TTEC Holdings (TTEC) Risk Analysis

Cyberattacks. Our business involves the use, storage, and transmission of clients', their customers', and our employees' information. We also monitor and support information technology systems for certain clients through cloud-based and on-client-premises managed services model. While we believe we take reasonable security measures to prevent unauthorized access to our information technology systems and to our clients' systems, and to protect the privacy of personal and proprietary information that we access and store, our security controls over our systems have not prevented in the past and may not prevent in the future improper access to these systems or unauthorized disclosure of this information. Such unauthorized access or disclosure could subject, and in the past has subjected us to significant liability under relevant laws, our contracts, and our licenses to perform certain regulated services; and could harm our reputation, resulting in material impacts to our results of operations, loss of future revenue and business opportunities. These risks may further increase as our business model now relies on a higher percentage of work delivered from home, in addition to our traditional delivery center model. The risks may also increase, as we expand geographically into new locations, where cybersecurity is difficult to assure. In recent years, there have been an increasing number of high-profile security breaches at companies and government agencies, when hackers, cyber criminals and state actors launch a broad range of ransomware, data exfiltration, and other cyberattacks targeting information technology systems. Information security breaches, computer viruses, service interruption, loss of business data, DDoS (distributed denial of service) attacks, ransomware and other cyberattacks on any of our systems or on our clients' systems, through our channels, have and in the future could disrupt our normal operations, our cloud platform digital offerings, our clients' on-premise managed service offerings, and our corporate functions, impeding our ability to provide critical services to our clients and financial reporting of our results of operations. Techniques used by cyber criminals to obtain unauthorized access, disable or degrade services, or sabotage systems evolve frequently and may not immediately be detected, and we may be unable to implement adequate preventative measures. As we previously reported, in 2021, we experienced two significant cybersecurity incidents. One involved a global supply chain compromise that impacted thousands of companies worldwide, including a TTEC Digital subsidiary and its managed services clients. Another involved a ransomware attack that temporarily disrupted a portion of the TTEC Engage business. Although neither of these incidents resulted in material impact on our results of operations in 2021, there can be no assurances that future cybersecurity incidents, which are unavoidable, would not have material impact on our results of operations. Following these cybersecurity incidents, we have made and continue to make significant investments to enhance our information technology environment, but we, like many other companies, continue to be attacked by cybercriminals and there can be no assurances that investments made to date and the investments planned to be made in the future would be sufficient to mitigate these ongoing attacks or to prevent material impact from future cybersecurity incidents. Cybersecurity events may have cascading effects that unfold over time and result in additional costs, including costs associated with investigations, government enforcement actions, regulatory inquiries, fines and penalties, contractual claims, litigation, financial judgement or settlements in excess of insurance, disputes with insurance carriers concerning coverage and the availability of cyber insurance in the future, loss of clients' trust, future business cancelations and other losses. Any client perceptions that our systems or the information system environments that we support for our clients are not sufficiently secure could result in a material loss of business and revenue and could damage our reputation and competitiveness. Cyber fraud. As others, we are experiencing an increase in frequency of cyber fraud attempts, including phishing and smishing attempts, and so-called "social engineering" or "deep fake" attacks, which typically seek unauthorized access into the environment, money transfers or unauthorized information disclosure. We train our employees to recognize these attacks and have implemented proactive risk mitigation measures to curb them. There are no assurances, however, that these attacks, which are growing in sophistication and frequency, would not deceive our employees, resulting in a material loss and impacts to our operations and corporate functions. While we believe we have taken reasonable measures to protect our systems and processes from unauthorized intrusions and cyber fraud, we cannot be certain that advances in cybercriminal capabilities, discovery of new system vulnerabilities, and attempts to exploit such vulnerabilities will not compromise or breach the technologies protecting our systems and the information that we manage and control, which could result in damage to our systems, our reputation, and our profitability.

Some of our TTEC Digital clients are rapidly transitioning their IT functions from on premises platforms that we help them support to public cloud solutions and SaaS services. They rely on us for these transitions, which contribute to the growth of our higher margin consulting services, while at the same time impacting our future revenue from managed IT services, and system hardware and software resales. If we cannot continue to replace our resale and maintenance revenue with other high margin services, our results of operations in the Digital business may be impacted.

We plan to continue growing our business through the growth of clients' wallet share, increased sales efforts, and new technology offerings, while maintaining tight controls on our expenses and overhead. Lean overhead functions combined with growth targets may place a strain on our management systems, infrastructure, and resources, resulting in internal control failures, missed opportunities, and staff attrition. If we fail to manage our growth and cost containment measures effectively, our business, financial condition, and results of operations could be adversely affected.

Our TTEC Engage business relies on strategic, long-term relationships with large, global companies in targeted industries and certain government agencies. As a result, our Engage business derives a substantial portion of its revenue from relatively few clients. Our five and ten largest clients, collectively, represented 32% and 49% of our revenue in 2024, respectively, with one client representing over 10% of our revenue. While we have multiple engagements with our largest clients and all contracts are unlikely to terminate at the same time, the contracts with our five largest clients expire between 2025 and 2027; and there can be no assurance that these contracts will continue to be renewed at all or be renewed on favorable terms. While our ongoing sales and marketing activities aim to add new commercial and public sector clients and new opportunities with existing clients, there can be no assurance that such additional work can be secured or that it would yield financial benefits comparable to expiring contracts. The loss of all or part of major clients' business could have a material adverse effect on our financial condition, and results of operations, if the loss of revenue is not replaced with profitable business from other clients. We serve clients in industries that have historically experienced a significant level of consolidation. If one of our clients is acquired (by a new owner or by another of our clients) our business volumes and revenue may materially decrease due to the termination or phase out of an existing client contract, volume discounts, or other contract concessions which could have an adverse effect on our business, financial condition, and results of operations.

Transfer pricing regulations in the United States, Australia, India, Mexico, the Netherlands, the Philippines, and other countries where we operate, require that cross-border transactions between affiliates be on arm's-length terms. We carefully consider pricing for operations delivery, marketing, sales, and other services among our domestic and foreign subsidiaries to assure that they are at arm's-length. If tax authorities determine that the transfer prices and terms that we have applied are not appropriate, our tax liability may increase, including accrued interest and penalties, thereby impacting our profitability and cash flows, and potentially resulting in a material adverse effect to our operations, effective tax rate and financial condition.

We depend on our employees to follow strict processes and controls when delivering services to our clients and their customers. Although we believe our controls are effective and our employees are trained in their responsibilities before they have access to our and our clients' environments and data, when managing an employee population of approximately 52,000 in dozens of countries around the globe, we cannot prevent all misconduct. When our employees disregard or intentionally breach our or our client's established controls, acting alone or in collusion with others, we are responsible to our clients for the resulting impacts, and could be subject to significant liability, fines, and penalties that could impact our financial performance and our reputation. Unauthorized access to and/or disclosure of sensitive or confidential information of our clients or their customers, other losses resulting from acts or failure to act by our employees and our failure to quickly detect and deter negligence, fraud, criminal activity or other misconduct could lead to negative publicity and damage to our reputation, loss of our clients' trust, contractual and regulatory liability, loss of business and market share, impacting results of our operations and financial condition.

As we continue to transition and consolidate our information technology and data repositories from on premises IT and data centers controlled by us to public cloud and SaaS providers, and as we increase our reliance on third-party software providers, the vulnerability of our business to the reliability of these third parties is increasing. We have taken steps to mitigate our exposure to service disruptions from these third-party providers but there can be no assurance that these service providers can maintain security, confidentiality, availability and integrity of products and services on which we rely. The failures of these third parties to meet their service level commitments to us because of cybersecurity or data breaches, inadequate information technology infrastructure, insufficient updates to software, non-conformance to servicing standards and other reasons for their business operations' disruption can damage our reputation and cause financial losses to us, impacting our results of operations. Our agreements with third-party technology and software providers often have limitations of liability that do not fully protect us against liability to our clients nor against costs of business interruption that we may incur due to the technology failures.

Our business is subject to extensive, and at times conflicting, regulations by the U.S. federal, state, local, foreign national, and provincial authorities relating to sensitive client and customer data, data privacy, customer communications, and telemarketing practices; licensed healthcare, financial services, collections, insurance, and gaming/gambling support activities; trade restrictions and sanctions, tariffs, import/export controls; taxation; labor regulations, mandatory healthcare and wellness regulations, wages, breaks and severance regulations; health and safety regulations; disclosure obligations; and immigration laws, among other areas. As we provide services to clients' customers residing in countries where we do not have in-country operations or if we use telecommunication channels and airways in countries where we do not have physical presence, we may also be subject to laws and regulations of these countries. Costs and complexity of compliance with existing and future regulations that could apply to our business may adversely affect our profitability; and if we fail to comply with these mandates, we could be subject to contractual, civil and even criminal liability, monetary damages and fines. Enforcement actions by regulatory agencies could also materially increase our costs of operations and impact our ability to serve our clients. Adverse changes in laws or regulations that impact our business may negatively affect the sale of our services, slow the growth of our operations, or mandate changes to how we deliver our services, including our ability to use and how we use offshore resources. These changes could threaten our ability to continue to serve certain markets.

Our clients demand service providers who can support them anywhere in the world and sometimes, to maintain competitiveness, we must establish new operations, quickly, in countries where we previously have not done business. New market entry is fraught with operational, security, regulatory compliance, safety, and corruption risks, and these risks are exacerbated when new operations are launched quickly. We have experience in new market entry around the globe, but there can be no assurance that new operations in new countries would not result in financial losses, operational instability and reputational impact. If we elect not to follow our clients to markets where they wish to have services, we may lose lucrative contracts, including contracts in multiple jurisdictions where we have experience, or to competitors who are already established in the markets new to us, which would impact our financial results of operations.