Vivid Seats (SEAT) Risk Analysis

Our ability to attract and retain ticket buyers, sellers, and partners depends in large part on our ability to continue to provide a user-friendly and effective platform, develop and improve our platform, and introduce compelling new solutions and enhancements. Our industry is characterized by rapidly changing technology, service, and product introductions, and changing demands of ticket buyers, sellers, and partners. Technological innovation in areas such as AI and machine learning may further accelerate these changes. While we spend substantial time and resources understanding and responding to these changes and demands, if we fail to adapt, competitors may be able to more successfully enhance their platforms, improve operational efficiency, and/or deliver more personalized user experiences. Developing new and improved solutions and enhancements is costly and complex, and the timetable for commercial release is difficult to predict and may vary from our historical experience. Our ability to effectively develop, adopt, or integrate emerging technologies, including AI and machine learning, may also impact our ability to remain competitive. In addition, after development, ticket buyers, sellers, and partners may not be satisfied with, or may perceive that their needs are not adequately addressed by, our solutions and enhancements. The success of a new solution or enhancement to our platform can depend on several factors, including timely completion and delivery, competitive pricing, adequate quality testing, platform integration, user awareness, and overall market acceptance and adoption. If we do not continue to maintain and improve our platform, or to successfully develop new and improved solutions and enhancements, our business, financial condition, and results of operations could be adversely affected.

We process certain personal data and other sensitive or confidential information, including about ticket buyers and sellers and our employees. Penetration of our information technology systems, or the misappropriation or misuse of such data or information (including credit card and other personally identifiable information), could interrupt our operations and subject us to adverse consequences, including increased costs, litigation, and governmental enforcement actions. Cyberattacks, malicious internet-based activity, fraud, and similar evolving threats (including phishing attacks, malicious code, software bugs, malware attacks, ransomware attacks, denial-of-service attacks, credential stuffing attacks, and credential harvesting) threaten the confidentiality, integrity, and availability of our information technology systems. Such threats come from a variety of sources and are increasingly prevalent and difficult to detect. In addition, we rely on third parties to process certain information in a variety of contexts (e.g., cloud-based infrastructure, encryption technology, and employee email) and to provide certain hardware, software, and applications. These third parties' information technology systems are subject to similar threats, and our ability to monitor their security practices is limited. If any of these third parties were to suffer a security incident or other interruption, we could experience adverse consequences. While we may be entitled to damages if a third party fails to satisfy its privacy- or security-related obligations to us, any award, assuming we are able to recover it, may be insufficient to cover our damages. Our past and future business acquisitions could also increase our exposure to these threats if our systems were negatively affected by vulnerabilities in an acquired entity's systems. It may be difficult and/or costly to detect, investigate, mitigate, contain, and remediate a security incident, and our efforts to do so may not be successful. Actions taken by us or the third parties with whom we work to do so could result in outages, data losses, and business disruptions. Threat actors may also gain access to other networks and systems after a compromise of our networks and systems (for example, by using an initial compromise of one part of our environment to gain access to other parts of our environment, or by leveraging a compromise of our networks or systems to gain access to third-party networks or systems, such as through phishing or supply chain attacks). We have devoted significant resources to the development of systems, practices, and policies designed to detect, mitigate, and remediate vulnerabilities in our information technology systems, protect against potential cybersecurity threats and their consequences, and protect sensitive information. However, such measures cannot provide absolute security or certainty. Advances in threat actor capabilities, technologies, methods, and tools, inadvertent violations of our practices or policies, or other developments could result in a compromise or breach of our systems and processes that are used to protect sensitive information. We may also experience delays in developing and deploying remedial measures designed to address identified vulnerabilities. In addition, laws in certain of the jurisdictions in which we operate require, and laws in other jurisdictions in which we may operate in the future may require, businesses in certain instances to notify affected individuals, governmental entities, and/or credit reporting agencies of cybersecurity incidents, including those affecting personal information. Certain of our contractual obligations contain similar requirements. Such requirements are inconsistent, and compliance in the event of a widespread cybersecurity incident may be complex, costly, and difficult to implement. These risks may increase not only as we expand our operations in new jurisdictions, but also as our business continues to involve greater numbers of ticket buyers, sellers, and partners. While we maintain general and cyber liability insurance policies, they may not cover, or may cover only a portion of, any response and remediation costs and potential claims related to cybersecurity incidents to which we are exposed, or they may be inadequate to indemnify us for all or any portion of liabilities that may be imposed. There can be no assurance that our existing insurance coverage will continue to be available on acceptable terms or in amounts sufficient to cover the potentially significant losses that may result from a cybersecurity incident or that the insurer will not deny coverage of any future claim. Any of these or similar threats could lead to a security incident or other interruption that results in the unauthorized, unlawful, or accidental acquisition, modification, destruction, loss, or disclosure of, or access to, our information technology systems, or those of third parties with whom we conduct business. If we or such a third party experience (or are perceived to have experienced) a significant incident or interruption, it may have adverse consequences on us, including: governmental enforcement actions; lawsuits (including class action claims); additional reporting requirements and/or oversight; bans or restrictions on processing sensitive information; indemnification obligations; negative publicity and reputational harm; the diversion of management resources; the interruption of our operations (including data availability); financial losses; and incidents of ticketing fraud or counterfeit tickets. Any of the foregoing could adversely affect our business, financial condition, and results of operations.

The application of indirect taxes such as sales and use, amusement, value-added, goods and services, business, and gross receipts to businesses like ours, and to ticket buyers and sellers on our marketplace, is a complex and evolving issue. Because significant judgment is required to evaluate applicable tax obligations, amounts recorded are subject to adjustment. In many cases, the ultimate tax determination is uncertain because it is unclear how new and existing statutes might apply to our business. One or more jurisdictions may seek to impose additional reporting, recordkeeping, or indirect tax collection obligations on businesses like ours that facilitate online marketplaces. The imposition of information reporting or tax collection requirements could decrease ticket seller activity on our platform, which would adversely affect our business. New legislation could require us, or ticket sellers on our marketplace, to incur substantial compliance costs, including in connection with tax calculation, collection, remittance, as well as audit requirements, which could adversely affect our business, financial condition, and results of operations. In addition, we could become subject to sales and use tax and value-added tax audits in the future, and federal, state, local, or international tax authorities could assert that we are obligated to collect additional amounts as taxes on behalf of ticket sellers and remit those taxes to the proper authorities. We could also be subject to audits and assessments with respect to jurisdictions for which we have not accrued tax liabilities. A successful assertion that we should be collecting additional sales or other taxes in jurisdictions where we have not historically done so, and where we do not accrue for such taxes, could result in substantial tax liabilities for past sales and otherwise adversely affect our business, financial condition, and results of operations.

In the ordinary course of business, we collect, receive, store, protect, use, transmit, share, and dispose of (collectively, "process") personal data and other sensitive information. This subjects us to numerous federal, state, and international laws and regulations, industry standards, external and internal privacy and security policies, and contractual requirements addressing privacy, data protection, and the processing of such data and information. Many U.S. states, and the federal and local governments, have adopted data protection and security legislation, including laws relating to personal data privacy and data breach notification. Many U.S. states have also enacted comprehensive privacy laws that impose obligations on covered businesses, such as requiring privacy disclosures and giving residents certain rights with respect to their personal data (e.g., the right to access, correct, or delete such data and to opt out of certain data processing activities). Certain U.S. states also impose strict requirements on the processing of personal data, such as conducting data privacy impact assessments, and provide statutory fines for non-compliance. For example, the CCPA applies to the personal data of California residents and requires covered businesses to provide specific privacy notice disclosures and honor requests to exercise certain privacy rights. The CCPA provides for statutory penalties and a private right of action for data breaches resulting from a failure to implement reasonable security procedures and practices. U.S. state and federal legislators continue to consider and enact similar laws, reflecting a trend toward more stringent privacy legislation in the United States. These and any future similar laws are likely to increase our compliance costs, particularly when they have conflicting requirements and evolving judicial interpretations, and may require us to further modify our data processing practices and policies. There has also been a noticeable uptick in U.S. class action litigation in which plaintiffs utilize laws, including the Video Privacy Protection Act of 1988, the Telephone Consumer Protection Act, state wiretapping laws, and other privacy laws and regulations, relating to the use of tracking technologies such as cookies and pixels, as well as AI-enabled ‘chatbots' and customer service agents. This trend may lead legislatures to consider responsive regulation. Our inability or failure to obtain consent for these practices or to appropriately disclose them could result in adverse consequences, including class action litigation and mass arbitration demands. Personal and other user data is also increasingly subject to legislation and regulations in foreign jurisdictions in which we operate. For example, PIPEDA is a comprehensive Canadian privacy and security law for organizations collecting, using, or disclosing information about identified individuals for commercial purposes. Certain Canadian provinces also have their own data protection regulations. Similarly, the United Kingdom, the European Union (the "EU"), and countries in the European Economic Area (the "EEA") traditionally have taken broader views on, and imposed different legal obligations on companies as to, the types of data that are subject to privacy and data protection laws and regulations. For example, the EU General Data Protection Regulation (the "GDPR") applies to companies that collect and use personal data in connection with the offering of goods or services to individuals in the EEA or the monitoring of their behavior. The United Kingdom has its own General Data Protection Regulation. Under the GDPR, companies may face bans on data processing, other corrective actions, monetary fines, and/or private litigation related to the processing of personal data. The APPI, a Japanese law governing the handling of personal information, may also impose obligations on covered entities that are in addition to, or differ from, those in other jurisdictions (for example, it differs from the GDPR with respect to its approach to notifications and the cross-border transfer of personal data). Compliance with these and any other foreign data privacy laws and regulations may significantly increase our operational costs and our overall risk exposure. In the ordinary course of business, we transfer personal data from one jurisdiction to another. Certain European jurisdictions, including the United Kingdom, have enacted laws requiring that personal data be localized or limiting the transfer thereof to other jurisdictions, including the United States. Other jurisdictions have adopted or may adopt similar data localization and/or cross-border data transfer restrictions. Although there are various mechanisms that may be used to transfer such data from the United Kingdom and the EEA to the United States in compliance with these restrictions, they are subject to legal challenges and there can be no assurance that we can satisfy or rely on them. If there were no lawful manner for us to make such transfers, or if the requirements for doing so were too onerous, we could face adverse consequences, including the interruption of our operations, the need to relocate our data processing activities, and penalties such as fines and injunctions. In addition, companies that transfer personal data out of the United Kingdom and the EEA have faced increased scrutiny from regulators and litigants, and certain of such companies have been ordered by European regulators to suspend or cease certain such data transfers for allegedly violating the GDPR's cross-border data transfer restrictions. Regulators in the United States are also increasingly scrutinizing personal data transfers and have proposed and enacted certain data localization or transfer requirements. For example, the U.S. Department of Justice has issued a rule that places additional restriction on certain data transactions involving countries of concern (e.g., China, Russia, Iran) and covered persons (i.e., individuals and entities who are designated as such by the U.S. Attorney General or are considered "foreign persons" and are majority owned by, or organized under the laws of, a primary resident in, or a contractor of, a covered person or country of concern) that may impact certain business activities such as vendor, employee, and contractor engagements, data sharing, and investor agreements. Violations of the rule could lead to significant civil and criminal fines and penalties. We must also comply with certain industry standards and contractual obligations related to personal privacy, data security, and AI. For example, certain privacy laws, including the CCPA and the GDPR, require the imposition of specific contractual restrictions on service providers. We also publish privacy policies, marketing materials, and other statements related to compliance with certain certifications or self-regulatory principles concerning data privacy and security. U.S. regulators are increasingly scrutinizing these materials, and if they are found to be deficient, unfair, misleading, or misrepresentative of our practices, we could be subject to governmental enforcement actions or other adverse consequences. From time to time, our personnel use generative AI technologies in the course of their work. We use also use AI technologies in certain of our products. The disclosure and use of personal and/or confidential data in generative AI technologies, and the development and use of such technologies, present various privacy and data security risks and are subject to an increasing number of laws and regulations. Several jurisdictions, including in the United States and Europe, have enacted laws and regulations governing the development and use of AI, such as the EU's AI Act, Colorado's Artificial Intelligence Act, and the CCPA's automated decision-making regulations, and we expect other jurisdictions will adopt similar laws. Certain consumer rights extended by privacy laws (e.g., the right to delete certain personal data and regulate automated decision-making) may also be incompatible with the use of AI technologies. Further, countries and states are applying their data and consumer protection laws to AI technologies, including generative AI and AI-enabled ‘chatbots.' As a result, our use of these technologies could result in additional compliance costs, lawsuits, and regulatory actions. However, our inability to use these technologies, or limitations on such use, could result in a competitive disadvantage. The interpretation and application of many privacy and data protection laws are, and will likely remain, uncertain, and it is possible that these laws may be interpreted and applied in a manner that is inconsistent with each other and with our existing data management practices, policies, or product features. If so, in addition to the possibility of fines, lawsuits (including class action claims), additional reporting requirements and/or oversight, bans or restrictions on processing personal data, orders to destroy or not use personal data, and other claims and penalties, we could be required to change our business activities and practices or to modify our practices, policies, or products, which could adversely affect our business. In addition to government regulation, privacy advocacy and industry groups may propose new and different self-regulatory standards that legally or contractually apply to us. Any inability by us, or our service providers and partners, to adequately address privacy, data protection, and data security concerns or comply with applicable privacy, data protection, or data security laws, regulations, policies, and other obligations, could result in additional costs and liability to us and adversely affect our reputation, sales, and business. In addition, any compromise of our information security, including that results in the unauthorized access, acquisition, or release of personal or other user data, or the perception that such a compromise has occurred, could harm our brand and reputation, discourage ticket sellers, buyers, and partners from using our platform, and result in litigation (including class claims) and/or fines and proceedings by governmental agencies, any of which could adversely affect our business, financial condition, and results of operations.

We operate in an increasingly competitive industry and face significant and continuous competition from other national, regional, local, and international primary and secondary ticketing service providers to acquire and retain ticket buyers, sellers, and partners. We also compete with other professional ticket resellers in our Resale segment, as well as with providers of other avenues for entertainment, including restaurants, movies, and television, for the discretionary spending of consumers. This competition could lead to decreased sale volumes and/or profit margins, which would adversely affect our business, financial condition, and results of operations. Competitive variables that could lead to a decrease in ticket orders, prices, fees, and/or profit margins, certain of which have adversely affected our past financial performance, include: competitive offerings that include more favorable terms or pricing; increased marketing spending by our competitors; consolidation among competitors resulting in their increased market share; technological changes and innovations, such as consumers' increasing use of AI to search for live event tickets, that we are unable to adopt or adapt to or are late in adopting or adapting to; other entertainment options or ticket inventory selections and varieties that we do not offer; increased pricing in the primary ticket marketplace, which could result in reduced profits for secondary ticket sellers; primary ticket marketplaces enacting policies that restrict or impede secondary ticket sales; and increased search engine marketing costs as competitors increase bid prices.

The supply of live events depends on several factors, many of which are outside of our control. We rely on artists and sports teams to perform and play at live events, and scenarios such as artists deciding to perform less frequently or at smaller venues, sports league lockouts, promoters or event venues failing to correctly anticipate demand for particular events, or negative trends in the entertainment and/or sporting industries that cause a reduction in the number or availability of live events adversely affect our business, financial condition, and results of operations. Our business also depends on demand for and attendance at live events, which is affected by, among other things, discretionary consumer and corporate spending. Many factors impact such spending, including economic conditions (e.g., unemployment levels, interest rates, inflation, and commodity prices), changes to tax rates/laws, public safety concerns, and other extraordinary events. Reduced discretionary spending, as well as other negative business or industry conditions or trends, can decrease demand for and attendance at live events, as well as reduce ticket sales, which adversely affect our revenue and operating results. All of these risks may become more acute during periods of economic slowdown, recession, and uncertainty. For example, the COVID-19 pandemic and related economic slowdown materially and adversely impacted our business, including due to event restrictions and cancellations. While live events are now generally held at pre-pandemic scope and scale, there can be no assurance that the supply of and/or demand for such events will not be negatively impacted by any future economic slowdown, recession, or uncertainty, which would adversely affect our business, financial condition, and results of operations.

Maintaining and enhancing our reputation and brand as a differentiated ticketing marketplace is critical in our ability to retain existing, and attract new, ticket buyers, sellers, and partners. The successful promotion of our brand requires significant investments of time, money, and effort, which may increase as our marketplace continues to expand and become more competitive. To the extent these investments yield increased revenue, it may not offset the increased expenses we incur. If we do not successfully maintain and enhance our brand and differentiate our marketplace from competitive products and services, our business may not grow, we may be unable to compete effectively, and we could lose existing, or fail to attract new, ticket buyers, sellers, or partners, any of which could adversely affect our business, financial condition, and results of operations. There are also many factors outside of our control that could undermine and/or harm our reputation and brand. A negative perception of our marketplace could adversely affect our business, including as a result of: complaints or negative publicity and our responsiveness thereto; our inability to timely comply with applicable laws, regulations, and/or consumer protection-related guidance; the use of our platform to sell fraudulent or counterfeit tickets; the timing of refunds and/or payment reversals through our platform; actual or perceived disruptions or defects in our platform; cybersecurity incidents; a lack of awareness of our policies; or changes to our policies that third parties perceive as overly restrictive, unclear, or inconsistent with our values. If we are unable to maintain a reputable, user-friendly, and effective platform that provides tickets to desirable events, our ability to attract and retain ticket buyers, sellers, and partners could be impaired and our reputation, brand, and business could be adversely affected.

Inflation can negatively impact our business by increasing our overall costs, particularly if we are unable to achieve commensurate increases to revenues. Inflation has resulted, and may continue to result, in elevated interest rates and capital costs, increased costs of labor, weakened exchange rates, reduced discretionary consumer and corporate spending, and other similar effects. As a result of inflation, we have experienced, and may continue to experience, increased costs. Although we may take measures to mitigate the effects of inflation, such measures may not be effective and, even if such measures are effective, there could be a difference in timing between the effects of inflation and of such measures. As a result, our business, financial condition (including liquidity), and results of operations may be adversely affected.

We have operations in Canada, Japan, and the United Kingdom, and we continue to strategically expand our international operations. Accordingly, we are subject to risks associated with doing business internationally, including, but not limited to: complying with a variety of newly applicable, and often changing and/or conflicting, laws and regulations, including those relating to anti-bribery, anti-corruption, anti-money laundering, data protection, and privacy; obtaining required governmental approvals, permits, and licenses; obtaining and enforcing our IP rights; staffing and managing our foreign operations; financial risks such as longer payment cycles, difficulty collecting accounts receivable, the impact of local and regional financial crises, and exposure to foreign currency exchange rate fluctuations; preferences by local consumers for local competitors; and political and economic instability. We may also have difficulty expanding our business internationally because of the difficulties associated with obtaining local ticket supply and/or limited brand recognition, which could delay or limit the acceptance of our services by ticket buyers, sellers, and partners in new markets and increased marketing and other costs associated with establishing our brand. If we are unable to successfully expand internationally or manage the risks associated therewith, our business, financial condition, and results of operations could be adversely affected.

The occurrence and threat of extraordinary events, including public safety concerns or disruptions, intentional or unintentional mass-casualty incidents, acts of civil unrest, terrorist attacks, military actions, disease epidemics or other public health concerns (and governmental responses thereto), natural disasters, and severe weather events, may deter or prevent artists, sports teams, promoters, or event venues from performing, playing, or operating and substantially decrease the demand for live events. Because Vegas.com is concentrated in Southern Nevada, which has recently experienced water and electricity shortages, it is particularly exposed to certain of these risks. The occurrence of extraordinary events has in the past adversely affected, and may in the future adversely affect, our business, financial condition, and results of operations. Event cancellations related to such events could also adversely affect our financial performance because we may be obligated to issue refunds or credits for previously purchased tickets. The global COVID-19 pandemic and related economic shutdown resulted in significant disruption to our business, the entertainment and sporting industries, and the global economy in 2020 and 2021. The pandemic led governments and other authorities around the world to impose measures intended to control its spread, including travel bans, border closings and restrictions, business closures, quarantines, and vaccine requirements. During the height of the pandemic, many artists, sports teams, promoters, and event venues around the world ceased performances, games, and operations. Because we depend on live events in order to generate revenue from ticket sales, the decreased supply of and demand for such events during the pandemic negatively impacted our business and financial condition. While live events are now generally held at pre-pandemic scope and scale, it is difficult to predict any future outbreaks of disease epidemics and whether restrictions could again be imposed. Any of these circumstances could again adversely affect the live events industry and our business and financial condition.

Our success depends upon the continued service of our senior management team and key technical employees, as well as our ability to continue to identify, attract, hire, integrate, develop, motivate, and retain highly skilled personnel for all areas of our organization. Each of our executive officers, key technical employees, and other personnel could terminate their relationship with us at any time. The loss of any member of our senior management team or key personnel could significantly delay or prevent the achievement of our business objectives and/or negatively impact our business and relationships. As such, effective succession planning and the execution of smooth personnel transitions is important to our long-term success. If we fail to effectively manage our hiring needs and execute smooth personnel transitions, our business may be adversely affected. Competition in our industry for qualified employees is intense. To attract top talent, we must offer competitive compensation arrangements and benefits packages, as well as periodically increase compensation levels in response to competition and inflation. If we fail to successfully attract, hire, and integrate new personnel, our efficiency and ability to meet forecasts, as well as employee morale, productivity, and retention, could suffer, which may adversely affect our business.