Verra Mobility (VRRM) Risk Factors

Our ability to retain, increase and engage our customer base and to increase our revenue depends, in large part, on our ability to continue to evolve existing solutions and to create successful new solutions. We may introduce significant changes to our existing solutions or acquire or introduce new and unproven products and services, including using technologies or entering markets or industries in which we have little or no experience. For example, as Government Solutions customers increase their requirements related to data security, privacy and IT architecture, we may be unable to develop new solutions to keep up with increasing requirements. The failure of any new or enhanced solution to achieve customer adoption or our failure to otherwise successfully monetize our development efforts could have a material adverse effect on our business, financial condition and results of operations. Further, changes to the hardware solutions we offer to our government customers may require certification by a government agency, and failure to achieve such certification may result in an inability to operate photo enforcement systems in a particular jurisdiction. Any failure to evolve existing solutions or create new successful solutions could have a material adverse effect on our business, financial condition and results of operations.

We act as a trusted business partner in both front office and back office platforms, interacting with our customers and other third parties. Our customers include large, multinational corporations and government agencies who depend upon our operational efficiency, non-interruption of service, and accuracy and security of information. We receive, process, transmit and store substantial volumes of information relating to identifiable individuals, both in our role as a back-end or direct-to-consumer service provider and as an employer, and receive, process and implement financial transactions, and disburse funds, which requires us to receive debit and credit card information. We also use third-party providers such as subcontractors, software vendors, utility providers and network providers, upon whom we rely to offer our products, services and solutions. As a result of these and other aspects of our business, the integrity,security and accuracy of our systems and information technology, and that of the third parties with which we interact, including our customers and other government agencies with which we work, are extremely important. Our cybersecurity and processing systems, as well as those of the third parties with which we interact, may be damaged, disrupted or otherwise breached for a number of reasons, including power outages, computer and telecommunication failures, computer viruses, malware or other destructive software, internal design, manual or usage errors, cyber-attacks, terrorism, workplace violence or wrongdoing, catastrophic events, natural disasters and severe weather conditions. Our visibility and role as a processor of transactions containing personally identifiable information may also put us at a greater risk of being targeted by hackers. In the normal course of our business, we have been the target of malicious cyber-attack attempts. In addition, numerous and evolving cybersecurity threats, including advanced and persistent cyber-attacks, phishing and social engineering schemes could compromise our systems and the confidentiality, availability and integrity of data in our systems, as well as the systems and data of the third parties with which we interact. The security measures and procedures we and the third parties with which we interact have in place to protect sensitive consumer data and other information may not be successful or sufficient to counter all data breaches, cyber-attacks, or system failures. Further, employee error or malfeasance, faulty password management or other irregularities may result in a defeat of security measures or a system breach. Although we devote significant resources to our cybersecurity programs and have implemented security measures to protect our systems and data, and to prevent, detect and respond to data security incidents, in each case that we believe are reasonable and appropriate, these efforts, and the efforts of third parties with which we interact, may not prevent these or other threats. Moreover, because the techniques used to obtain unauthorized access, or to disable or degrade systems change frequently, have become increasingly more complex and sophisticated, and may be difficult to detect for periods of time, we and the third parties with which we interact may not anticipate these acts or respond adequately or timely. As these threats continue to evolve and increase, we may be required to devote significant additional resources in order to modify and enhance our security controls and to identify and remediate any security vulnerabilities or diligencing those of third parties. If we are sued in connection with any data security breach or system failure, we could be involved in protracted litigation. In addition, a breach could lead to unfavorable publicity and significant damage to our brand, the loss of existing and potential customers, allegations by customers that we have not performed or have breached our contractual obligations, or decreased use and acceptance of our solutions. A breach or failure may also subject us to additional regulations or governmental or regulatory scrutiny, which could result in significant compliance costs, fines or enforcement actions, or potential restrictions imposed by regulators on our ability to operate our business. A security breach would also likely require us to devote significant management and other resources to address the problems created by the security breach. Any of the foregoing could have a material adverse effect on our business, financial condition and results of operations.

We rely heavily on the satisfactory performance and availability of our information technology infrastructure and systems, including our websites and network infrastructure, to conduct our business. We rely on third-party communications service and system providers to provide technology services and link our systems with our customers' networks and systems, including a reliable network backbone with the necessary speed, data capacity and security. We also rely on third-party vendors, including data center, bandwidth and telecommunications equipment providers. A failure or interruption that results in the unavailability of any of our information systems or a major disruption of communications between a system and the customers we serve could disrupt the effective operation of our solutions and otherwise adversely impact our ability to manage our business effectively. We may experience system and service interruptions or disruptions for a variety of reasons, including as the result of network failures, power outages, cyber-attacks, employee errors, software errors, an unusually high volume of transactions, or localized conditions such as fire, explosions or power outages or broader geographic events such as earthquakes, storms, floods, epidemics, strikes, acts of war, civil unrest or terrorist acts. We have taken steps to mitigate our exposure to certain service disruptions by investing in redundant or blended circuits, although the redundant or blended circuits may also suffer disruption. Because we are dependent in part on independent third parties for the implementation and maintenance of certain aspects of our systems and because some of the causes of system interruptions may be outside of our control, we may not be able to remedy such interruptions in a timely manner, or at all. Any interruption or delay in or cessation of these services and systems could significantly disrupt operations, impact customers, damage our reputation, result in litigation, decrease the overall use and acceptance of our solutions, result in lost data and be costly, time consuming and difficult to remedy, any of which could have a material adverse effect on our business, financial condition and results of operations.

From time to time, and as more discussed in the section entitled "Legal Proceedings," we may be involved in litigation and other disputes or regulatory investigations that arise in and outside the ordinary course of business. We expect that the number, frequency and significance of these matters may increase as our business expands and we grow as a company. Litigation, disputes, or regulatory investigations may relate to, among other things, intellectual property, antitrust claims, commercial arrangements, negligence and fiduciary duty claims, vicarious liability based upon conduct of individuals or entities outside of our control, including our third-party service providers, deceptive trade practices, claims related to invoicing, personal injury claims, claims related to licensing, general fraud claims and employment law claims, including compliance with wage and hour regulations and contractual requirements. An adverse determination may result in liability to us for the claim and may also result in the imposition of penalties and/or fines. Like other companies that handle sensitive personal and payment information, we also face the possibility of allegations regarding employee fraud or misconduct. In addition to more general litigation, at times we are also a named party in claims made against our customers, including putative class actions challenging the legality and constitutionality of automated photo enforcement and other similar programs of our Government Solutions customers and consumer fraud claims brought against our RAC customers alleging faulty disclosures regarding our services. As a public company, we may also be subject to securities class action and stockholder derivative lawsuits. From time to time, we may also be reviewed or investigated by U.S. federal, state, or local regulators or regulators in the foreign jurisdictions in which we operate regarding similar and other matters, including tax assessments. These investigations can be commenced at the initiative of the governmental authority or as a result of complaints by private citizens, regardless of whether the complaint has any merit. At times, we are also required to obtain licensing and permitting, including with respect to matters such as general contracting, performance of engineering services, performance of electrical work and performance of private investigative work. Although we carry general liability insurance coverage, our insurance may not cover all potential claims to which we are exposed, whether as a result of a dispute, litigation or governmental investigation, and it may not adequately indemnify us for all liability that may be imposed. Any potential claims against us or investigation into our business and activities, whether meritorious or not, could be time consuming, result in significant legal and other expenses, require significant amounts of management time and result in the diversion of significant operational resources. Class action lawsuits can often be particularly burdensome given the breadth of claims, large potential damages and significant costs of defense. In the case of intellectual property litigation and proceedings, adverse outcomes could include the cancellation, invalidation or other loss of material intellectual property rights used in our business and injunctions prohibiting our use of business processes or technology that is subject to third-party patents or other third-party intellectual property rights. Legal or regulatory matters involving our directors, officers or employees in their individual capacities can also create exposure for us because we may be obligated or may choose to indemnify the affected individuals against liabilities and expenses they incur in connection with such matters. Regulatory investigations, including with respect to proper licensing, payment of wages, procurement practices or permitting, can also lead to enforcement actions, fines and penalties, the loss of a license or permit or the assertion of private litigation claims. Risks associated with these liabilities are often difficult to assess or quantify and their existence and magnitude can remain unknown for significant periods of time, making the amount of any legal reserves related to these legal liabilities difficult to determine and, if a reserve is established, subject to future revision. Future results of operations could be adversely affected if any reserve that we establish for a legal liability is increased or the underlying legal proceeding, investigation or other contingency is resolved for an amount in excess of established reserves. Because litigation and other disputes and regulatory investigations are inherently unpredictable, the results of any of these matters may have a material adverse effect on our business, financial condition and results of operations.

Personal information is used both as part of our business and in our role as an employer. In addition, as part of our Government Solutions, Commercial Services and Parking Solutions businesses, we process other data which may be considered personal information or sensitive personal information in certain jurisdictions, such as photographs and video recordings. As a result, we are subject to various laws and regulations regarding personal information, privacy and data security, including those promulgated by the United States federal government and its agencies, and state, local and foreign governments, agencies, and public authorities. Our personal information handling also is subject to our published privacy policies and notices, contractual obligations and industry standards. Laws, regulations and industry standards relating to privacy are rapidly evolving, can be subject to significant change and may result in ever-increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. These laws and regulations may also be subject to new or different interpretations. For example, in June 2018, California enacted the CCPA, which took effect on January 1, 2020. The CCPA was amended and expanded (including to apply to employee and business-to-business data) by the California Privacy Rights Act, which took effect on January 1, 2023. The CCPA created several new obligations for companies which process personal information. It also gives California residents expanded rights to access, delete and obtain a copy of their personal information; opt out of certain personal information disclosures; and receive detailed information about how their personal data is processed. The law provides for civil penalties against companies that fail to comply. Several other states have enacted privacy laws, including Virginia (effective January 1, 2023); Colorado and Connecticut (both effective July 1, 2023); Utah (effective December 31, 2023); Oregon, Texas, and Florida (all effective July 1, 2024); Montana (effective October 1, 2024); Delaware and Iowa (both effective January 1, 2025); New Jersey (effective January 16, 2025); Tennessee (effective July 1, 2025); and Indiana (effective January 1, 2026). Additional states have introduced privacy bills, and Congress has considered several privacy bills at the federal level. Regulations implementing the CCPA and Colorado have also been published, though many questions remain as to how all of the new statutes will be interpreted and enforced. In addition, the FTC uses its consumer protection authority to initiate enforcement actions against companies relating to their use and disclosure of personal information, particularly in response to actual or perceived unfair or deceptive acts or practices. Various U.S. state laws and regulations may also require us to notify affected individuals and state agencies in the event of a data breach involving personal information. Penalties for failure to adequately protect personal information, notify as required, or provide timely notice vary by jurisdiction. In the United States, most state data breach notification laws consider violations to be unfair or deceptive trade practices and give the relevant state attorneys general the authority to levy fines or bring enforcement actions. Some laws, such as the CCPA, also grant affected individuals a private right of action for certain data breaches. Class action lawsuits against companies which experience a data breach involving personal information are also common. Foreign laws concerning personal information, privacy and data security may be more restrictive and burdensome than those of the United States. Given that data is highly mobile and transferable, many data protection and privacy laws of foreign nations seek to have wide extraterritorial jurisdiction over conduct occurring outside geographical boundaries of the relevant jurisdiction. For example, on May 25, 2018, the GDPR replaced the 1995 Data Protection Directive. The GDPR extends the scope of E.U. data protection law to non-E.U. companies processing data of E.U. residents when certain conditions are satisfied. The GDPR contains numerous, more stringent requirements and changes from prior E.U. law, including more robust privacy and compliance obligations for both companies and their service providers, greater rights for individuals, heavier documentation requirements for data protection compliance programs, restrictions on transfers of personal data to non-E.U. countries, and prompt notice of data breaches to data subjects and supervisory authorities in certain circumstances. The GDPR fine framework can be up to 20 million Euros, or up to 4% of the company's total global turnover of the preceding fiscal year, whichever is higher. Further, our customers, through contractual requirements, could require us to comply with certain of these stringent requirements regardless of whether our business is actually subject to the GDPR. The costs could be high and deadlines short for compliance with these privacy- and data security-related laws, regulations, contractual requirements and industry standards, each of which may limit our ability to compete for new business, do business with certain government agencies, including our existing customers, or continue to access certain data, and may limit the use or adoption of our smart mobility technology solutions and services, reduce overall demand for our solutions and services, slow the pace at which we generate revenue, subject us to fines or penalties, or cause us to breach contractual commitments to our customers. As these laws, regulations, and standards continue to develop in the United States and internationally, we may be required to expend significant time and resources in order to update existing processes or implement additional mechanisms as necessary to ensure compliance. Moreover, if our policies, procedures or measures relating to these issues fail to comply, or regulators assert we have failed to comply, with applicable laws, regulations or industry standards, we may be subject to governmental enforcement actions, litigation, regulatory investigations, fines, algorithmic disgorgement, the inability to use previously-collected personal information or the inability to collect new personal information, other penalties and negative publicity, and our application providers, customers and partners may lose trust in or stop doing business with us entirely. We expect that there will continue to be new proposed laws, regulations and industry standards concerning personal information, privacy and data retention in the United States, the E.U. and other jurisdictions, and we cannot yet determine the impact of such future laws, regulations and industry standards may have on our business. Any of the foregoing could have a material adverse effect on our business, financial condition and results of operations.

The markets for our solutions are increasingly competitive, rapidly evolving and fragmented, and are subject to changing technology, shifting customer needs, contract renewals and new laws and policies. A number of vendors develop and market products and services that compete to varying extents with our offerings, and we expect this competition to intensify. The rapid rate of technological change in our industry could increase the chances that we will face competition from new products or services designed by companies that we do not currently compete with. Moreover, we face competition from our own customers as they may choose to invest in developing their own internal solutions. Some of our existing competitors and potential new competitors have longer operating histories, greater name recognition, less debt, more established customer bases and significantly greater financial, technical, research and development, marketing and other resources than we do. As a result, our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, standards or customer requirements. In some cases, our competitors may be better positioned to initiate or withstand substantial price competition, and we may have to reduce our pricing to retain existing business or obtain new business. If we are not able to maintain favorable pricing for our solutions, our profit margin and profitability could suffer. In addition, if a prospective customer is currently using a competing solution, the customer may be unwilling to switch to our solution without setup support services or other incentives. Certain existing and new competitors may be better positioned to acquire competitive solutions, develop new solutions, modify existing solutions, effectively negotiate third-party licenses and other strategic relationships, and take advantage of acquisition or other similar expansion opportunities. Any failure to achieve our target pricing levels, maintain existing customer relationships, generate additional customer wins or otherwise successfully compete would have a material adverse effect on our business, financial condition and results of operations.

Our business model depends in large part on our ability to retain existing work and attract new work from existing customers. If a customer is not satisfied with our products, services or solutions or the timeliness or quality of our work, we may incur additional costs to address the problem, the profitability of that contract may be impaired, we may experience payment delays, it could do harm to our reputation and hinder our ability to win new work from prospective customers. Failure to properly transition new customers to our systems or existing customers to our different systems, properly budget transition costs or accurately estimate contract costs could also result in delays and general customer dissatisfaction. Many of our contracts may be terminated by the customer upon specified advance notice without cause. Any failure to properly perform under our contracts or meet our customers' expectations could have a material adverse effect on our business, financial condition and results of operations.

We rely heavily on third-party providers, including subcontractors, manufacturers, software vendors, software application developers, and utility and network providers, to meet their obligations to us in a timely and high-quality manner. For example, we rely on third parties such as the National Law Enforcement Telecommunications System, Polk, DMVDesk, CVR and Dealertrack to provide a direct connection to state departments of motor vehicles (and their European equivalents) and other governmental agencies with which we do not have direct relationships for the driver and other information we use in our business. Our ability to offer our solutions would be materially affected if this access was unavailable or materially restricted, or if the price we pay increased significantly. Our Government Solutions business also relies on a number of third-party manufacturers, including camera manufacturers and automated license plate recognition providers, and outsources some engineering, construction, maintenance, printing and mailing, call center, image review and event processing work. Further, if one or more tolling authorities cancels our accounts, or stops providing transponders and we are unable to obtain transponders through other sources, our Commercial Services business would be affected. Our Parking Solutions business also relies on a number of domestic and foreign third-party manufacturers in the production of our Pay Station, PARCS and PE hardware solutions, and our inability to access third-party providers could have a material adverse effect on our business. We also outsource a meaningful percentage of our software development work to third parties. Some of our agreements with these third parties include termination rights, allowing the third party to terminate the arrangement in certain circumstances. For example, the agreements with our third-party payment processors give them the right to terminate the relationship if we fail to keep credit card chargeback and retrieval rates below certain thresholds. If any of our third-party providers are unable or unwilling to meet their obligations to us, fail to satisfy our expectations or those of our customers, including those imposed through flow-down provisions in prime contracts, or if they terminate or refuse to renew their relationships with us on substantially similar terms, we may be unable to find adequate replacements within a reasonable time frame, on favorable commercial terms or at all, and our business, financial condition and results of operations could be materially and adversely affected. While we perform some due diligence on these third parties and take measures to ensure that they comply with applicable laws and regulations, we do not have an extensive screening or review process and ultimately cannot guarantee our third-party providers will comply with applicable laws, the terms of their agreements or flow-down requirements from our customers. Misconduct or performance deficiencies by any of our third-party providers may be perceived as misconduct or poor performance by us, cause us to fall short on our contractual obligations to our customers or harm our reputation, any of which could have a material adverse effect on our business, financial condition and results of operations.

Adverse and uncertain macroeconomic conditions, including higher interest rates, inflation, slower growth or recession, barriers to trade, changes to fiscal and monetary policy, tighter credit, high unemployment, currency fluctuations, and other events beyond our control, such as economic sanctions, natural disasters, pandemics, epidemics, political instability, armed conflicts and wars, can materially adversely affect demand for our products and services. In addition, consumer spending and activities may be materially adversely affected in response to financial market volatility, negative financial news, conditions in the real estate and mortgage markets, declines in income or asset values, energy shortages and cost increases, labor and healthcare costs and other economic factors, all of which may have a negative affect on our business and results of operations. Additionally, uncertainty about, or a decline in, global or regional economic conditions may have a significant impact on our suppliers, manufacturers, logistics providers, distributors and other partners. Potential effects on our suppliers and partners include financial instability, inability to obtain credit to finance operations, and insolvency. A downturn in the economic environment can also lead to increased credit and collectability risk on our trade receivables, the failure of derivative counterparties and other financial institutions, limitations on our ability to issue new debt, reduced liquidity, and declines in the fair value of our financial instruments. These and other economic factors can materially adversely affect our business, results of operations, financial condition and stock price.