Vital Farms (VITL) Risk Analysis

Our success and future growth depend largely upon the continued services of our executive officers as well as our other key crew members. These executives and key crew members are primarily responsible for determining the strategic direction of our business and for executing our growth strategy and are integral to our brand, culture and the reputation we enjoy with farmers, suppliers, co-manufacturers, distributors, customers and consumers. From time to time, there may be changes in our senior leadership team or other key crew members resulting from the hiring or departure of these personnel. The loss of one or more of our executive officers, the failure by our senior leadership team to effectively work with our crew members and lead our company or our failure to establish appropriate succession plans for our executive officers and other key crew members could harm our business. In addition, our success depends in part upon our ability to attract, train, develop and retain a sufficient number of crew members who understand and appreciate our culture and can represent our brand effectively and establish credibility with our business partners and consumers. If we are unable to win in a competitive market for top talent capable of meeting our business needs and expectations, our business and brand image may be impaired. For example, our planned Vital Crossroads facility in Seymour, Indiana will require the recruitment, training and retention of a significant number of new crew members, and, due to market conditions or otherwise, we may be unable to attract and retain crew members for this facility with the skills we require. Additionally, substantially all of our crew members outside of our Egg Central Station facility are working remotely on a permanent basis. Although we believe we manage our operations to handle remote working conditions efficiently, it is possible that such remote work arrangements could adversely impact crew member cohesiveness, efficiency, professional development, operational agility and retention. Any failure to meet our staffing needs or any material increase in turnover rates of our crew members may adversely affect our business, financial condition and results of operations.

Federal government shutdowns have at times impacted our ability to receive governmental approvals for products and labeling of new products, our farmers' ability to obtain organic certifications, and FDA inspections of our farms. Additionally, many of our farmers seek federal government loans from the USDA or other forms of government assistance. Any current or future U.S. federal government shutdown, federal staffing reduction or other limitation or elimination of sources of U.S. government assistance could adversely impact our business, which could have a material adverse effect on our results of operations and financial condition.

We compete with large egg companies such as Cal-Maine Foods, Inc. and large international food companies such as Ornua Co-operative Limited (Kerrygold). Our competitors also include local and regional egg and dairy companies, as well as private-label products processed by other egg and dairy companies. We compete with such companies for new and existing consumers, for shelf space at our retail customers and for the services of family farmers. Furthermore, if additional competitors elected to list their stock on the public markets, investor interest in our common stock could decline as a result. Our competitors may have substantially greater financial and other resources than us, and some of our competitors' products are well accepted in the marketplace today. Such competitors may also have lower operational costs, and as a result may be able to offer comparable or substitute products to customers at lower costs. This could put pressure on us to lower our prices, resulting in lower profitability or, in the alternative, cause us to lose market share if we fail to reduce prices. Conversely, if we were to increase prices, including as a result of fluctuations in the shell egg market, increased commodity or raw material costs, increased packaging or transportation costs or otherwise, any resulting decline in consumer demand for our products may be exacerbated by the competitiveness of our market. Generally, the food industry is dominated by multinational corporations with substantially greater resources and operations than we have. We cannot be certain that we will successfully compete with larger competitors that have greater financial, sales and technical resources. Conventional food companies may acquire our competitors or launch their own egg and butter products, and they may be able to use their resources and scale to respond to competitive pressures and changes in consumer preferences by introducing new products, reducing prices or increasing promotional activities, among other things. Retailers also market competitive products under their own private labels, which are generally sold at lower prices, and may change the merchandising of our products so they have less favorable placement. Larger competitors may also be less affected by economic disruption and uncertainty, including with respect to inflation, global economic conditions or agricultural diseases such as avian influenza, than we are. In recent years, there has been increasing market consolidation among local, regional and national specialty egg and dairy companies. These competitive pressures could cause us to lose market share, which may require us to lower prices, increase marketing and advertising expenditures or increase the use of discounting or promotional campaigns, each of which could adversely affect our margins and could result in a decrease in our operating results and profitability.

Adverse and uncertain economic conditions, including uncertainty related to inflation, tariff regimes, market volatility, outbreaks of contagious disease or pandemics, domestic or geopolitical tensions and wars, or disruption in global financial and credit markets may impact distributor, retailer, foodservice and consumer demand for our products. In addition, our ability to manage normal commercial relationships with our farmers, suppliers, co-manufacturers, distributors, retailers, foodservice consumers, service providers and creditors may suffer. Consumers may shift purchases to lower-priced or other perceived value offerings, including private-label products, during economic downturns, and an economic downturn may cause customers to be less receptive to price increases on our products. Adverse economic conditions may also affect our farmers. For example, inflationary pressures and elevated interest rates have resulted in increased costs for our farmers to build, equip and operate their farms. If our relationship with our existing farmers, or our ability to attract new farmers, is disrupted due to economic conditions or otherwise, our operating results may be adversely affected. Further, our foodservice product sales will be reduced if consumers reduce the amount of food they consume away from home at our foodservice customers, including as a result of inflationary concerns or other economic uncertainties. Distributors and customers may become more conservative in response to these conditions and seek to reduce their inventories. Our results of operations depend upon, among other things, our ability to maintain and increase sales volume with our existing distributors, retail and foodservice customers, our ability to attract new consumers, the financial condition of our consumers and our ability to provide products that appeal to consumers at the right price. Prolonged unfavorable economic conditions may have an adverse effect on our sales and profitability. In addition, historically, our deposit accounts have held deposits in excess of the amounts insured by the Federal Deposit Insurance Corporation, or FDIC. In the event of a bank failure at any of the institutions where we maintain deposits, there can be no assurance that regulators will agree to guarantee such deposits above and beyond amounts insured by the FDIC.

We utilize intellectual property in our business. Our trademarks are valuable assets that reinforce our brand and consumers' favorable perception of our products. We have invested a significant amount of money in establishing and promoting our trademarked brands. We also rely on unpatented proprietary expertise and copyright protection to develop and maintain our competitive position. Our continued success depends, to a significant degree, upon our ability to protect and preserve our intellectual property, including our trademarks and copyrights. We rely on confidentiality agreements and trademark and copyright law to protect our intellectual property rights. Our confidentiality agreements with our crew members and certain of our consultants, contract employees, suppliers and independent contractors, including some of our co-manufacturers who use our formulations to manufacture our products, generally require that all information made known to them be kept strictly confidential. Further, some of our formulations have been developed by or with our suppliers and co-manufacturers. As a result, we may not be able to prevent others from using similar formulations. We cannot be certain that the steps we have taken to protect our intellectual property rights are adequate, that our intellectual property rights can be successfully defended and asserted in the future or that third parties will not infringe upon or misappropriate any such rights. In addition, our trademark rights and related registrations may be challenged in the future and could be canceled or narrowed. Failure to protect our trademark rights could prevent us in the future from challenging third parties who use names and logos similar to our trademarks, which may in turn cause consumer confusion or negatively affect consumers' perception of our brand and products. Moreover, intellectual property disputes and proceedings and infringement claims may result in a significant distraction for management and significant expense, which may not be recoverable regardless of whether we are successful. Such proceedings may be protracted with no certainty of success, and an adverse outcome could subject us to liabilities, force us to cease use of certain trademarks or other intellectual property or force us to enter into licenses with others. Any of these occurrences may have an adverse effect on our business, financial condition and results of operations.

In the ordinary course of our business, we and the third parties with whom we work process sensitive data, and, as a result, we and the third parties with whom we work face a variety of evolving threats that could cause security incidents. We also use mobile devices, social networking and other online activities and third parties to connect with our crew members, farmers, suppliers, co-manufacturers, distributors, customers and consumers. Cyber-attacks, malicious internet-based activity, online and offline fraud, physical threats or vandalism, and other similar activities threaten the confidentiality, integrity, and availability of our sensitive data and information technology systems, and those of the third parties with whom we work. Such threats are prevalent and continue to rise, are increasingly difficult to detect, and come from a variety of sources, including, but not limited to traditional computer "hackers," threat actors, "hacktivists," organized criminal threat actors, personnel (such as through theft or misuse), sophisticated nation states and nation-state-supported actors. Further, as we pursue new initiatives that improve our operations and cost structure, we have, and will continue to, expand and improve our information technologies, resulting in a larger technological presence and corresponding exposure to cybersecurity risk. Some actors now engage and are expected to continue to engage in cyber-attacks, including without limitation nation-state actors for geopolitical reasons and in conjunction with military conflicts and defense activities. During times of war and other major conflicts, we and the third parties with whom we work may be vulnerable to a heightened risk of these attacks, including retaliatory cyber-attacks, that could materially disrupt our systems and operations, supply chain, and ability to produce, sell and distribute our services. We and the third parties with whom we work are subject to a variety of evolving threats, including but not limited to social-engineering attacks (including through deep fakes, which may be increasingly more difficult to identify as fake, and phishing attacks), malicious code (such as viruses and worms), malware (including as a result of advanced persistent threat intrusions), denial-of-service attacks, credential stuffing, credential harvesting, personnel misconduct or error, ransomware attacks, supply-chain attacks, software bugs, server malfunctions, software or hardware failures, loss of data or other information technology assets, adware, attacks enhanced or facilitated by AI, physical threats or vandalism, telecommunications failures, earthquakes, fires, floods and other similar threats. In particular, severe ransomware attacks are becoming increasingly prevalent and could lead to significant interruptions in our operations, ability to provide our products or services, loss of sensitive data and income, reputational harm, and diversion of funds. Extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments. It may be difficult and/or costly to detect, investigate, mitigate, contain, and remediate a security incident. Our efforts to do so may not be successful. Actions taken by us or the third parties with whom we work to detect, investigate, mitigate, contain, and remediate a security incident could result in outages, data losses, and disruptions of our business. Threat actors may also gain access to other networks and systems after a compromise of our networks and systems. For example, threat actors may use an initial compromise of one part of our environment to gain access to other parts of our environment, or leverage a compromise of our networks or systems to gain access to the networks or systems of third parties with whom we work, such as through phishing or supply chain attacks. Additionally, future or past business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities' systems and technologies. Furthermore, we may discover security issues that were not found during due diligence of such acquired or integrated entities, and it may be difficult to integrate companies into our information technology environment and security program. In addition, our reliance on third-party service providers presents new cybersecurity risks and vulnerabilities, including supply chain attacks and other threats to our business operations. We rely on third-party service providers and technologies to operate critical business systems to process sensitive data in a variety of contexts. We also rely on third-party service providers to provide other products, services, parts, or otherwise to operate our business. Our ability to monitor these third parties' information security practices is limited, and these third parties may not have adequate information security measures in place. If the third parties with whom we work experience a security incident or other interruption, we could experience adverse consequences. While we may be entitled to damages if third parties with whom we work fail to satisfy their privacy or security-related obligations to us, any award may be insufficient to cover our damages, or we may be unable to recover such award. In addition, supply chain attacks have increased in frequency and severity, and we cannot guarantee that third parties' infrastructure in our supply chain or our third-party partners' supply chains have not been compromised. For example, in June 2025, one of our distributors experienced a cybersecurity incident that resulted in temporary disruptions to logistics and order fulfillment services for a period of approximately two weeks. While the incident did not have a material adverse impact on our operations or financial results, future cybersecurity incidents or interruptions affecting our third-party service providers or other elements of our supply chain may have a more adverse effect on our business, financial condition or results of operations. We recently completed a multi-year transition to a new cloud-based enterprise resource planning, or ERP, system to support our future growth and more fully optimize our existing processes. The ERP system implementation required, and is likely to continue to require, investment of significant financial resources and the time and attention of our management and key crew members. It is possible that the system will not yield the benefits we anticipate and could result in disruptions, delays or deficiencies in the processes it supports. For example, in the fourth quarter of fiscal 2025, we experienced temporary disruptions in order and fulfillment levels following the launch date of the new ERP system. Any disruptions, delays or deficiencies related to the new ERP system or the implementation thereof, or the design, integration or implementation of other technology systems we may choose to implement in the future, could materially impact our operations and adversely affect our ability to process orders, manage our inventory, fulfill obligations to customers or otherwise operate our business. While we have implemented security measures designed to protect against and respond to cybersecurity incidents, there can be no assurance that these incident response measures will be effective. We take steps designed to detect, mitigate, and remediate vulnerabilities in our information systems (such as our hardware and/or software, including that of third parties with whom we work). We may have not and may not in the future, however, detect and remediate all such vulnerabilities including on a timely basis. Further, we have and may in the future experience delays in developing and deploying remedial measures and patches designed to address identified vulnerabilities. Vulnerabilities could be exploited and result in a security incident. The theft, destruction, loss, misappropriation or release of sensitive information or intellectual property, or interference with our information technology systems or the technology systems of third parties with whom we work, could result in business disruption, negative publicity, brand damage, violation of privacy laws, loss of customers and distributors, potential liability and competitive disadvantage all of which could have an adverse effect on our business, financial condition or results of operations. Such risks are increased by the fact that substantially all of our crew members outside of our Egg Central Station facility are working remotely on a permanent basis. Technologies and security systems in place at our crew members' homes may be less secure than those used in a physical office, and while we have implemented controls and safeguards to help protect our systems as our crew members work from home, there can be no assurance that these measures will be effective. Any of the previously identified or similar threats have in the past and may in the future cause a security incident or other interruption that have in the past and may in the future result in unauthorized, unlawful, or accidental acquisition, modification, destruction, loss, alteration, encryption, disclosure of, or access to our sensitive data or our information technology systems, or those of the third parties with whom we work. For example, we have been the target of phishing campaigns in the past and expect such campaigns to continue into the future, with risks associated with such campaigns magnified by their heightened sophistication as AI technologies are increasingly utilized to craft phishing attempts. A security incident or other interruption could disrupt our ability (and that of third parties with whom we work) to provide our services. We may expend significant resources or modify our business activities to try to protect against security incidents. Additionally, certain data privacy and security obligations have required us to implement and maintain specific security measures or industry-standard or reasonable security measures to protect our information technology systems and sensitive data. Applicable data privacy and security obligations may require us to notify relevant stakeholders, including affected individuals, customers, regulators, and investors, of security incidents. Such disclosures are costly, and the disclosure or the failure to comply with such requirements could lead to adverse consequences. Furthermore, given our operations and economic role, regulatory requirements related to critical infrastructure have and may impose additional compliance burdens on us, including, reporting requirements, increased costs, and other obligations. If we or a third party with whom we work experience a security incident or are perceived to have experienced a security incident, we may experience material adverse consequences, such as: government enforcement actions (for example, investigations, fines, penalties, audits, and inspections); additional reporting requirements and/or oversight; restrictions on processing sensitive data (including personal data); litigation (including class claims); indemnification obligations; negative publicity; reputational harm; monetary fund diversions; diversion of management attention; interruptions in our operations (including availability of data); competitive disadvantage; financial loss; and other similar harms. Security incidents and attendant material consequences may prevent or cause customers to stop using our services, deter new customers from using our services, and negatively impact our ability to grow and operate our business. Our contracts may not contain limitations of liability, and even where they do, there can be no assurance that limitations of liability in our contracts are sufficient to protect us from liabilities, damages, or claims related to our data privacy and security obligations. We cannot be sure that our insurance coverage will be adequate or sufficient to protect us from or to mitigate liabilities arising out of our privacy and security practices, that such coverage will continue to be available on commercially reasonable terms or at all, or that such coverage will pay future claims. In addition to experiencing a security incident, third parties may gather, collect, or infer sensitive data about us from public sources, data brokers, or other means that reveals competitively sensitive details about our organization and could be used to undermine our competitive advantage or market position. Further, use of artificial intelligence platforms by our crew members, whether authorized or unauthorized, may increase the risk that our intellectual property and other proprietary information will be unintentionally disclosed. If we fail to identify and address cybersecurity risks associated with new initiatives, we may become increasingly vulnerable to such risks.