Tenable Holdings (TENB) Risk Factors

Our subscription offerings are term-based and a majority of our subscription contracts are for one year in duration. In order for us to maintain or improve our results of operations, it is important that a high percentage of our customers renew their subscriptions with us when the existing subscription term expires, and renew on the same or more favorable terms. Our customers have no obligation to renew their subscriptions, and we may not be able to accurately predict customer renewal rates. In addition, the growth of our business depends in part on our customers expanding their use of subscription offerings and related services. Historically, some of our customers have elected not to renew their subscriptions with us for a variety of reasons, including as a result of changes in their strategic IT priorities, budgets, costs and, in some instances, due to competing solutions. Our retention rate may also decline or fluctuate if our existing customers choose to reduce or delay technology spending in response to economic conditions, including those resulting from exchange rate fluctuations relative to the U.S. dollar that make our products more expensive to existing customers, high rates of inflation and interest rates or concerns of an economic recession in the United States or other major markets, that could lead to decreased spending, as well as a result of a number of other factors, including our customers' satisfaction or dissatisfaction with our software, the increase in the contract value of subscription and support contracts from new customers, the effectiveness of our customer support services, our pricing, the prices of competing products or services, mergers and acquisitions affecting our customer base, global economic conditions, and the other risk factors described in this Annual Report on Form 10-K. We cannot assure you that customers will maintain their agreements with us, renew subscriptions or increase their usage of our software. If our customers do not maintain or renew their subscriptions or renew on less favorable terms, or if we are unable to expand our customers' use of our software, our business, results of operations, and financial condition may be harmed.

Subscriptions and perpetual licenses to our enterprise platform are generally priced based on the number of IP addresses or total IT assets that can be monitored. We expect that we may need to change our pricing from time to time. As competitors introduce new products that compete with ours or reduce their prices, we may be unable to attract new customers or retain existing customers based on our historical pricing. We also must determine the appropriate price to enable us to compete effectively internationally. Moreover, mid- to large-size enterprises may demand substantial price discounts as part of the negotiation of sales contracts and, as the amount of IT assets or IP addresses within our customers' organization grows, we may face additional pressure from our customers regarding our pricing. As a result, we may be required or choose to reduce our prices or change our pricing model, which could adversely affect our business, revenue, operating margins and financial condition. Further, our subscription agreements and perpetual licenses generally provide that we can audit our customers' use of our offerings to ensure compliance with the terms of such agreement or license and monitor an increase in IT assets and IP addresses being monitored. However, a customer may resist or refuse to allow us to audit their usage, in which case we may have to pursue legal recourse to enforce our rights under the agreement or license, which would require us to spend money, distract management and potentially adversely affect our relationship with our customers and users.

Companies in the software and technology industries, including some of our current and potential competitors, own significant numbers of patents, copyrights, trademarks and trade secrets and frequently enter into litigation based on allegations of infringement or other violations of intellectual property rights. In addition, many of these companies have the capability to dedicate substantially greater resources to enforce their intellectual property rights and to defend claims that may be brought against them. The litigation may involve patent holding companies or other adverse patent owners that have no relevant product revenue and against which our patents may therefore provide little or no deterrence. In the past, we have been subject to allegations of patent infringement that were unsuccessful, and we expect in the future to be subject to claims that we have misappropriated, misused, or infringed other parties' intellectual property rights, and, to the extent we gain greater market visibility or face increasing competition and as we acquire more companies, we face a higher risk of being the subject of intellectual property infringement claims, which is not uncommon with respect to enterprise software companies. We may in the future be subject to claims that employees or contractors, or we, have inadvertently or otherwise used or disclosed trade secrets or other proprietary information of our competitors or other parties. To the extent that intellectual property claims are made against our customers based on their usage of our technology, we have certain obligations to indemnify and defend such customers from those claims. The term of our contractual indemnity provisions often survives termination or expiration of the applicable agreement. Large indemnity payments, defense costs or damage claims from contractual breach could harm our business, results of operations and financial condition. There may be third-party intellectual property rights, including issued or pending patents that cover significant aspects of our technologies or business methods, including those relating to companies we acquire. Any intellectual property claims, with or without merit, could be very time-consuming, could be expensive to settle or litigate, could divert our management's attention and other resources and could result in adverse publicity. These claims could also subject us to making substantial payments for legal fees, settlement payments, and other costs or damages, potentially including treble damages if we are found to have willfully infringed patents or copyrights. These claims could also result in our having to stop making, selling, offering for sale, or using technology found to be in violation of a third party's rights. We might be required to seek a license for the third-party intellectual property rights, which may not be available on reasonable terms or at all. Even if a license is available to us, we may be required to pay significant upfront fees, milestones or royalties, which would increase our operating expenses. Moreover, to the extent we only have a license to any intellectual property used in our solutions, there may be no guarantee of continued access to such intellectual property, including on reasonable terms. As a result, we may be required to develop alternative non-infringing technology, which could require significant effort and expense. If a third party is able to obtain an injunction preventing us from accessing such third-party intellectual property rights, or if we cannot license or develop technology for any infringing aspect of our business, we would be forced to limit or stop sales of our software or cease business activities covered by such intellectual property, and may be unable to compete effectively. Any of these results would adversely affect our business, results of operations, financial condition and cash flows.

In the ordinary course of our business, we collect, store, use, transmit, disclose or otherwise process proprietary, confidential, and sensitive information, including personal data, intellectual property, and trade secrets. We sell cybersecurity products and, as a result, may be at increased risk of being a target of cyberattacks designed to penetrate our platform or internal systems, to compromise our data, alter or modify our source code, or to otherwise impede the performance of our products. Threats to information systems and data come from a variety of sources. In addition to computer "hackers," threat actors, personnel (such as through theft or misuse), "hacktivists," organized criminal threat actors, sophisticated nation-states and nation-state-supported actors now engage and are expected to continue to engage in cyber-attacks. Nation-state actors and nation-state-supported actors may engage in such attacks for geopolitical reasons and in conjunction with military conflicts and defense activities, including the ongoing conflict between Ukraine and Russia, the ongoing conflict in the Middle East, and rising tensions between China and Taiwan. During times of war and other major conflicts, we, third parties upon which we may rely, and our customers may be vulnerable to a heightened risk of these threats, including retaliatory cyber-attacks that could materially disrupt our systems and operations, supply chain, and ability to produce, sell and distribute our goods and services. We, our customers, and the third parties upon which we rely are subject to a variety of evolving threats, which are prevalent, continue to rise, and increasingly difficult to detect. These threats include but are not limited to: social-engineering attacks (including through deep fakes, which may be increasingly more difficult to identify as fake, and phishing attacks); credential harvesting; malicious code (such as viruses and worms); malware (including as a result of advanced persistent threat intrusions); denial-of-service attacks, credential stuffing; personnel misconduct or error; ransomware attacks; supply-chain attacks; software bugs; server malfunctions; software or hardware failures; loss of data or other information technology assets; adware; telecommunications failures; attacks enhanced or facilitated by artificial intelligence and other similar threats. In particular, ransomware attacks, including those from organized criminal threat actors, nation-states and nation-state supported actors, are becoming increasingly prevalent and severe and can lead to significant interruptions, delays, or outages in our operations, loss of data, loss of income, significant extra expenses to restore data or systems, reputational loss and the diversion of funds. To alleviate the financial, operational and reputational impact of a ransomware attack, it may be necessary to make extortion payments, but we may be unable to do so if, for example, applicable laws prohibit such payments. Additionally, we are incorporated into the supply chain of a large number of companies worldwide and, as a result, if our solutions are compromised, a significant number or, in some instances, all of our customers and their data could be simultaneously affected. The potential liability and associated consequences we could suffer as a result of such a large-scale event could be catastrophic and result in irreparable harm. The increased prevalence of remote work and use of remote devices has increased risks to our information technology systems and data, as more of our employees utilize network connections, computers and devices outside of our premises or network, including working at home, while in transit and in public locations. Furthermore, future or past business transactions, such as acquisitions or integrations, could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities' systems and technologies. Furthermore, we may discover security issues that were not identified during due diligence of such acquired or integrated entities, and it may be difficult to integrate other companies into our information technology environment and security program. We rely on third-party service providers and technologies to operate critical business systems, including processing confidential and sensitive information, including, without limitation, cloud-based infrastructure, data center facilities, encryption and authentication technology, employee email and other functions. We also rely on third-party service providers to provide other products, services, or otherwise, to operate our business and elements of our infrastructure, including endpoints. Our ability to monitor these third parties' information security practices is limited, and these third parties may not have adequate information security measures in place. Additionally, software errors or vulnerabilities in these third-party technologies could result in significant disruptions to our information technology systems, leading to downtime, data loss, or compromised data integrity. If our third-party service providers experience a security incident or other interruption or cause an extended outage or disruption to our systems, we could experience adverse consequences. It is possible that our customers and potential customers would hold us accountable for any security incident affecting our third-party service providers' infrastructure or other interruption caused by our third-party service providers that impacts our infrastructure. We may incur significant liability from those customers and from other third parties with respect to any such incident. Because our agreements with certain third-party service providers, such as Amazon Web Services, or AWS, limit their liability for damages, we may not be able to recover a material portion of our liabilities to our customers and third parties arising from issues with such third-party service providers, such as AWS, in the event of an incident affecting the third parties' systems. Moreover, while we may be entitled to damages from other third-party service providers if they fail to satisfy their privacy or security-related obligations to us or if they cause a disruption in our infrastructure, any award may be insufficient to cover our damages, or we may be unable to recover such reward. In addition, supply-chain attacks have increased in frequency and severity and there have been high-profile incidents of third-party service providers causing widespread disruptions in their customers' infrastructures due to errors in their SaaS offerings, such as the Windows outage caused by a flawed CrowdStrike software update that occurred in July of 2024. We cannot guarantee that third parties' infrastructure in our supply chain or our third-party partners' supply chains have not been compromised or that errors by our third-party service providers won't cause disruptions in our infrastructure. While we have implemented security and technology measures designed to protect against security incidents or other interruptions, there can be no assurance that these measures will be effective. We have experienced, and may in the future experience, disruptions, outages, and other performance problems due to a variety of factors, including infrastructure changes, deliberate or unintentional human or software defects and configuration errors (including by third parties), capacity constraints, fraud or security incidents. We take steps designed to detect, mitigate and remediate vulnerabilities and defects and configuration errors in our information technology systems (such as our hardware and software, including that of third parties upon which we rely) and in our software applications, products and services. We may not, however, be able to detect and remediate all such vulnerabilities, defects or configuration errors on a timely basis. For example, we have identified certain vulnerabilities in our information systems and software applications, and we take steps designed to mitigate the risks associated with known vulnerabilities. Despite our efforts, there can be no assurance that these vulnerability, defect and configuration error mitigation measures will be completely effective. Further,we may experience delays in developing and deploying remedial measures and patches designed to address any such identified vulnerabilities, defects or configuration errors. Any of these or similar threats could cause a security incident or other interruption that can result in unauthorized, unlawful, or accidental acquisition, modification, destruction, loss, alteration, encryption, disclosure of, or access to our proprietary, confidential, and sensitive information or our information technology systems, or those of the third parties upon whom we rely. A security incident or other interruption could disrupt our ability (and that of third parties upon whom we rely) to provide our solutions. In some instances, we or our third-party service providers may not be able to identify the cause or cause of these security incidents or performance problems within an acceptable period of time. If our solutions are unavailable or if our customers are unable to access features of our solutions within a reasonable amount of time or at all, our business could be adversely affected. In addition, if any of the third-party providers we use were to experience or cause a significant or prolonged outage or security incident, our business could be adversely affected. We may expend significant resources or modify our business activities to try to protect against security incidents. Certain data privacy and security obligations may require us to implement and maintain specific security measures, industry-standard or reasonable security measures to protect our information technology systems and proprietary, confidential, and sensitive information, including personal data. Data protection requirements may also require us to notify relevant stakeholders of security incidents, including affected individuals, partners, collaborators, customers, regulators, law enforcement agencies and others. Such disclosures are costly, and the disclosures or failure to comply with such requirements could lead to adverse consequences. Additionally, even if we have issued or otherwise made patches or information for vulnerabilities in our software applications, products or services, our customers may be unwilling or unable to deploy such patches and use such information effectively and in a timely manner. Vulnerabilities could be exploited and result in a security incident. If we, our customers, or a third party upon which we rely, experience or cause a security incident or other interruption, or are perceived to have experienced or caused a security incident or other interruption, we may experience adverse consequences, such as government enforcement actions (for example, investigations, fines, penalties, audits, and inspections); additional reporting obligations and/or oversight; restrictions on processing information (including personal data); litigation (including class claims); indemnification obligations; negative publicity; reputational harm; monetary fund diversions; interruptions of our operations (including availability of data); financial loss (including by issuing credits to our customers); diversion of management attention; and other similar harm. Security incidents or other disruptions and attendant consequences may cause customers to stop using our solutions (including by not renewing their purchases of our solutions), deter new customers from using our solutions, and negatively impact our ability to grow and operate our business. There can be no assurance that any limitations or exclusions of liabilities in our contracts would be enforceable or adequate or would otherwise protect us from liabilities or damages if we fail to comply with data protection requirements related to information security or security incidents. We cannot be sure that our insurance coverage will be adequate or otherwise protect us from or adequately mitigate liabilities or damages with respect to claims, costs, expenses, litigation, fines, penalties, business loss, data loss, regulatory actions or other impacts arising out of security incidents. In addition, we face unique risks as a SaaS company, particularly in light of our business model. If our solutions fail to detect vulnerabilities in our customers' cybersecurity infrastructure, including for remote devices, or if our solutions fail to identify new and increasingly complex methods of cyberattacks, our business may suffer and our customers' businesses may be damaged, including by interrupting their networking traffic or operational technology environments. There is no guarantee that our solutions will detect all vulnerabilities or threats in our customers' systems, especially in light of the rapidly changing security landscape to which we must respond. Additionally, our solutions may falsely detect vulnerabilities or threats that do not actually exist. For example, our solutions rely on information provided by an active community of users who contribute information about new exploits, attacks and vulnerabilities. If the information from these third parties is inaccurate, the potential for false indications of vulnerabilities or threats increases. These false positives, while typical in the industry, may impair the perceived reliability of our offerings. Additionally, our business depends upon the appropriate and successful implementation of our product by our customers. If our customers fail to use our solutions according to our specifications, our customers may suffer a security incident on their own systems or other adverse consequences. Even if such an incident is unrelated to our security practices, it could result in our incurring significant economic and operational costs in investigating, remediating, and implementing additional measures to further protect our customers from their own vulnerabilities. The reliability and continuous availability of our solutions is critical to our success. We have experienced errors or defects in the past in connection with the release of new solutions and product upgrades, and we expect that these errors or defects will be found from time to time in the future in new or enhanced solutions after commercial release. In addition, we use third parties to assist in the development of our products and these third parties could be a source of errors or defects. Some defects may cause our solutions to be vulnerable to attacks, cause them to fail to detect vulnerabilities, or temporarily interrupt customers' networking traffic or operational technology environments, any of which may damage our customers' business and could hurt our reputation. As a result of any of the risks associated with our SaaS business, we may experience adverse consequences. We may also be subject to liability claims for damages related to errors or defects in our solutions.

In the ordinary course of our business, we collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share (collectively, "process") personal data and other sensitive information, including proprietary and confidential business information, trade secrets, intellectual property, and sensitive third-party information. Our data processing activities subject us to numerous data privacy and security obligations, such as various laws, rules, regulations, guidance, industry standards, external and internal privacy and security policies, contracts, and other obligations that govern the processing of personal data by us and on our behalf. In the United States, federal, state, and local governments have enacted numerous data privacy security laws, including data breach notification laws, data privacy laws, consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), and other similar laws (e.g., wiretapping laws). In the past few years, numerous U.S. states-including California, Virginia, Colorado, Connecticut, and Utah-have enacted comprehensive privacy laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording residents with certain rights concerning their personal data. As applicable, such rights may include the right to access, correct, or delete certain personal data, and to opt-out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. The exercise of these rights may impact our business and ability to provide our products and services. Certain states also impose stricter requirements for processing certain personal data, including sensitive information, such as conducting data privacy impact assessments. These state laws allow for statutory fines for noncompliance. For example, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, CPRA or collectively, the CCPA, imposes obligations on covered businesses to provide specific disclosures in privacy notices and honor requests of California residents to exercise certain rights related to their personal data. The CCPA applies to personal data of business representatives and employees and provides for fines for noncompliance (up to $7,500 per intentional violation). Further, the CPRA's recent amendments expanded the CCPA's requirements, including by adding a new right for individuals to correct their personal data and by establishing a new regulatory agency to implement and enforce the law, which could increase the risk of an enforcement action. Similar laws have been passed or are being considered in several other states, as well as at the federal and local levels, and we expect more states to pass similar laws in the future. These developments may further complicate compliance efforts and may increase legal risk and compliance costs for us, the third parties upon whom we rely, and our customers. Additionally, under various privacy laws and other obligations, we may be required to provide certain notices and obtain consents to process certain types of personal data. For example, some of our data processing practices may be challenged including in relation to our use of chatbot and session replay providers. Our inability or failure to obtain consent for these practices could result in adverse consequences. Outside the United States, an increasing number of laws, regulations, and industry standards govern data privacy and security. For example, the European Union's General Data Protection Regulation, or EU GDPR, and the United Kingdom's GDPR, or UK GDPR, impose strict requirements for processing the personal data of individuals. Violations of these obligations carry significant potential consequences. For example, under the EU GDPR, government regulators may impose temporary or definitive bans on processing, as well as fines of up to €20 million or 4% of the annual global revenue, whichever is greater. We have an internal data privacy function that oversees and supervises our compliance with European and UK data protection regulations but, despite our efforts, we may fail, or be perceived to have failed, to comply. Canada's Personal Information Protection and Electronic Documents Act, or PIPEDA, and various related provincial laws, Canada's Anti-Spam Legislation, or CASL, and Brazil's General Data Protection Law (Law No. 13,709/2018), or Lei Geral de Proteção de Dados Pessaois, or LGPD, may apply to our operations. The LGPD broadly regulates processing personal data of individuals in Brazil and imposes compliance obligations and penalties comparable to those of the EU GDPR. Additionally, we also target customers in Asia and may be subject to new and emerging data privacy regimes in Asia, including China's Personal Information Protection Law, Japan's Act on the Protection of Personal Information, and Singapore's Personal Data Protection Act. In addition, we may be unable to transfer personal data from Europe and other jurisdictions to the United States or other countries due to data localization requirements or limitations on cross-border data flows. Europe and other jurisdictions have enacted laws requiring data to be localized or limiting the transfer of personal data to other countries. In particular, the European Economic Area, or EEA, and the United Kingdom, or UK, have significantly restricted the transfer of personal data to the United States and other countries whose privacy laws it believes are inadequate. Other jurisdictions may adopt similarly stringent interpretations of their data localization and cross-border data transfer laws. Although there are currently various mechanisms that may be used to transfer personal data from the EEA and UK to the United States in compliance with law, such as the EEA standard contractual clauses, the UK's International Data Transfer Agreement/Addendum, and the EU-U.S. Data Privacy Framework and the UK extension thereto (which allows for transfers to relevant U.S.-based organizations who self-certify compliance and participate in the Framework), these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal data to the United States. If there is no lawful manner for us to transfer personal data from the EEA, the UK, or other jurisdictions to the United States, or if the requirements for a legally-compliant transfer are too onerous, we could face significant adverse consequences, including the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions at significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors and other third parties, and injunctions against our processing or transferring of personal data necessary to operate our business. Additionally, companies that transfer personal data out of the EEA and UK to other jurisdictions, particularly to the United States, are subject to increased scrutiny from regulators, individual litigants, and activist groups. For example, some European regulators have significantly restricted some companies from transferring certain personal data out of Europe for allegedly violating the GDPR's cross-border data transfer limitations. In addition to data privacy and security laws, we are contractually subject to industry standards adopted by industry groups and may become subject to such obligations in the future. Furthermore, we are bound by other contractual obligations relating to data privacy and security, and our efforts to comply with such obligations may not be successful. For example, certain privacy laws, such as the GDPR and the CCPA, require our customers to impose specific contractual restrictions on their service providers. Additionally, some of our customer contracts require us to host personal data locally. We have published privacy policies, marketing materials and other statements, such as compliance with certain certifications or self-regulatory principles, regarding data privacy and security. If these policies, materials or statements are found to be deficient, lacking in transparency, deceptive, unfair, or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators, or other adverse consequences. Our obligations related to data privacy and security (and customers' data privacy expectations) are quickly becoming increasingly stringent, and creating uncertainty. Additionally, these obligations may be subject to differing applications and interpretations, which may be inconsistent or in conflict among jurisdictions. Preparing for and complying with these obligations requires us to devote significant resources. These obligations may necessitate changes to our services, information technologies, systems, and practices and to those of any third parties that process personal data on our behalf. Existing and proposed laws and regulations can be costly to comply with, can delay or impede the development or adoption of our products and services and require significant management time and attention. Although we endeavor to comply with all data privacy and security obligations, we may at times fail (or be perceived to have failed) to do so. Moreover, despite our efforts, our personnel or third parties upon which we rely may fail to comply with such obligations, which could negatively impact our business operations and compliance posture. If we or the third parties upon which we rely fail, or are perceived to have failed, to address or comply with applicable data privacy and security obligations, we could face significant consequences. These consequences include, but are not limited to: government enforcement actions (such as investigations, fines, penalties, audits, inspections, and similar actions); litigation (including class-action related claims) and mass arbitration demands; additional reporting requirements and/or oversight; bans on processing personal data; and orders to destroy or not use personal data. In particular, plaintiffs have become increasingly more active in bringing privacy-related claims against companies, including class claims and mass arbitration demands. Some of these claims allow for the recovery of statutory damages on a per violation basis, and, if viable, carry the potential for significant statutory damages, depending on the volume of data and the number of violations. Any of these events could have a material adverse effect on our reputation, business, or financial condition, including but not limited to: interruptions or stoppages in our business operations, inability to process personal data or operate in certain jurisdictions; limited ability to develop or commercialize our products; expenditure of time and resources to defend any claim or inquiry; reputational harm; loss of customers; reduction in the use of our products; or revision or restricting of our operations.

At December 31, 2023 we had U.S. federal, state and foreign net operating loss carryforwards, or NOLs, of $372.5 million, $246.6 million, and $469.3 million, respectively, available to offset future taxable income, some of which will begin to expire in 2030. A lack of future taxable income would adversely affect our ability to utilize certain of our NOLs before they expire. Under current law, Federal NOLs incurred in taxable years beginning after December 31, 2017 can be carried forward indefinitely, but the deductibility of such federal NOLs is limited to 80% of taxable income. In addition, under the provisions of the Internal Revenue Code of 1986, as amended, or the Internal Revenue Code, changes in our ownership may limit the amount of pre-change NOLs that can be utilized annually in the future to offset taxable income. Section 382 of the Internal Revenue Code imposes limitations on a company's ability to use its NOLs to offset its taxable income if one or more stockholders or groups of stockholders that each own at least 5% of the company's stock increase their aggregate ownership (by value) by more than 50 percentage points over their lowest ownership percentages within a rolling three-year period. Similar rules may apply under state and foreign tax laws. Based upon an analysis at December 31, 2023, we do not expect these limitations to materially impair our ability to use our NOLs prior to expiration. However, if changes in our ownership occurred after such date, or occur in the future, our ability to use our NOLs may be limited. Subsequent statutory or regulatory changes in respect of the utilization of NOLs for federal, state or foreign purposes, such as suspensions on the use of NOLs or limitations on the deductibility of NOLs carried forward, or other unforeseen reasons, may result in our existing NOLs expiring or otherwise being unavailable to offset future income tax liabilities. For these reasons, we may not be able to utilize a material portion of our NOLs, even if we achieve profitability.

Certain U.S. government contracts may require our employees to maintain various levels of security clearances, and may require us to maintain a facility security clearance, to comply with Department of Defense, or DoD, requirements. The DoD has strict security clearance requirements for personnel who perform work in support of classified programs. Obtaining and maintaining a facility clearance and security clearances for employees can be a difficult, sometimes lengthy process. If we do not have employees with the appropriate security clearances, then a customer requiring classified work could terminate an existing contract or decide not to renew the contract upon its expiration. To the extent we are not able to obtain or maintain a facility security clearance, we may not be able to bid on or win new classified contracts, and existing contracts requiring a facility security clearance could be terminated.

Our success is dependent in part upon establishing and maintaining relationships with a variety of channel partners that we utilize to extend our geographic reach and market penetration. We typically use a two-tiered,channel model whereby we sell our products and services to our distributors, who in turn sell to our resellers, who then sell to our end users, who we call customers. We anticipate that we will continue to rely on this two-tiered sales model in order to help facilitate sales of our offerings as part of larger purchases in the United States and to grow our business internationally. In the nine months ended September 30, 2024 and 2023, we derived 94% and 93%, respectively, of our revenue from subscriptions and perpetual licenses sold through channel partners, and the percentage of revenue derived from channel partners may continue to increase in future periods. Ingram Micro, Inc., a distributor, accounted for 34% and 36% of our revenue in the nine months ended September 30, 2024 and 2023, respectively, and 32% of our accounts receivable at September 30, 2024 and December 31, 2023. Our agreements with our channel partners, including our agreement with Ingram Micro, are non-exclusive and do not prohibit them from working with our competitors or offering competing solutions, and some of our channel partners may have more established relationships with our competitors. Similarly, our channel partners have no obligations to renew their agreements with us on commercially reasonable terms or at all, and certain of the agreements governing these relationships may be terminated by either party at any time, with no or limited notice. For example, our agreement with Ingram Micro allows Ingram Micro to terminate the agreement in their discretion upon 30 days' written notice to us. If our channel partners choose to place greater emphasis on products of their own or those offered by our competitors or as a result of an acquisition, competitive factors or other reasons do not continue to market and sell our solutions in an effective manner or at all, our ability to grow our business and sell our solutions, particularly in key international markets, may be adversely affected. In addition, our failure to recruit additional channel partners, or any reduction or delay in their sales of our solutions and professional services, including as a result of economic uncertainty, legal or regulatory actions, such as government investigations or law enforcement activities, impacting their business, or conflicts between channel sales and our direct sales and marketing activities may harm our results of operations. Finally, even if we are successful, our relationships with channel partners may not result in greater customer usage of our solutions and professional services or increased revenue. Item 2.        Unregistered Sales of Equity Securities and Issuer Purchases of Equity Securities

The global economy, including credit and financial markets, has recently experienced extreme volatility and disruptions, including severely diminished liquidity and credit availability, declines in consumer confidence, declines in economic growth, increases in unemployment rates, increases in inflation rates, higher interest rates and uncertainty about economic stability. For example, in recent years the COVID-19 pandemic, high rates of inflation, high interest rates and concerns about an economic recession in the United States or other major markets resulted in widespread unemployment, economic slowdown and extreme volatility in the capital markets. The Federal Reserve recently raised interest rates multiple times in response to concerns about inflation and is expected to continue to raise rates. Higher interest rates, coupled with reduced government spending and volatility in financial markets, including with respect to foreign exchange, may increase economic uncertainty and affect consumer spending. For example, during periods with a relatively strong U.S. dollar, our products are more expensive for existing and prospective international customers, which has impacted, and could in the future impact, the budgets and purchasing decisions of certain of our existing and prospective international customers. If the equity and credit markets deteriorate, including as a result of political unrest or war, it may make any necessary debt or equity financing more difficult to obtain in a timely manner or on favorable terms, more costly or more dilutive. Increased inflation rates can adversely affect us by increasing our costs, including labor and employee benefit costs. In addition, higher inflation also could increase our customers' operating costs, which could result in reduced budgets for our customers, longer sales cycles and potentially less demand for our products. Any significant increases in inflation and related increase in interest rates could have a material adverse effect on our business, results of operations and financial condition.