Qualys (QLYS) Risk Factors

We and our service providers face threats from a variety of sources, including attacks on our networks and systems from numerous sources, including traditional "hackers," sophisticated nation-state and nation-state supported actors, other sources of malicious code (such as viruses and worms), ransomware, social engineering, denial of service attacks, and phishing attempts. We and our service providers could be a target of cyber-attacks or other malfeasance designed to impede the performance of our solutions, penetrate our network security or the security of our cloud platform or our internal systems, misappropriate proprietary information and/or cause interruptions to our services. We and our service providers have experienced and may continue to experience security incidents and attacks of varying degrees from time to time. We have incurred costs to respond to such incidents and may continue to incur costs to support our efforts to enhance our security measures. Additionally, due to political uncertainty and military actions in parts of Eastern Europe and the Middle East, we and our service providers are vulnerable to heightened risks of cybersecurity incidents and security and privacy breaches from or affiliated with nation-state actors, including attacks that could materially disrupt our systems, operations and services. Our solutions, platforms, and system, and those of our service providers, are subject to security incidents as a result of technical and non-technical issues, including intentional or inadvertent acts or omissions by our employees or service providers. With the increase in personnel working remotely, at least part-time in our case, we and our service providers are at increased risk for security breaches and incidents. We have taken and intend to continue to take steps to monitor and enhance the security of our solutions, cloud platform, and other relevant systems, IT infrastructure, networks, and data; however, the unprecedented scale of remote work may require additional personnel and resources, which nevertheless cannot be guaranteed to fully safeguard our solutions, our cloud platform, or any systems, IT infrastructure networks, or data upon which we rely. Further, because our operations involve providing IT security solutions to our customers, we are targeted for cyber-attacks and other security incidents. A breach in or incident impacting our data security, an attack against our service availability, or any breach, incident, or attack impacting our third-party service providers, could impact our networks or networks secured by our solutions, creating system disruptions or slowdowns and exploiting security vulnerabilities of our solutions, and the information stored on our networks or those of our third-party service providers could be accessed, used, publicly disclosed, altered, lost, or stolen, which could subject us to liability and cause us financial harm. If an actual or perceived disruption in the availability of our solutions or the breach or other compromise of our security measures or those of our service providers occurs, it could adversely affect the market perception of our solutions, result in a loss of competitive advantage, have a negative impact on our reputation, or result in the loss of customers, channel partners and sales, and it may expose us to the loss, unavailability or alteration of information, claims, demands and litigation, regulatory investigations, actions and other proceedings and possible liability. Any such actual or perceived security breach or incident or disruption could also divert the efforts of our technical and management personnel. We and our service providers may face difficulties or delays in identifying and responding to any security breach or incident. We also may incur significant costs and operational consequences of investigating, remediating, eliminating and putting in place additional tools and devices designed to prevent actual or perceived security incidents, as well as costs to respond to and otherwise address any breach or incident, including any to comply with any notification obligations resulting from any security incidents. In addition, any such actual or perceived security breach or incident could impair our ability to operate our business and provide solutions to our customers. If this happens, our reputation could be harmed, our revenues could decline and our business could suffer. Although we maintain insurance coverage that may be applicable to certain liabilities in the event of a security breach or other security incident, we cannot be certain that our insurance coverage will be adequate for liabilities that actually are incurred, that insurance will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material and adverse effect on our business, including our financial condition, operating results and reputation.

Our solutions are subject to U.S. export controls, specifically, the Export Administration Regulations and economic sanctions enforced by the Office of Foreign Assets Control. We incorporate encryption technology into certain of our solutions. These encryption solutions and the underlying technology may be exported only with the required export authorizations, including by license, a license exception or other appropriate government authorizations. U.S. export controls may require submission of an encryption registration, product classification and/or annual or semi-annual reports. Governmental regulation of encryption technology and regulation of imports or exports of encryption products, or our failure to obtain required import or export authorization for our solutions, when applicable, could harm our international sales and adversely affect our revenues. Compliance with applicable regulatory requirements regarding the export of our solutions, including with respect to new releases of our solutions, may create delays in the introduction of our solutions in international markets, prevent our customers with international operations from deploying our solutions throughout their globally-distributed systems or, in some cases, prevent the export of our solutions to some countries altogether. In addition, various countries regulate the import of our appliance-based solutions and have enacted laws that could limit our ability to distribute solutions or could limit our customers' ability to implement our solutions in those countries. Any new export or import restrictions, new legislation or shifting approaches in the enforcement or scope of existing regulations, or in the countries, persons or technologies targeted by such regulations, could result in decreased use of our solutions by existing customers with international operations, declining adoption of our solutions by new customers with international operations and decreased revenues. If we fail to comply with export and import regulations, we may be fined or other penalties could be imposed, including denial of certain export privileges.

We collect certain personal information of our customers in connection with subscriptions to our solutions. Additionally, the data that our solutions collect to help secure and protect the IT infrastructure of our customers may include additional personal or confidential information of our customers' employees and their customers, and we may collect, store and otherwise process personal or confidential information more generally in connection with our business and operations. Personal privacy has become a significant issue in the United States and in many other countries where we offer our solutions. The regulatory framework for privacy issues worldwide is currently evolving and is likely to remain uncertain for the foreseeable future. Many federal, state and foreign government bodies and agencies have adopted or are considering adopting laws and regulations regarding the collection, use, disclosure and retention of personal information. In the United States, these include, for example, rules and regulations promulgated under the authority of the Federal Trade Commission, the Health Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act, and state breach notification laws. Internationally, virtually every jurisdiction in which we operate has established its own data security and privacy legal framework with which we or our customers must comply. These privacy, data protection and information security laws and regulations may result in ever-increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. Additionally, new laws and regulations relating to privacy and data protection continue to be proposed and enacted. For example, the European Union has adopted the Global Data Protection Regulation ("GDPR"). This regulation, which took effect in May of 2018, provides for substantial obligations relating to the handling, storage and other processing of data relating to individuals and administrative fines for violations, which can be up to four percent of the previous year's annual revenue or €20 million, whichever is higher. The GDPR may be subject to new or changing interpretations by courts, and our interpretation of the law and efforts to comply with the rules and regulations of the law may be ruled invalid. Similarly, the California Consumer Privacy Act ("CCPA") requires covered companies to, among other things, provide certain disclosures to California consumers and affords such consumers rights to opt-out of certain sales of personal information. The CCPA also creates a private right of action for statutory damages for certain breaches of information. Additionally, the California Privacy Rights Act ("CPRA"), was approved by voters in the November 3, 2020 election. The CPRA modified the CCPA significantly, creating obligations relating to consumer data beginning on January 1, 2022, with enforcement authorized as of July 1, 2023. In addition, other states have enacted or proposed legislation that regulates the collection, use, and sale of personal information, including, for example, Washington's My Health, My Data Act and legislation similar to the CCPA adopted in Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Montana, Tennessee, Oregon, Florida, Delaware, Texas, Kentucky, New Jersey, New Hampshire, Maryland, Minnesota, Nebraska, and Rhode Island. Aspects of the CCPA, CPRA, and these other new and evolving state laws, as well their interpretation and enforcement, remain uncertain. We cannot predict the impact of the CCPA, CPRA, or other evolving privacy and data protection obligations on our business or operations, but they may require us to modify our data processing practices and policies and incur substantial costs and expenses in an effort to comply. The privacy, data protection, and information security laws and regulations we must comply with also are subject to change. For example, the United Kingdom has enacted a Data Protection Act, and has implemented legislation referred to as the "UK GDPR," that substantially implement the GDPR in the United Kingdom following the United Kingdom's exit from the European Union. This legislation provides for substantial penalties for noncompliance of up to the greater of £17.5 million or four percent of the previous year's annual revenues. While the European Union has deemed the United Kingdom an "adequate country" to which personal data could be exported from the European Economic Area ("EEA"), this decision is required to be renewed after four years of being in effect and may be modified, revoked, or challenged in the interim, creating uncertainty regarding transfers of personal data to the United Kingdom from the EEA. It remains unclear how United Kingdom data protection laws or regulations will develop in the medium to longer term and how data transfers to and from the United Kingdom will be regulated. Additionally, we have self-certified under the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the United Kingdom extension to the EU-U.S. Data Privacy Framework, and have adopted certain standard contractual clauses approved by the European Commission ("SCCs") as part of our data processing agreements with regard to certain transfers of personal data from the EEA to the U.S. Both the EU-U.S. Data Privacy Framework and SCCs have, however, been subject to legal challenge. In its July 16, 2020 opinion, the CJEU imposed additional obligations on companies when relying on SCCs to transfer personal data. The European Commission has published revised SCCs addressing the CJEU concerns on June 4, 2021, that are required to be implemented. The United Kingdom has adopted new standard contractual clauses ("UK SCCs"), that became effective as of March 21, 2022, and which also are required to be implemented. The EU-U.S. Data Privacy Framework, Swiss-U.S. Data Privacy Framework, United Kingdom extension to the EU-U.S. Data Privacy Framework, revised SCCs and UK SCCs, guidance and opinions of regulators, and other developments relating to cross-border data transfer may require us to implement additional contractual and technical safeguards for any personal data transferred out of Europe, which may increase compliance costs, lead to increased regulatory scrutiny or liability, and which may adversely impact our business, financial condition and operating results. We may be unsuccessful in maintaining legitimate means for our transfer and receipt of personal data from the EEA, United Kingdom, or Switzerland. We may experience reluctance or refusal by current or prospective European customers to use our products, and we and our customers may face a risk of enforcement actions by data protection authorities relating to personal data transfers to us and by us from the EEA, United Kingdom, and Switzerland. Any such enforcement actions could result in substantial costs and diversion of resources, distract management and technical personnel and negatively affect our business, operating results and financial condition. Some countries also are considering or have passed legislation requiring local storage and processing of data, or similar requirements, which could increase the cost and complexity of delivering our services. In addition to laws and regulations, privacy advocacy and industry groups or other private parties may propose new and different privacy standards that either legally or contractually apply to us. Because the interpretation and application of privacy and data protection laws, regulations, standards and contractual obligations are uncertain, it is possible that they may be interpreted and applied in a manner that is, or perceived to be, inconsistent with our data management practices or the features of our solutions. If so, in addition to the possibility of regulatory investigations and enforcement actions, fines, lawsuits and other claims, other forms of injunctive or operations-limiting relief, and damage to our reputations and loss of goodwill, we could be required to fundamentally change our business activities and practices or modify our solutions and may face limitations in our ability to develop new solutions and features, any of which could have an adverse effect on our business. Any inability to adequately address privacy concerns, even if unfounded, or any actual or perceived inability to comply with applicable privacy or data protection laws, regulations and privacy standards, could result in cost and liability to us, damage our reputation, inhibit sales of subscriptions and harm our business. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, and privacy standards that are applicable to the businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our solutions. Privacy concerns, whether valid or not valid, may inhibit market adoption of our solutions particularly in certain industries and foreign countries.

Our business depends to a significant extent on the overall demand for IT and on the economic health of our current and prospective customers. Economic weakness, customer financial difficulties, change in interest rates, inflationary pressures and potential for a recession, and constrained spending on IT security, as well as longer sales cycles, which factors we have experienced in 2023 and into 2024, have resulted and may in the future result in decreased revenue and earnings. In addition, continued governmental budgetary challenges in the United States and Europe, inflationary pressures and potential for a recession, and geopolitical turmoil in many parts of the world, including the ongoing military conflicts in parts of Eastern Europe and the Middle East, and other disruptions to global and regional economies and markets in many parts of the world, as well as uncertainties related to changes in public policies such as domestic and international regulations, taxes or international trade agreements, have and may continue to put pressure on global economic conditions and overall spending on IT security and may further increase inflation, both in the U.S. and globally, which could increase our operating costs in the future and reduce overall spending on IT security. General economic weakness may also lead to longer collection cycles for payments due from our customers, an increase in customer bad debt, restructuring initiatives and associated expenses, and impairment of investments. Furthermore, the continued weakness and uncertainty in worldwide credit markets, including the sovereign debt situation in certain countries in the European Union, may adversely impact our European operations, as well as our current and potential customers' available budgetary spending, which could lead to delays or reductions in planned purchases of our solutions. Uncertainty about future economic conditions also makes it difficult to forecast operating results and to make decisions about future investments. Future or continued economic weakness for us or our customers, failure of our customers and markets to recover from such weakness, customer financial difficulties, and reductions in spending on IT security could have a material adverse effect on demand for our platform and consequently on our business, financial condition and results of operations.

We market and sell subscriptions to our solutions throughout the world and have personnel in many parts of the world. In addition, we have sales offices and research and development facilities outside the United States and we conduct, and expect to continue to conduct, a significant amount of our business with organizations that are located outside the United States, particularly in Europe and Asia. Therefore, we are subject to risks associated with having international sales and worldwide operations, including: - foreign currency exchange fluctuations;- trade and foreign exchange restrictions;- economic or political instability in foreign markets, including as a result of increasing tensions between India and China;- greater difficulty in enforcing contracts, accounts receivable collection and longer collection periods;- changes in regulatory requirements;- tax laws (including U.S. taxes on foreign subsidiaries);- difficulties and costs of staffing and managing foreign operations;- the uncertainty and limitation of protection for intellectual property rights in some countries;- costs of compliance with foreign laws and regulations and the risks and costs of non-compliance with such laws and regulations;- costs of complying with U.S. laws and regulations for foreign operations, including the Foreign Corrupt Practices Act, import and export control laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell our solutions in certain foreign markets, and the risks and costs of non-compliance;- heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, and irregularities in, financial statements;- the potential for political unrest, acts of terrorism, hostilities or war;- management communication and integration problems resulting from cultural differences and geographic dispersion; and - multiple and possibly overlapping tax structures. Some of our business partners also have international operations and are subject to the risks described above. Even if we are able to successfully manage the risks of international operations, our business may be adversely affected if our business partners are not able to successfully manage these risks. Our business, including the sales of subscriptions of our solutions, may be subject to foreign governmental regulations, which vary substantially from country to country and change from time to time. Failure to comply with these regulations could adversely affect our business. Further, in many foreign countries it is common for others to engage in business practices that are prohibited by our internal policies and procedures or U.S. regulations applicable to us. Although we have implemented policies and procedures designed to ensure compliance with these laws and policies, there can be no assurance that all of our employees, contractors, channel partners and agents have complied or will comply with these laws and policies. Violations of laws or key control policies by our employees, contractors, channel partners or agents could result in delays in revenue recognition, financial reporting misstatements, fines, penalties or the prohibition of the importation or exportation of our solutions and could have a material adverse effect on our business and results of operations. If we are unable to successfully manage the challenges of international operations, our business and operating results could be adversely affected. In addition, as of September 30, 2024, approximately 76% of our employees were located outside of the United States, with 68% of our employees located in Pune, India. Accordingly, we are exposed to changes in laws governing our employee relationships in various U.S. and foreign jurisdictions, including laws and regulations regarding wage and hour requirements, fair labor standards, employee data privacy, unemployment tax rates, workers' compensation rates, citizenship requirements and payroll and other taxes which may have a direct impact on our operating costs. We may continue to expand our international operations and international sales and marketing activities. Expansion in international markets has required, and will continue to require, significant management attention and resources. We may be unable to scale our infrastructure effectively or as quickly as our competitors in these markets and our revenues may not increase to offset any increased costs and operating expenses, which would cause our results to suffer.

A significant natural disaster, such as an earthquake, fire or a flood, or a significant power outage could have a material adverse impact on our business, operating results and financial condition. Our corporate headquarters and a significant portion of our operations are located in the San Francisco Bay Area, a region known for seismic activity. In addition, natural disasters could affect our business partners' ability to perform services for us on a timely basis. In the event we or our business partners are hindered by any of the events discussed above, our ability to provide our solutions to customers could be delayed, resulting in our missing financial targets, such as revenues and net income, for a particular quarter. Further, if a natural disaster occurs in a region from which we derive a significant portion of our revenues, customers in that region may delay or forego subscriptions of our solutions, which may materially and adversely impact our results of operations for a particular period. In addition, war, acts of terrorism, pandemics or other health emergencies, or responses to these events could cause disruptions in our business or the business of our business partners, customers or the economy as a whole. All of the aforementioned risks may be exacerbated if the disaster recovery plans for us and our suppliers prove to be inadequate. To the extent that any of the above results in delays of customer subscriptions or commercialization of our solutions, our business, financial condition and results of operations could be adversely affected.

Our reporting currency is the U.S. dollar and we generate a majority of our revenues in U.S. dollars. However, for the nine months ended September 30, 2024, we incurred approximately 27% of our expenses in foreign currencies, primarily the Euro, British Pound, and Indian Rupee, principally with respect to salaries and related personnel expenses associated with our European and Indian operations. Additionally, for the nine months ended September 30, 2024, approximately 25% of our revenues were generated in foreign currencies. Accordingly, changes in exchange rates may have a material adverse effect on our business, operating results and financial condition. The exchange rate between the U.S. dollar and foreign currencies has fluctuated substantially in recent years and may continue to fluctuate substantially in the future. We expect that a majority of our revenues will continue to be generated in U.S. dollars for the foreseeable future and that a significant portion of our expenses, including personnel costs, as well as capital and operating expenditures, will continue to be denominated in the Euro, British Pound and Indian Rupee. The result of our operations may be adversely affected by foreign exchange fluctuations. We use derivative financial instruments to reduce our foreign currency exchange risks. We use foreign currency forward contracts to mitigate the impact of foreign currency fluctuations of certain non-U.S. dollar denominated net asset positions, to date primarily cash, accounts receivable and operating lease liabilities (non-designated), as well as to manage foreign currency fluctuation risk related to forecasted transactions (designated). However, we may not be able to purchase derivative instruments that are adequate to insulate ourselves from foreign currency exchange risks. Additionally, our hedging activities may contribute to increased losses as a result of volatility in foreign currency markets.