Unity Software (U) Risk Analysis

We have been and may in the future become subject to legal proceedings and claims that arise from time to time, such as claims brought by our customers in connection with commercial disputes, employment claims made by our current or former employees, or securities class action litigation suits. Any litigation or dispute, whether meritorious or not, and whether or not covered by insurance, could harm our reputation, will increase our costs and may divert management's attention, time and resources, which may in turn harm our business, financial condition and results of operations.

In response to the increasing restrictions of global privacy and data security laws, our customers have sought and may continue to seek increasingly stringent contractual assurances regarding our handling of personal information and may adopt internal policies that limit their use of our Grow Solutions. In addition, privacy advocates and industry groups have regularly proposed, and may propose in the future, self-regulatory standards by which we are legally or contractually bound. If we fail to comply with these contractual obligations or standards, we may face substantial contractual liability or fines.

Operating our business and platform involves the collection, processing, storage and transmission of sensitive, proprietary and confidential information, including personal information of our personnel,customers and their end users, our proprietary and confidential information and the confidential information and confidential intellectual property we collect from our partners, customers and creators. Cyber-attacks, malicious internet-based activity, online and offline fraud, and other similar activities threaten the confidentiality, integrity, and availability of our sensitive information and information technology systems, and those of the third parties with whom we work. Such threats are prevalent and continue to rise, are increasingly difficult to detect, and come from a variety of sources, including traditional computer "hackers," threat actors, "hacktivists" organized criminal threat actors, personnel (such as through theft, misuse, or accident), sophisticated nation states, and nation-state-supported actors. During times of war and other major conflicts, we, the third parties with whom we work, and our customers may be vulnerable to a heightened risk of these attacks, including retaliatory cyber-attacks, that could materially disrupt our systems and operations, supply chain, and ability to produce, sell and distribute our services. For example, the increased hostilities and militarization in and around Israel, where a significant part of our Grow Solutions operations is based, may lead to an increase in politically motivated cyber-attacks which could impact our operations and harm our business. We and the third parties with whom we work are subject to a variety of constantly evolving threats, including but not limited to, computer malware (including as a result of advanced persistent threat intrusions), software bugs and vulnerabilities, malicious code, viruses and worms, social engineering (including through deep fakes, which are increasingly more difficult to identify as fake, spear phishing and ransomware attacks), denial-of-service attacks, credential stuffing attacks, credential harvesting, personnel misconduct or error, supply chain attacks, server malfunctions, software or hardware failures, loss of data or other information technology assets, adware, telecommunications failures, attacks enhanced or facilitated by AI and other similar threats. Such threats have become more prevalent in our industry in recent years and the emergence of new AI technologies presents risks of further vulnerabilities. For example, attempts by malicious actors to fraudulently induce our personnel into disclosing usernames, passwords or other information that can be used to access our systems have increased and could be successful. Ransomware attacks are becoming increasingly prevalent and severe and can lead to significant interruptions, delays, or outages in our operations, loss of data, loss of income, significant extra expenses and resources to restore data or systems, reputational harm, and the diversion of funds. Extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting payments. Our security measures could also be compromised by personnel, theft or errors, and have been in the past and may in the future be insufficient to prevent harm resulting from security vulnerabilities in our platform or the software or systems on which we rely. Additionally, our remote workforce poses increased risks to our IT assets and data. Future or past business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities' systems and technologies. Furthermore, we may discover security issues that were not found during due diligence of such acquired or integrated entities, and it may be difficult to integrate companies into our information technology environment and security program. We take steps designed to detect, mitigate, and remediate vulnerabilities in our information security systems, platform, and solutions. Investigations into potential incidents and insecure configurations of our services and the software we use are also an integral part of our security program. For example, we detected through our bug bounty program a vulnerability in our product that we released patched versions for in October 2025. However we have not always been, and may in the future not be, able to detect, mitigate, and remediate all such vulnerabilities. Moreover, we have experienced and may in the future experience delays in developing and deploying remedial measures and patches designed to address any identified vulnerabilities. Any such remediation or patching may also be costly, difficult or impractical to implement. This is especially the case where there are multiple platforms or third-party partners involved and/or there is a lack of cooperation from other parties necessary for remediation. Security incidents could also damage our IT systems, our ability to provide our products and services, and our ability to make the financial reports and other public disclosures required of public companies. Additionally, vulnerabilities in our products may cause reputational harm resulting in customer loss, and it also may lead to legal liability if such vulnerabilities are exploited before we are able to release patches. Threat actors have used, and may in the future use, an initial compromise of one part of our environment to gain access to other parts of our environment, or to try to leverage a compromise of our networks or systems to gain access to the networks or systems of third parties with whom we work. They may also try to leverage potential vulnerabilities or other information in our platform or code for future attacks. We rely on third parties to provide critical services that help us deliver our solutions and operate our business. In the course of providing their services, these third parties may support or operate critical business systems for us or store or process personal, sensitive, proprietary and/or confidential information on our behalf. Our ability to monitor these third parties' information security practices is limited and these third-party providers may not have adequate security measures, and have experienced and could experience in the future security incidents that compromise the confidentiality, integrity or availability of the systems they operate for us or the information they process on our behalf. Supply chain attacks are increasing in frequency, and we cannot guarantee that third parties' infrastructure in our supply chain or that of the third parties with whom we work have not been compromised. Certain of our third party suppliers have experienced and may in the future experience attacks that could impact us. Such occurrences could adversely affect our business to the same degree as if we had experienced these occurrences directly and we may not have recourse to the responsible third parties for the resulting liability we incur. We employ a shared responsibility model where our customers are responsible for using, configuring and otherwise implementing security measures related to our platform, services and products in a manner that meets applicable cybersecurity standards, complies with laws, and addresses their information security risk. As part of this shared responsibility security model, we make certain security features available to our customers that can be implemented at our customers' discretion, or identify security areas or measures for which our customers are responsible. For example, our customers are responsible for implementing multi-factor authentication to access their accounts. In certain cases where our customers choose not to implement, or incorrectly implement, those features or measures, misuse our services, or otherwise experience their own vulnerabilities, policy violations, credential exposure or security breaches, even if we are not the cause of a resulting customer security issue or incident, our customer relationships reputation, and revenue may be adversely impacted. Because there are many different cybercrime and hacking techniques and such techniques continue to evolve, we have in the past been and may in the future be unable to anticipate attempted security breaches, react in a timely or effective manner or implement adequate preventative measures. While we have developed systems and processes designed to protect the integrity, confidentiality and security of our and our customers' confidential, proprietary, and personal information under our control or under the control of third parties with whom we work, we cannot assure you that any security measures that we or our third-party service providers have implemented has been or will in the future be effective against current or future security threats. Security breaches and other incidents have occurred in the past, and may occur in the future, resulting in unauthorized, unlawful or inappropriate access to, inability to access, disclosure of or loss of sensitive, proprietary or confidential information. A security breach or other security incident, or the perception that one has occurred, could result in a loss of customer confidence in the security of our platform and damage to our reputation and brand, reduce demand for our solutions, disrupt normal business operations, require us to incur material costs to investigate and remedy the incident and prevent recurrence, expose us to litigation, regulatory enforcement action, fines, penalties and damages and adversely affect our business, financial condition and results of operations. These risks are likely to increase as we continue to grow and process, store and transmit an increasingly large volume of data. We have contractual and legal obligations to notify relevant stakeholders of security breaches or to take other actions, such as providing credit monitoring and identifying theft protection services. Most jurisdictions have enacted laws requiring companies to notify individuals, regulatory authorities and others of security breaches involving certain types of data. In addition, our agreements with certain customers and partners may require us to notify them in the event of a security breach. Such mandatory disclosures are costly, could lead to negative publicity and may cause our customers to lose confidence in the effectiveness of our security measures. A security breach could lead to claims by our customers, their end users or other relevant parties that we have failed to comply with contractual obligations to implement specified security measures. As a result, we could be subject to legal action or our customers could end their relationships with us. We cannot assure you that the limitations of liability in our contracts would be enforceable or adequate or would otherwise protect us from liabilities or damages. Security breaches could similarly result in enforcement actions by government authorities alleging that we have violated laws requiring us to maintain reasonable security measures. Additionally, we cannot be certain that our insurance coverage will be adequate for data security liabilities actually incurred, will cover any indemnification claims against us relating to any incident, will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could adversely affect our reputation, business, financial condition and results of operations. In addition, we continue to expend significant costs to seek to protect our platform and solutions and to introduce additional security features for our customers, and we expect to continue to have to expend significant costs in the future. Any increase in these costs will adversely affect our business, financial condition and results of operations.

The markets in which we operate are highly competitive. Specifically, we have faced and may continue to face competition as a result of: - rapid technological change, such as the rise of AI, and machine learning and increasing use of data and trained models as well as changing customer needs, requirements and preferences;- the impact of evolving industry standards and changing regulations, which may affect us differently than some our competitors, including, for example, increased costs for advertisers to target users due to changes in the data privacy landscape;- reduced supply from game publishers, who may also use channels beyond in-app advertising to grow revenue;- the development of alternative solutions by a significant number of companies, including other gaming and ad-tech companies;- lower prices or free solutions offered by our competitors, some of whom may offer more favorable payment terms to publishers;- the introduction of alternative solutions by larger, more experienced companies that offer 2D and 3D design solutions in the industries in which we currently operate or may expand into; and - mergers, acquisitions and other strategic relationships amongst our competitors which may allow them to provide more comprehensive offerings or achieve greater economies of scale than us, and which may introduce new competitors in our markets. Our competitors include other game development engines and platforms and large technology and ad-tech companies, many of which have greater name recognition, longer operating histories, more established customer relationships, larger marketing budgets and greater financial and operational resources than we do. We cannot assure you that we will not be forced to engage in price-cutting or revenue limiting initiatives, change payment terms or increase our advertising and other expenses to attract and retain customers in response to competitive pressures. In addition, some of our competitors are also our partners and/or customers. We compete to various degrees on the basis of price, technical performance, product features, system compatibility, quality and sales and technical support. These competitors may decide to stop buying our products, compete more aggressively with us, use technical capabilities to hinder the performance of our products, or use our products or the information they obtain about or derived from our products and technology to develop or improve their own competing solutions, which could materially and adversely affect our business, financial condition and results of operations. If we are unable to compete successfully against our current or future competitors, it could result in the failure of our platform and products to continue to achieve or maintain market acceptance, which would harm our business, financial condition, and results of operations.

We believe that maintaining and enhancing our brand reputation is important to our ability to compete and to support the marketing and sale of our platforms and products to new and existing customers and grow our strategic partnerships. Successfully maintaining and enhancing our brand will depend largely on the effectiveness of our marketing efforts, our ability to offer a reliable platform that continues to meet the needs and preferences of our customers at competitive prices, our ability to maintain our customers' trust, our ability to continue to develop new functionality to address a wide variety of use cases and our ability to successfully differentiate our platform from competitors. We have in the past and may in the future experience public scrutiny of our business decisions and announcements. Our ability to manage potential social and ethical issues arising out of emerging technologies, including AI, could impact our brand and customer adoption of our solutions. Our brand promotion activities may not generate customer awareness or yield increased revenue, and even if they do, any increased revenue may not offset the expenses we incur in building our brand. If we fail to successfully promote and maintain our brand, our business, financial condition and results of operations may suffer.

Because our continued business operations in China, including our joint venture in China, constitute a significant part of our current and future revenue growth plans, adverse changes in economic and political policies relating to China could have an adverse effect on our business. An escalation of trade tensions in recent years between the U.S. and China has resulted in trade restrictions that harm our ability to participate in Chinese markets. For example, U.S. export control regulations relating to China have created restrictions with respect to the sale of our solutions to various Chinese customers and further changes to regulations have occurred in 2025 that could result in additional restrictions on our sales when effective in October 2026. China also regulates the gaming industry, including content distribution restrictions and other regulations which has impacted our growth rates in the past and any changes by the Chinese government with respect to the gaming industry could have a negative impact on our business. Sustained uncertainty about, or worsening of, current global economic conditions and further escalation of trade tensions between the U.S. and its trading partners, especially China, could result in a global economic slowdown and long-term changes to global trade, including retaliatory trade restrictions that further restrict our ability to operate in China. Any actions and policies adopted by the government of the People's Republic of China ("PRC"), particularly with regard to intellectual property rights and existing cloud-based and Internet restrictions for non-Chinese businesses, or any prolonged slowdown in China's economy, could have an adverse effect on our business, results of operations and financial condition. In particular, PRC laws and regulations impose restrictions on foreign ownership of companies that engage in internet, market survey, game publishing, cloud-based services and other related businesses from time to time. Accordingly, our ability to offer game publishing and cloud-based services in China depends on our ability to implement and maintain structures that are acceptable under PRC laws. Our failure to do so could harm our business, financial condition, and operating results.

We currently have operations and customers across all major global markets. We also have a sales presence in multiple countries. We expect that our global activities will continue to grow for the foreseeable future as we continue to pursue growth opportunities, which will require significant dedication of management attention and financial resources. Our current and future global business and operations involve a variety of risks, including: - slower than anticipated availability and adoption of our platform by creators outside the U.S., for example, in China where we experienced softness throughout 2023 and 2024;- the need to adapt and localize our platform for specific countries;- maintaining our company culture, which emphasizes developing and launching new and innovative solutions and which we believe is essential to our business, across all of our offices globally and requires aligning our values across cultures and viewpoints;- difficulty collecting accounts receivable and potential for longer payment cycles, including due to disruptions or delays in global payment operations, and international payments or money transfers resulting from trade restrictions or sanctions or banking processes and procedures adopted in response;- increased reliance on resellers and other third parties for our global expansion;- burdens of complying with a variety of foreign laws, including costs associated with legal structures, accounting, statutory filings and tax liabilities;- stringent and evolving regulations relating to privacy and data security and the unauthorized use of, or access to, commercial and personal information, particularly in Europe and China and certain U.S. states;- differing and potentially more onerous labor regulations and practices, especially in Europe;- challenges inherent in efficiently managing, and the increased costs associated with, having a geographically diverse workforce, including the need to implement appropriate systems, policies, benefits, statutory equity requirements and compliance programs that are specific to each jurisdiction;- changes in trade relations, particularly between the U.S. and China, regulations, laws or enforcement, including changes to export control restrictions, economic sanctions, and trade embargoes;- difficulties in managing a business in new markets with diverse cultures, languages, customs, legal systems, alternative dispute systems, and regulatory systems;- increased travel, real estate, infrastructure and legal compliance costs associated with multiple global locations and subsidiaries;- currency exchange rate fluctuations and the resulting effect on our revenue and expenses, and the cost and risk of hedging transactions;- higher levels of credit risk and payment fraud, particularly the risk that excessive fraudulent activity could harm our ability to meet credit card association merchant standards and our right to accept credit cards for payment;- restrictions on the transfer of funds, such as limitations on our ability to reinvest earnings from operations in one country to fund the capital needs of our operations in other countries;- laws and business practices favoring local competitors or general market preferences for local vendors;- reduced or uncertain intellectual property protection or difficulties obtaining, maintaining, protecting or enforcing our intellectual property rights, including foreign government interference with our intellectual property that resides outside of the U.S.;- political instability, societal unrest, hostilities, war, or terrorist activities, including in Israel or the surrounding region where a significant portion of our Grow Solutions team is located; and subsequent retaliatory measures and sanctions;- exposure to liabilities under anti-corruption and anti-money laundering laws, including the U.S. Foreign Corrupt Practices Act ("FCPA"), U.S. bribery laws, the United Kingdom ("UK") Bribery Act, and similar laws and regulations in other jurisdictions; and - adverse tax burdens and foreign exchange controls that could make it difficult to repatriate earnings and cash. We invest substantial time and resources to grow our business in markets outside the U.S. and if we are unable to do so successfully and in a timely manner, our business and results of operations will suffer.

Any catastrophic event, including earthquake, fire, flood, tsunami or other weather event, power loss, telecommunications failure, software or hardware malfunction, cyber-attack, war or terrorist attack, explosion, or pandemic could impact our business. In particular, our corporate headquarters are located in the San Francisco Bay Area, a region known for seismic activity, and are thus vulnerable to damage in an earthquake. Our insurance coverage may not compensate us for losses that may occur in the event of an earthquake or other significant natural disaster. If any disaster were to occur, our ability to operate our business at our facilities could be impaired and we could incur significant losses, require substantial recovery time and experience significant expenditures in order to resume operations. If we are unable to develop adequate plans to ensure that our business functions continue to operate during and after a disaster and to execute successfully on those plans in the event of a disaster or emergency, our business would be harmed. In addition, certain of our operations or those of our customers could be impacted by militarization, war and other geopolitical disputes, including any renewal of the recent conflict in and around Israel, where we have a significant number of employees, any escalation of hostilities or conflict between China and Taiwan, which could adversely impact availability of computing components and resources, any of which could adversely affect our results of operations and business condition.

Our success and future growth depend upon the continued services of our management team and other key employees. Changes in our management team could disrupt our business. We have experienced significant management turnover in the last two years and any inability to successfully manage executive transitions, or to retain senior executives or key employees, or find adequate replacements, could disrupt our operations and harm our business. In addition, we must attract and retain highly qualified personnel, such as software engineers because of the complexity of our solutions. We have had difficulty quickly filling certain open positions in the past, and we expect to have future hiring needs. Competition is intense, particularly in the San Francisco Bay Area and other areas in which we have offices, for engineers experienced in designing and developing cloud-based platform solutions, data scientists and engineers with experience in AI and ML, as well as experienced sales professionals. The market for AI and ML engineers and data scientists is extremely competitive and expensive and we have in the past faced, and continue to face, challenges in hiring and subsequently retaining such personnel. Failure to secure or retain adequate AI/ML talent could put us at a competitive disadvantage and result in slower product development. Failure to retain such talent could also result in the potential loss of valuable skills, know-how and intellectual property to competitors. New employees may not become as productive as we expect, and we may be unable to hire or retain sufficient numbers of qualified individuals. As a global workforce, we must align our company values across employees from different cultures and value systems, and often with employees who are geographically remote from one another. Failure to successfully create a cohesive company culture could harm our ability to attract and retain talent. In addition, prospective and existing employees often consider the value of the equity awards they receive in connection with their employment. If the perceived or actual value of our equity awards declines, it may not be as effective an incentive for attracting, retaining, and motivating employees. If we fail to attract new personnel or fail to retain and motivate our current personnel, our business and future growth prospects would be harmed.