SEMrush Holdings (SEMR) Risk Factors

With consent from our customers, we obtain personal, confidential, and other customer data from our customers' websites, social media accounts, and Google Analytics' accounts to operate certain functionality on our platform or within products that we offer. We rely on credit card purchases as the primary means of collecting our premium subscription fees. In addition, with consent from our customers, we collect and store certain personally identifiable information ("personal data"), credit card information, and other data needed to create, support, and administer the customer account, conduct our business, and comply with legal obligations, including rules imposed by the Payment Card Industry networks. We take reasonable steps to protect the security, confidentiality, integrity, and availability of the information we and our third-party service providers hold, but there is no guarantee that despite our efforts, inadvertent disclosure (such as may arise from software bugs or other technical malfunctions, employee error or malfeasance, improper use of third-party artificial intelligence services, or other factors) or unauthorized access, acquisition, misuse, disclosure or loss of personal or other confidential information will not occur or that third parties will not gain unauthorized access to this information or disrupt or disable our systems or infrastructure. Attacks on information technology systems are increasing in their frequency, levels of persistence, sophistication and intensity, and they are being conducted by increasingly sophisticated and organized groups and individuals with a wide range of motives and expertise, including nation-state actors. Such attacks could include the deployment of harmful malware, system-disrupting ransomware, denial-of-service attacks, social engineering and other means to affect service reliability and threaten the confidentiality, integrity and availability of information. Further, the prevalence of remote work by our employees and those of our third-party service providers creates increased risk that a cybersecurity incident may occur. We have experienced, and may experience in the future, breaches of our security due to human error, malfeasance, system errors or vulnerabilities, or other irregularities. For example, we have been the target of attempts to identify and exploit system vulnerabilities and/or penetrate or bypass our security measures to gain unauthorized access to our systems, including a brute force attack that resulted in access to our affiliate program partner contact information. Since techniques used to conduct malicious cyber activities change frequently, we and our third-party service providers may be unable to anticipate these techniques or to implement adequate measures to prevent or detect them. If our security measures or the security measures of our third-party service providers fail, or if vulnerabilities in our software are exposed and exploited, and, as a result, a third party disrupts the operations of our systems or obtains unauthorized access to any customers' data, our relationships with our customers may be damaged, and we could incur liability. Further, our customers with annual subscription terms may have the right to terminate their subscriptions before the end of the subscription term due to our uncured material breach of agreement, including with respect to our data security obligations. It is also possible that unauthorized access to customer data may be obtained through inadequate use of security controls by customers, suppliers or other vendors. While we are not currently aware of any impact that supply chain attacks may have had on our business, these events are complex, difficult to defend against, and of unknown scope, therefore we could face a level of ongoing residual risk of security breaches or other incidents resulting from this type of event. We may also be subject to additional liability risks for failing to disclose data breaches or other security incidents under state data breach notification laws or under the private right of action granted to individuals under certain data privacy laws for actions arising from certain data security incidents, such as the California Consumer Privacy Act ("CCPA") (which is further discussed below in this "Risk Factors" section). In addition, some regions, such as the EU, the United Kingdom ("UK"), and the United States, have enacted mandatory data breach notification requirements for companies to notify data protection authorities, state and federal agencies, or individuals of data security incidents or personal data breaches. We may also be contractually required to notify certain customers in the event of a security incident pursuant to the applicable customer agreement. These mandatory disclosures regarding a security breach may lead to negative publicity and may cause our customers to lose confidence in the effectiveness of our data security measures. Any security breach, whether actual or perceived, may harm our reputation, and we could lose customers or fail to acquire new customers. Federal, state, and provincial regulators and industry groups may also consider and implement from time to time new privacy and security requirements that apply to our business, such as the long established Massachusetts data security regulations and the New York Stop Hacks and Improve Electronic Data Act, both of which establish administrative, technical, and physical data security requirements for companies, and permit civil penalties for each violation. Compliance with evolving privacy and security laws, requirements, and regulations may result in cost increases due to necessary systems changes, new limitations or constraints on our business models and the development of new administrative processes. They also may impose further restrictions on our collection, disclosure, and use of personal data kept in our databases or those of our vendors. If our security measures fail to protect credit card information adequately, we could be liable to both our customers and their users for their losses, as well as the vendors under our agreements with them such that we could be subject to fines and higher transaction fees, we could face regulatory action, and our customers and vendors could end their relationships with us, any of which could harm our business, results of operations or financial condition. Any intentional or inadvertent security breaches or other unauthorized access to or disclosure of personal data could expose us to enforcement actions, regulatory or governmental audits, investigations, litigation, fines, penalties, adverse publicity, downtime of our systems, and other possible liabilities. There can be no assurance that the limitations of liability in our contracts would be enforceable or adequate or would otherwise protect us from any such liabilities or damages with respect to any particular claim. In addition, our cybersecurity insurance coverage may be inadequate to cover all costs and expenses associated with a security incident that may occur in the future. We may need to devote significant resources to defend against, respond to and recover from cybersecurity incidents, diverting resources from the growth and expansion of our business.

In the ordinary course of business, we may be involved in and subject to litigation for a variety of claims or disputes and receive regulatory inquiries. These claims, lawsuits, and proceedings could include labor and employment, wage and hour, income tax, commercial, data privacy, antitrust, alleged securities law violations or other investor claims, and other matters. The number and significance of these potential claims and disputes may increase as our business expands. Any claim against us, regardless of its merit, could be costly, divert management's attention and operational resources, and harm our reputation. As litigation is inherently unpredictable, we cannot assure you that any potential claims or disputes will not have a material adverse effect on our business, results of operations, and financial condition. Any claims or litigation, even if fully indemnified or insured, could make it more difficult to compete effectively or to obtain adequate insurance in the future. In addition, we may be required to spend significant resources to monitor and protect our contractual, intellectual property, and other rights, including collection of payments and fees. Litigation has been and may be necessary in the future to enforce such rights. Such litigation could be costly, time consuming, and distracting to management and could result in the impairment or loss of our rights. Furthermore, our efforts to enforce our rights may be met with defenses, counterclaims, and countersuits attacking the validity and enforceability of such rights. Our inability to protect our rights, as well as any costly litigation or diversion of our management's attention and resources, could have an adverse effect on our business, results of operations, and financial condition or harm our reputation.

We hold personal data about a variety of individuals, such as our customers, users, employees, contractors, and business partners, and we use such personal data as needed to collect payment from our customers, communicate with and recommend products to our customers and prospective customers through our marketing and advertising efforts, and comply with legal obligations. Processing of personal data is increasingly subject to legislation and regulation in numerous jurisdictions around the world. For example, relevant applicable laws and regulations governing the collection, use, disclosure, security or other processing of personal information include, in the United States, rules and regulations promulgated under the authority of the Federal Trade Commission, the CCPA and similar state privacy laws, and state breach notification laws. The CCPA, for example, broadly defines personal information and provides an expansive meaning to activity considered to be a sale of personal information, and gives California residents expanded privacy rights and protections, including the right to opt out of the sale or sharing of personal information. The CCPA also provides for civil penalties for violations and a private right of action for certain data breaches involving personal information, which is expected to increase the likelihood of, and risks associated with, data breach litigation. The California Privacy Rights Act ("CPRA"), which became effective on January 1, 2023, imposes additional obligations on companies covered by the legislation and significantly modifies the CCPA, including by expanding consumers' rights with respect to certain sensitive personal information and establishes a state agency vested with the authority to enforce the CCPA. It is not yet fully clear how the CCPA (as amended by the CPRA) will be enforced and how it will be interpreted. Additionally, similar comprehensive privacy laws have been passed in many other states and a number of other states have proposed new privacy laws. While these new state laws incorporate many similar concepts, there are also several key differences in the scope, application, and enforcement of the laws that will change the operational practices of regulated businesses. These new laws will, among other things, impact how regulated businesses collect and process personal sensitive data, conduct data protection assessments, transfer personal data to affiliates and other third parties, and respond to consumer rights requests. The effects of the CCPA and other similar state or federal laws are potentially significant and may require us to modify our data collection or data processing practices and policies, and to incur substantial costs and potential liability in an effort to comply with such legislation. We maintain offices in the EU (including Cyprus, the Czech Republic, Germany, the Netherlands, Poland, and Spain), and we have customers in the EU and the UK. Accordingly, we are subject to the General Data Protection Regulation (EU) 2016/679 (the "EU GDPR"), and related member state implementing legislation. As of January 1, 2021, the UK's European Union (Withdrawal) Act 2018 incorporated the EU GDPR (as it existed on December 31, 2020 but subject to certain UK-specific amendments) into UK law (the "UK GDPR"). The EU GDPR and UK GDPR are collectively defined herein as "European Data Protection Law". European Data Protection Law places obligations on controllers and processors of personal data, while establishing rights for individuals with respect to their personal data, including rights of access and deletion in certain circumstances. European Data Protection Law is also explicitly extraterritorial in its application, and could affect our business activities in jurisdictions outside the EU and the UK. We have implemented measures designed to comply with the requirements of European Data Protection Law. In respect of these measures, we rely on positions and interpretations of the law (including European Data Protection Law) that have yet to be fully tested before the relevant courts and regulators. If a regulator or court of competent jurisdiction determined that one or more of our compliance efforts does not satisfy the applicable requirements of the law (including European Data Protection Law), or if any party brought a claim in this regard, we could be subject to governmental or regulatory investigations, enforcement actions, regulatory fines, compliance orders, litigation or public statements against us by consumer advocacy groups or others, any of which could cause customers to lose trust in us or otherwise damage our reputation. Likewise, a change in guidance could be costly and have an adverse effect on our business. Similarly, if the data collection and processing consents we obtain from our customers, and consumers, are found to be ineffective or noncompliant with the applicable requirements of the law (including European Data Protection Law), we could be subject to regulatory actions, inquiries, investigations, orders, penalties, fines and/or claims made by individuals and groups in private litigation. These potential actions could restrict our ability to collect or otherwise process personal data and may have an adverse impact on our business. European Data Protection Law also imposes strict rules on the transfer of personal data out of the EU/UK to third countries deemed to lack adequate privacy protections (including the United States), unless an appropriate safeguard specified by the European Data Protection Law is implemented, such as the Standard Contractual Clauses ("SCCs") approved by the European Commission, or a derogation applies. We rely on SCCs and certain derogations to transfer personal data from the EU and the UK to the United States. On July 16, 2020, the Court of Justice of the EU (the "CJEU") in its Schrems II decision ruled that transfers made pursuant to the SCCs and other alternative transfer mechanisms need to be analyzed on a case-by-case basis to ensure EU standards of data protection are met in the jurisdiction where the data importer is based. If the standard is not met, businesses will be required to adopt supplementary measures. On June 4, 2021, the European Commission published new versions of the SCCs ("New SCCs"), to align with the EU GDPR and to address the issues identified by the CJEU's Schrems II decision. The UK Information Commissioner's Office has published its own form of standard contractual clauses, referred to as the "International Data Transfer Agreement" or "IDTA" for the purposes of data transfers out of the UK. We and many other companies may need to implement different or additional measures to establish or maintain legitimate means for the transfer of personal data from Europe and the UK to the United States and other third countries, and we may, in addition to other impacts, experience additional costs associated with increased compliance burdens. Indeed, companies relying on SCCs or the IDTA to govern transfers of personal data to third countries will also need to assess whether the data importer can ensure sufficient guarantees for safeguarding the personal data under European Data Protection Law, including an analysis of the laws in the recipient's country. European or multi-national customers may refuse or be reluctant to use or continue to use our platform or products as a result of such developments until law makers and regulators in the EU and the United States have resolved the issues that instigated the decision of the CJEU noted above. This and other future developments regarding the flow of data across borders could increase the cost and complexity of delivering our platform and products in some markets and may lead to governmental enforcement actions, litigation, fines, and penalties or adverse publicity, which could have an adverse effect on our reputation and business. In addition, the UK has announced plans to reform the country's data protection legal framework in its Data Protection & Digital Information (No. 2) Bill, which will introduce significant changes from the EU GDPR. This may lead to additional compliance costs and could increase our overall risk exposure as we may no longer be able to take a unified approach across the EU and the UK, and will need to amend our processes and procedures to align with the new framework. We may find it necessary or advantageous to join industry bodies, or self-regulatory organizations, that impose stricter compliance requirements than those set out in applicable laws, including European Data Protection Law. We may also be bound by contractual restrictions that prevent us from participating in data processing activities that would otherwise be permissible under applicable laws, including European Data Protection Law. Such strategic choices may impact our ability to exploit data and may have an adverse impact on our business. We expect that there will continue to be new proposed laws, regulations, and industry standards concerning privacy, data protection, and information security in the United States, the EU, the UK, and other jurisdictions, and we cannot yet determine the impact such future laws, regulations, and standards may have on our business. These and other legal requirements could require us to make additional changes to our platform or products in order for us or our customers to comply with such legal requirements or reduce our ability to lawfully collect personal data used in our platform and products. These changes could reduce demand for our platform or products, require us to take on more onerous obligations in our contracts, restrict our ability to store, transfer, and process personal data or, in some cases, impact our ability or our customers' ability to offer our products in certain locations, to deploy our solutions, to reach current and prospective customers, or to derive insights from data globally. The costs of complying with existing or new data privacy or data protection laws and regulations, regulatory guidance, our privacy policies and contractual obligations to customers, users, or other third parties, may limit the use and adoption of our platform and products, reduce overall demand for our products, make it more difficult for us to meet expectations from or commitments to customers and users, lead to significant fines, penalties, or liabilities for noncompliance, impact our reputation, or slow the pace at which we close sales transactions, any of which could harm our business. Furthermore, the uncertain and shifting regulatory environment and trust climate may cause concerns regarding data privacy and may cause our vendors, customers and users to resist providing the data necessary to allow us to offer our platform and products to our customers and users effectively, or could prompt individuals to opt out of our collection of their personal data. Even the perception that the privacy of personal data is not satisfactorily protected or does not meet regulatory requirements could discourage prospective customers from subscribing to our products or discourage current customers from renewing their subscriptions. Compliance with any of the foregoing laws and regulations can be costly and can delay or impede the development of new products. We may incur substantial fines if we violate any laws or regulations relating to the collection or use of personal data. For example, the European Data Protection Law imposes sanctions for violations up to the greater of €20 million (£17.5 million) and 4% of worldwide gross annual revenue, enables individuals to claim damages resulting from infringement of the European Data Protection Law and introduces the right for non-profit organizations to bring claims on behalf of data subjects. The CCPA allows for fines of up to $7,500 for each violation and many other state laws contemplate penalties for violations. Our actual or alleged failure to comply with applicable privacy or data security laws, regulations, and policies, or to protect personal data, could result in enforcement actions and significant penalties against us, which could result in negative publicity or costs, subject us to claims or other remedies, and have a material adverse effect on our business, financial condition, and results of operations. Many aspects of data protection and privacy laws are relatively new and their scope has not been tested in the courts. As a result, these laws and regulations are subject to differing interpretations and may be inconsistent among jurisdictions. It is possible that these laws and regulations may be interpreted and applied in a manner that is inconsistent with our interpretations and existing data management practices or the features of our products. Certain of our activities could be found by a court, government or regulatory authority to be noncompliant or become noncompliant in the future with one or more data protection or data privacy laws, even if we have implemented and maintained a strategy that we believe to be compliant. Further, we may be subject to additional risks associated with data security breaches or other incidents, in particular because certain data privacy laws, including European Data Protection Law and the CCPA, grant individuals a private right of action arising from certain data security incidents. If so, in addition to the possibility of fines, lawsuits, and other claims and penalties, we could be required to fundamentally change our business activities and practices or modify our products, which could harm our business. We also receive personal data from third-party vendors (e.g., data brokers). We may not be able to verify with complete certainty the source of such data, how it was collected, and that such data was collected and is being shared with us in compliance with all applicable data protection and privacy laws. Our use of personal data obtained from third-party vendors could result in potential regulatory investigations, fines, penalties, compliance orders, liability, litigation, and remediation costs, as well as reputational harm, any of which could materially adversely affect our business and financial results. The requirements of European Data Protection Law pertaining to the licensing of data or obtaining such data from third parties are not entirely clear in all cases. It is possible that third parties may bring claims against us, alleging non-compliance with such requirements, and seeking damages, seeking to prevent us from using certain data, or seeking to prevent us from using data in particular ways. Such claims could potentially adversely affect our ability to provide our services and the current level of functionality of our platform in such circumstances, which could adversely affect our results of operations.

Our business environment is rapidly evolving and intensely competitive. We also face changing technologies, shifting user needs, and frequent introductions of rival products and services. To compete successfully, we must accurately anticipate technology developments and deliver innovative, relevant and useful products, services, and technologies in a timely manner. Likewise, we anticipate continuing pressure to innovate and develop a wider range of products and services. This will result in us needing to expend significant resources in research and development and potentially acquisitions of other companies or assets, to enhance our technology and new and existing products and services. To remain competitive and to acquire and retain new customers, we must deliver features and functionality that enhance the utility and perceived value of our platform, products, and add-ons to our prospective and existing customers. Our platform, products, and add-ons must (i) operate without the presence of material software defects, whether actual or perceived, (ii) maintain deep and rich data sources, (iii) adapt to the changing needs of our current and prospective customers including by developing new technology, (iv) adapt to changing functionality and provide interoperability with third-party APIs, (v) maintain and develop integrations with complementary third-party services that provide value to our customers, (vi) be easy to use and visually pleasing, (vii) deliver rapid return on investment to our customers across multiple functions within their organizations, and (viii) be delivered with a superior customer support experience. We may not be successful in delivering on some or all of the foregoing or in doing so while maintaining competitive pricing, which could result in customer dissatisfaction leading to termination or downgrades of premium subscriptions, fewer new free customers, fewer subscription upgrades or lower dollar-based net revenue retention rates, prospective customers' selection of our competitors' products over our own, and other adverse effects on our business. Many of our current and future competitors benefit from competitive advantages over us, such as greater name recognition, longer operating histories, more targeted products for specific use cases, larger sales and more established relationships or integrations with third-party data providers, search engines, online retail platforms, and social media networking sites, and more established relationships with customers in the market. Additionally, many of our competitors may expend a considerably greater amount of funds on their research and development efforts, and those that do not may be acquired by larger companies that would allocate greater resources to our competitors' research and development programs. Demand for our platform is also price sensitive. Many factors, including our marketing, sales and technology costs, and the pricing and marketing strategies of our competitors, can significantly affect our pricing strategies. Certain competitors offer, or may in the future offer, lower-priced or free products that compete with our platform, products, and/or add-ons, or may bundle their solutions with other companies' offerings to provide a broader range of functionality at reduced volume pricing. Similarly, certain competitors may use marketing strategies that enable them to acquire customers at a lower cost than we do. Even if such competitive products do not include all the features and functionality that our platform provides, we could face pricing pressure to the extent that customers find such alternative products to be sufficient to meet their needs or do not perceive a material return on investment from the additional features and functionality they would obtain by purchasing our platform relative to the competitive point solutions. Additionally, our competitors may further drive down the price through strategic business combinations. We may be forced to engage in price-cutting initiatives, offer other discounts, or increase our sales and marketing and other expenses to attract and retain free and paying customers in response to competitive pressures, any of which would harm our business and operating results.

Our revenue, results of operations, and cash flows depend on the overall demand for and use of technology and information for sales and marketing, which depends in part on the amount of spending allocated by our paying customers or potential paying customers on sales and marketing technology and information. In addition to the internal strategy of our paying customers, which is not predictable and is subject to change, this spending depends on worldwide economic and geopolitical conditions. As we continue to see increased economic uncertainty in the United States and abroad, we may see customers, especially SMBs that are disproportionately impacted by these conditions, reduce or stop spending on our products. Specifically, most of our paying customers are on month-to-month premium subscriptions that can be canceled at any time. Furthermore, the spending patterns of the SMBs that make up a large portion of our paying customer base are difficult to predict and are typically more susceptible to the adverse effects of economic fluctuations. Adverse changes in the economic environment or business failures of our SMB customers may have a greater impact on us than our competitors who do not focus on SMBs to the extent that we do.

The design and development of our products is primarily conducted by our subsidiaries in the Czech Republic, Cyprus, Spain, Serbia, Armenia, Germany, the Netherlands, and Poland. We also have marketing and administrative operations in the same jurisdictions. In addition, members of our sales force are located in Europe, the United Kingdom, and Asia. Approximately 52% and 53% of our revenue for the years ended December 31, 2023 and 2022, respectively, was generated from sales to paying customers located outside the United States including indirect sales through our resellers outside of the United States. As a result of our international operations and sales efforts, we face numerous challenges and risks that could harm our international operations, delay new product releases, increase our operating costs, and hinder our ability to grow and detect underlying trends in our operations and business, and consequently adversely impact our business, financial condition, and results of operations. Such risks include but are not limited to the following: - geopolitical and economic instability in and impacting the localities where we have foreign operations;- rising inflation impacting the stability of our workforce and foreign operations;- military conflicts impacting the localities where we have foreign operations;- limited protection for, and vulnerability to theft of, our intellectual property rights, including our trade secrets;- compliance with local laws and regulations, and unanticipated changes in local laws and regulations, including tax laws and regulations;- trade and foreign exchange restrictions and higher tariffs;- the complexity of managing international trade sanctions and export restrictions imposed by the United States government and other jurisdictions in which we have foreign operations;- fluctuations in foreign currency exchange rates which may make our premium subscriptions more expensive for international paying customers and which may increase our expenses for employee compensation and other operating expenses that are paid in currencies other than U.S. dollars;- difficulties in staffing international operations;- changes in immigration policies which may impact our ability to hire personnel;- differing employment practices, laws, and labor relations; and - regional health issues and the impact of public health epidemics and pandemics on employees and the global economy. Further, it is possible that governments of one or more foreign countries may seek to limit access to the internet or our platform, products or certain features in their countries, or impose other restrictions that may affect the availability of our platform, products, or certain features in their countries for an extended period of time or indefinitely. For example, China is among a number of countries that have blocked certain online services, including Amazon Web Services, making it difficult for such services to access those markets. In addition, governments in certain countries may seek to restrict or prohibit access to our platform if they consider us to be in violation of their laws (including privacy laws) and may require us to disclose or provide access to information in our possession. If we fail to anticipate developments in the law or fail for any reason to comply with relevant laws, our platforms could be further blocked or restricted and we could be exposed to significant liability that could harm our business. In the event that access to our platform is restricted, in whole or in part, in one or more countries or our competitors are able to successfully penetrate geographic markets that we cannot access, our ability to acquire new customers or renew or grow the premium subscriptions of existing paying customers may be adversely affected, we may not be able to maintain or grow our revenue as anticipated and our business, results of operations, and financial condition could be adversely affected.