in significantly greater compliance burdens and costs for companies like us. Any data security breach could require notifications to the data subject and/or owners under federal, U.S., U.S. state, and/or international data breach notification laws and regulations. The effects of the CCPA, CPRA, IBIPA, GDPR and other U.S. state, U.S. federal, and international laws and regulations that are currently in effect or that may go into effect in the future, are significant and may require us to modify our data processing practices and policies and to incur substantial costs and potential liability in an effort to comply with such laws and regulations. Any actual or perceived failure to comply with these and other data protection and privacy laws and regulations could result in regulatory scrutiny and increased exposure to the risk of litigation or the imposition of consent orders, resolution agreements, requirements to take particular actions with respect to training, policies or other activities, and civil and criminal penalties, including fines, which could have an adverse effect on our results of operations or financial condition. Moreover, allegations of non-compliance, whether or not true, could be costly, time consuming, distracting to management, and cause reputational harm. In addition to government regulation, privacy advocates, and industry groups may propose new and different self-regulatory standards. Because the interpretation and application of privacy and data protection laws are still uncertain, it is possible that these laws may be interpreted and applied in a manner that is inconsistent with our existing data management practices or the features of our solutions. Any failure to comply with government laws or regulations that apply to our applications, including privacy and data protection laws, could subject us to liability. In addition to the possibility of fines, lawsuits, and other claims, we could be required to fundamentally change our business activities and practices or modify our solutions, which could have an adverse effect on our business, operating results, or financial condition. Any actual or perceived inability to adequately address privacy concerns, even if unfounded, or comply with applicable privacy or data protection laws, regulations, standards, and policies, could result in additional cost and liability to us, damage our reputation, inhibit sales, and adversely affect our business, operating results, or financial condition. Furthermore, privacy concerns may cause our customers' employees to resist providing the personal data necessary to allow our customers and their employees to use our applications effectively. Even the perception of privacy concerns, whether or not valid, may inhibit market adoption of our applications in certain industries. All these legislative and regulatory initiatives may adversely affect our ability, or our customers to create, collect, receive, process, handle, maintain, store, transmit, use, or disclose demographic and personal data from their employees, which could reduce demand for our solutions. Certain of our products and services use data-driven insights to help our clients manage their businesses more efficiently. Further, our ability to provide data-driven insights using AI or machine learning may also be constrained by current or future regulatory requirements, statutes or ethical considerations that could restrict or impose burdensome and costly requirements on our ability to leverage data in innovative ways.

We rely on third-party couriers, financial and accounting processing systems, and various financial institutions, to deliver payroll checks and tax forms, perform financial services in connection with our applications, such as providing ACH and wire transfers as part of our payroll and tax payment services, and to provide technology and content support, manufacture time clocks, and process background checks. We anticipate that we will continue to depend on various third-party relationships to grow our business, provide technology and content support, manufacture time clocks, process background checks, and deliver payroll checks and tax forms. Identifying, negotiating, and documenting relationships with these third parties and integrating third-party content and technology requires considerable time and resources. Our agreements with third parties typically are non-exclusive and do not prohibit them from working with our competitors. In addition, these third parties may not perform as expected under our agreements, and we may have disagreements or disputes with such third parties, which could negatively affect our brand and reputation. A global economic slowdown or recession could also adversely affect the businesses of our third-party providers, hindering their ability to provide the services on which we rely. Further, a disruption of the Federal Reserve Bank's services, including ACH processing, could negatively affect our payroll and expense reimbursement services by delaying direct deposits and other financial transactions across the United States. If we are unsuccessful in establishing or maintaining our relationships with these third parties, our ability to compete in the marketplace or to grow our revenues could be impaired, and our business, operating results, or financial condition could be adversely affected. Even if we are successful, these relationships may not result in improved operating results.

The market for HCM and payroll solutions is fragmented, highly competitive, and rapidly changing. Our competitors may develop products that are superior to our products or achieve greater market acceptance. We may be unable to compete successfully against current or future competitors. With the introduction of new technologies and market entrants, competition could intensify in the future. We believe the principal competitive factors in our market include breadth and depth of product functionality, scalability and reliability of applications, modern and innovative cloud technology platforms combined with an intuitive user experience, multi-country and jurisdiction domain expertise in HCM and payroll, quality of implementation and customer service, integration with a wide variety of third-party applications and systems, total cost of ownership and return on investment, brand awareness, reputation, pricing, and distribution. We face a variety of competitors, some of which are long-established providers of HCM solutions. Several of our competitors are larger, have greater name recognition, longer operating histories, and significantly greater resources than we do. Many of these competitors can devote greater resources to the development, promotion, and sale of their products and services. Furthermore, our current or potential competitors may be acquired by third parties with greater available resources and the ability to initiate or withstand substantial price competition, which may include price concessions, delayed payment terms, or other terms and conditions that are more enticing to potential customers. As a result, our competitors may be able to develop products and services better received by our markets, or may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, regulations, or customer requirements. In order to capitalize on customer demand for cloud applications, legacy vendors are modernizing and expanding their applications through cloud acquisitions and organic development. Legacy vendors may also seek to partner with other leading cloud HCM providers. We also face competition from vendors selling custom software and point solutions. Our competitors vary for each of our solutions and primarily include payroll and HR service and software providers, such as Automatic Data Processing, Inc., Paychex, Inc., Paycom Software, Inc., Paylocity Holding Corp., Ultimate Software Group, Inc. and other local and regional providers. In addition, other companies, such as NetSuite, Inc. and Microsoft Corporation, that provide cloud applications in different target markets, may develop applications or acquire companies that operate in our target markets, and some potential customers may elect to develop their own internal applications. Our competitors could offer HCM solutions on a standalone basis or bundled as part of a larger product sale. In addition, current and potential competitors have established, and might in the future establish, partner, or form other cooperative relationships with vendors of complementary products, technologies, or services to enable them to offer new products and services, to compete more effectively or to increase the availability of their products in the marketplace. New competitors or relationships might emerge that have greater market share, a larger customer base, more widely adopted proprietary technologies, greater marketing expertise, greater financial resources, and larger sales forces than we have, which could put us at a competitive disadvantage. Considering these advantages, current or potential customers might accept competitive product offerings in lieu of purchasing our offerings. We expect intense competition to continue for these reasons, and such competition could negatively impact our sales, profitability, or market share. If our competitors' products, services, or technologies become more accepted than our applications, if they are successful in bringing their products or services to market earlier than ours, or if their products or services are more technologically capable than ours, it could have a material adverse effect on our business, financial condition, and results of operations. In addition, some of our competitors may offer their products and services at a lower price. If we are unable to achieve our target pricing levels or if we experience significant pricing pressures, it could have a material adverse effect on our business, financial condition, and results of operations.

Our business depends on our ability to satisfy our customers, both with respect to our applications and the technical support provided to help our customers use the applications that address the needs of their businesses. We use implementation and customer services teams to implement and configure our solutions and provide support to our customers. Customers' support requests span numerous subjects, and the volume of such requests can be high, particularly during peak periods (such as open enrollment season), which may result in long wait times to contact us for support. If a customer is not satisfied with the quality of our solutions, the applications delivered, or the timeliness or quality of support provided, we could incur additional costs to address the situation, our profitability might be negatively affected, and the customer's dissatisfaction with our implementation or support service could harm our ability to sell additional applications to that customer. In addition, our sales process is highly dependent on the reputation of our solutions and applications and on positive recommendations from our existing customers. Our customers have no obligation to continue to use our applications and may choose not to continue to use our applications at the same or higher level of service, if at all. Moreover, our customers generally have the right to cancel their agreements with us for any or no reason by providing 30 days' prior written notice. In the past, some of our customers have elected not to continue to use our applications. Any failure to maintain a high-quality user experience and customer support, or a market perception that we do not maintain high-quality support, could adversely affect customer retention, our reputation, our ability to sell our applications to existing and prospective customers, and, as a result, our business, operating results, or financial condition. Further, our solutions are inherently complex and may in the future contain or develop undetected defects or errors. Any defects in our applications could adversely affect our reputation, impair our ability to sell our applications in the future or retain current clients, and result in significant costs to us. The costs incurred in correcting any application defects may be substantial and could adversely affect our business, operating results, or financial condition. Any defects in functionality or defects that cause interruptions in the availability of our applications could result in: -     Loss of clients or delayed market acceptance and sales of our applications. -     Termination of service agreements or loss of customers. -     Credits, refunds, or other liability to customers, including reimbursements for any fees or penalties assessed by regulatory agencies. -     Breach of contract, breach of warranty, or indemnification claims against us, which may result in litigation. -     Diversion of development and service resources, or increased costs to hire additional development and service resources to correct defects or errors. -     Increased scrutiny of our solutions from regulatory agencies. -     Injury to our reputation. Because of the large amount of data that we collect and manage, it is possible that hardware failures or errors in our applications could result in data loss, data corruption, or cause the information that we collect to be incomplete or contain inaccuracies that our customers regard as significant. Our customers might assert claims against us in the future alleging that they suffered damages due to a defect, error, or other failure of our solutions. Our errors and omissions insurance may be inadequate or may not be available in the future on acceptable terms, or at all. In addition, our policy may not cover all claims made against us, and defending a suit, regardless of its merit, could be costly and divert management's attention. Any failures in the performance of our solutions could harm our reputation and our ability to retain existing customers and attract new customers, which would have an adverse impact on our business, operating results, or financial condition. See "-Risks Relating to Our Business, Products and Operations-Our software might not operate properly, which could damage our reputation, give rise to claims against us, or divert application of our resources from other purposes, any of which could harm our business and operating results."