Alight (ALIT) Risk Factors

Our success depends, in part, on our ability to develop and implement new or revised solutions that anticipate and keep pace with rapid and continuing changes in technology, industry standards and client preferences. We may not be successful in anticipating or responding to these developments on a timely and cost-effective basis, and our ideas may not be accepted in the marketplace. Additionally, the effort to gain technological expertise and develop new technologies requires us to incur significant expenses. If we cannot offer new technologies as quickly as our competitors or if our competitors develop more cost-effective technologies, it could have a material adverse effect on our ability to obtain and complete client engagements. Innovations in software, cloud computing or other technologies that alter how our services are delivered could significantly undermine our investments in our business if we are slow or unable to take advantage of these developments or experience any unanticipated consequences from the deployment of such technologies. We are continually developing and investing in innovative and novel service offerings, including a recent transition to a business process as a service ("BPaaS") offering, which we believe will address needs that we identify in the markets. In some cases, our BPaaS offerings may require new or unique pricing structures, which may include performance guarantees or fees at risk that differ significantly from our historical practices. These initiatives carry the risks associated with any new solution development effort, including cost overruns, delays in delivery and implementation and performance issues. There can be no assurance that we will be successful in developing, marketing and selling new solutions or enhancements that meet these changing demands, that we will not experience difficulties that could delay or prevent the successful development, implementation, introduction and marketing of these solutions or enhancements, or that our new solutions and enhancements will adequately meet the demands for the marketplace and achieve market acceptance. Any of these developments could have an adverse impact on our future revenue and/or business prospects. Nevertheless, for those efforts to produce meaningful value, we are reliant on a number of other factors, some of which are outside of our control, to deem them suitable, and whether those parties will find them suitable will be subject to their own particular circumstances.

To protect our intellectual property rights, we rely on a combination of trademark laws, copyright laws, patent laws, trade secret protection, confidentiality agreements and other contractual arrangements with our affiliates, employees, clients, strategic partners and others. However, the protective steps that we take may be inadequate to deter misappropriation of our proprietary information and technology. In addition, we may be unable to detect the unauthorized use of, or take appropriate steps to enforce, our intellectual property rights. Further, effective trademark, copyright, patent and trade secret protection may not be available in every country in which we offer our services or competitors may develop products similar to our products that do not conflict with our related intellectual property rights. Failure to protect our intellectual property adequately could harm our reputation and affect our ability to compete effectively. In addition, to protect or enforce our intellectual property rights, we may initiate litigation against third parties, such as infringement suits or interference proceedings. Third parties may assert intellectual property rights claims against us, which may be costly to defend, could require the payment of damages and could limit our ability to use or offer certain technologies, products or other intellectual property. Any intellectual property claims, with or without merit, could be expensive, take significant time and divert management's attention from other business concerns. Successful challenges against us could require us to modify or discontinue our use of technology or business processes where such use is found to infringe or violate the rights of others, or require us to purchase licenses from third parties (which may not be available on terms acceptable to us, or at all), any of which could adversely affect our business, financial condition and operating results.

One of our significant responsibilities is to maintain the security, including cybersecurity, and privacy of our employees' and clients' confidential and proprietary information and the confidential information about clients' employees' health, financial and wellbeing information and other personally identifiable information. However, all information technology systems are potentially vulnerable to damage or interruption from a variety of sources, including but not limited to cyber-attacks, computer viruses, malware, hacking, fraudulent use attempts, "ransomware" and phishing attacks and security breaches. Our systems are also subject to compromise from internal threats such as improper action by employees, vendors and other third parties with otherwise legitimate access to our systems. Despite our efforts, from time-to-time, we experience attacks and other cyber-threats to our systems and networks and have from time-to-time experienced cyber security incidents such as computer viruses, unauthorized parties gaining access to our information technology systems and similar matters, which to date have not had a material impact on our business. These attacks can seek to exploit, among other things, known or unknown vulnerabilities in technology included in our information systems or those of third-party providers. Because the techniques used to obtain unauthorized access are constantly changing and becoming increasingly more sophisticated and often are not recognized until launched against a target, we or our third-party providers may be unable to anticipate these techniques or implement sufficient preventative measures. If we are unable to efficiently manage the vulnerability of our systems and effectively maintain and upgrade our system safeguards, we may incur unexpected costs and certain of our systems may become more vulnerable to unauthorized access. For example, there has been a stark increase in new financial fraud schemes akin to ransomware attacks on large companies whereby a cybercriminal installs a type of malicious software, or malware, that prevents a user or enterprise from accessing computer files, systems, or networks and demands payment of a ransom for their return. Cyber criminals may also attempt to fraudulently induce employees, clients or other users of our systems to disclose sensitive information in order to gain access to our data or that of our clients or users. In addition, while we have certain standards for all vendors that provide us services, our vendors, and in turn, their own service providers, have experienced and in the future may continue to become subject to the same types of security breaches. In the future, these types of incidents could result in intellectual property or other confidential information being lost or stolen, including client, employee or business data. In addition, we may not be able to detect breaches in our information technology systems or assess the severity or impact of a breach in a timely manner. We have implemented various measures to manage our risks related to system and network security and disruptions, but an actual or perceived security breach, a failure to make adequate disclosures to the public or law enforcement agencies following any such event or a significant and extended disruption in the functioning of our information technology systems could damage our reputation and cause us to lose clients, adversely impact our operations, sales and operating results and require us to incur significant expense to address and remediate or otherwise resolve such issues. We maintain policies, procedures and technological safeguards designed to protect the security and privacy of this information. These include, for example, the appropriate encryption of information, the use of anti-virus, anti-malware and other protections. Nonetheless, we cannot eliminate the risk of human error or inadequate safeguards against employee or vendor malfeasance or cyber-attacks that could result in improper access to, misappropriation, destruction or disclosure of confidential, personal or proprietary information and we may not become aware in a timely manner of any such security breach. Such unauthorized access, misappropriation, destruction or disclosure could result in the loss of revenue, reputational damage, indemnity obligations, damages for contract breach, civil and criminal penalties for violation of applicable laws, regulations or contractual obligations, and significant costs, fees and other monetary payments for remediation. Furthermore, our clients may not be receptive to services delivered through our information technology systems and networks following an actual or perceived security breach due to concerns regarding transaction security, user privacy, the reliability and quality of internet service and other reasons. The release of confidential information as a result of a security breach could also lead to litigation or other proceedings against us by affected individuals or business partners, or by regulators, and the outcome of such proceedings, which could include penalties or fines, could have a significant negative impact on our business. Additionally, in order to maintain the level of security, service and reliability that our clients require, we may be required to make significant additional investments in our methods of delivering services. In many jurisdictions, including North America and the European Union, we are subject to laws and regulations relating to the collection, use, retention, security and transfer of information including the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA") and the HIPAA regulations governing, among other things, the privacy, security and electronic transmission of individually identifiable protected health information, the Personal Information Protection and Electronic Documents Act ("PIPEDA") and the European Union General Data Protection Regulation ("GDPR"). California also enacted legislation, the California Consumer Privacy Act of 2018 ("CCPA") and the related California Privacy Rights Act ("CPRA"), that afford California residents expanded privacy protections and a private right of action for security breaches affecting their personal information. Virginia and Colorado have similarly enacted comprehensive privacy laws, the Consumer Data Protection Act and Colorado Privacy Act, respectively, both laws of which emulate the CCPA and CPRA in many respects. We anticipate federal and state regulators to continue to consider and enact regulatory oversight initiatives and legislation related to privacy and cybersecurity. These and other similar laws and regulations are frequently changing and are becoming increasingly complex and sometimes conflict among the various jurisdictions and countries in which we provide services both in terms of substance and in terms of enforceability. This makes compliance challenging and expensive. Our failure to adhere to or successfully implement processes in response to changing regulatory requirements in this area could result in legal liability or impairment to our reputation in the marketplace. Further, regulatory initiatives in the area of data protection are more frequently including provisions allowing authorities to impose substantial fines and penalties, and therefore, failure to comply could also have a significant financial impact.

We depend upon the members of our senior management team who possess extensive knowledge and a deep understanding of our business and our strategy. The unexpected loss of any of our senior management team could have a disruptive effect adversely impacting our ability to manage our business effectively and execute our business strategy. Competition for experienced professional personnel is intense, particularly for technology professionals in the areas in which we operate, and we are constantly working to retain and attract these professionals. If we cannot successfully do so, our business, operating results and financial condition could be adversely affected. We must develop our personnel to provide succession plans capable of maintaining continuity in the midst of the inevitable unpredictability of personnel retention. While we have plans for key management succession and long-term compensation plans designed to retain the senior employees, and continue to review and update those plans, if our succession plans do not operate effectively, particularly in an increasingly competitive job market, our business could be adversely affected.

We provide our outsourcing services over long-term periods for variable or fixed fees that generally are less than our clients' historical costs to provide for themselves the services we contract to deliver. Clients' demand for cost reductions may increase over the term of the agreement. As a result, we bear the risk of increases in the cost of delivering services to our clients, and our margins associated with particular contracts will depend on our ability to control our costs of performance under those contracts and meet our service commitments cost-effectively. Over time, some of our operating expenses will increase as we invest in additional infrastructure and implement new technologies to maintain our competitive position and meet our client service commitments. We must anticipate and respond to the dynamics of our industry and business by using quality systems, process management, improved asset utilization and effective supplier management tools. We must do this while continuing to grow our business so that our fixed costs are spread over an increasing revenue base. If we are not able to achieve this, our ability to sustain and increase profitability may be reduced.

Our competitors may have greater resources, larger client bases, greater name recognition, stronger presence in certain geographies and more established relationships with their clients and suppliers than we have. In addition, new competitors, alliances among competitors or mergers of competitors could result in our competitors gaining significant market share and some of our competitors may have or may develop a lower cost structure, adopt more aggressive pricing policies or provide services that gain greater market acceptance than the services that we offer or develop. Large and well-capitalized competitors may be able to respond to the need for technological changes (including the implementation of AI and ML) and innovate faster, or price their services more aggressively. They may also compete for skilled professionals, finance acquisitions, fund internal growth and compete for market share more effectively than we do. If we are unable to compete successfully, we could lose market share and clients to competitors, which could materially adversely affect our results of operations. To respond to increased competition and pricing pressure, we may have to lower the cost of our solutions or decrease the level of service provided to clients, which could have an adverse effect on our financial condition or results of operations.

Our reputation is a key asset of our business. Our ability to attract and retain clients is highly dependent upon the external perceptions of our level of service, trustworthiness, business practices, financial condition and other subjective qualities. Negative perceptions or publicity regarding these matters could erode trust and confidence and damage our reputation among existing and potential clients, which could make it difficult for us to attract new clients and maintain existing ones as mentioned above. Negative public opinion could also result from actual or alleged conduct by us or those currently or formerly associated with us in any number of activities or circumstances, including operations, regulatory compliance, and the use and protection of data and systems, satisfaction of client expectations, and from actions taken by regulators or others in response to such conduct. This damage to our reputation could further affect the confidence of our clients, rating agencies, regulators, stockholders and the other parties in a wide range of transactions that are important to our business having a material adverse effect on our business, financial condition and operating results.

The results of our business are generally affected by the level of business activity of our clients, which in turn is affected by the level of economic activity in the industries, markets and regions these clients serve. The level of economic activity may be affected by unforeseen events, such as adverse weather conditions, natural disasters (including those as a result of climate change), catastrophic events, war (including the ongoing conflict between Russia and Ukraine), terrorism or public health conditions. Additionally, substantial changes to trade, inflation rates, interest rates, currency exchange rates, monetary and fiscal policies, political conditions, employment rates (including as a result of an increasingly competitive job market), limitations on a government's spending and/or ability to issue debt, and constriction and volatility in the credit markets, may occur and would affect our business. For example, rising interest rates and challenging credit markets may adversely impact our clients' ability to grow their business and contract with us. Economic downturns in some markets may cause reductions in technology and discretionary spending by our clients, which may result in reductions in the growth of new business as well as reductions in existing business. If our clients become financially less stable, enter bankruptcy, liquidate their operations or consolidate, our revenues and/or collectability of receivables could be adversely affected. Our contracts also depend upon the number of our clients' employees or the number of participants in our clients' employee benefit plans. If our clients become financially less stable, change their staffing models, enter bankruptcy, liquidate their operations or consolidate, that could result in layoffs or other reductions in the number of participants in our clients' employee benefit plans. We may also experience decreased demand for our services as a result of postponed or terminated outsourcing of human resource ("HR") functions. Reduced demand for our services could increase price competition and have an adverse effect on our financial condition or results of operations.

Our operations are conducted globally. Additionally, one aspect of our growth strategy is to expand in key markets around the world. Accordingly, we are subject to legal, economic and market risks associated with operating in, and sourcing from, foreign countries, including: - difficulties in staffing and managing our foreign offices, such as unexpected wage inflation, worker attrition, or job turnover, increased travel and infrastructure costs, as well as legal and compliance costs associated with multiple international locations;- fluctuations or unexpected volatility in foreign currency exchange rates and interest rates;- imposition or increase of investment and other restrictions by foreign governments;- longer payment cycles;- greater difficulties in accounts receivable collection;- insufficient demand for our services in foreign jurisdictions;- our ability to execute effective and efficient cross-border sourcing of services on behalf of our clients;- restrictions on the import and export of technologies; and - trade barriers, tariffs or sanctions laws. If we are unable to manage the risks of our global operations and geographic expansion strategy, our results of operations and ability to grow could be materially adversely affected.

Our operations are dependent upon our ability to protect our personnel, offices and technology infrastructure against damage from business continuity events that could have a significant disruptive effect on our operations. Should we or a key vendor or other third party experience a local or regional disaster or other business continuity problem, such as an earthquake, fire, flood, hurricane, or other weather event, terrorist attack, pandemic, security breach, power loss, telecommunications failure, software or hardware malfunctions or other natural or man-made disaster, our continued success will depend, in part, on the availability of our personnel, office facilities and the proper functioning of existing, new or upgraded computer systems, telecommunications and other related systems and operations. In events like these, while our operational size, the multiple locations from which we operate and our existing back-up systems provide us with some degree of flexibility, we still can experience near-term operational challenges with regard to particular areas of our operations. We could potentially lose access to key executives and personnel, client data or experience material adverse interruptions to our operations or delivery of services to our clients in a disaster recovery scenario. We regularly assess and take steps to improve upon our existing business continuity plans and key management succession. However, a disaster on a significant scale or affecting certain of our key operating areas within or across regions, or our inability to successfully recover should we experience a disaster or other business continuity problem, could materially interrupt our business operations and cause material financial loss, loss of human capital, regulatory actions, reputational harm, damaged client relationships or legal liability.