Alkami Technology (ALKT) Risk Analysis

We rely heavily on hardware, software, technology infrastructure, digital networks and a range of other information technology systems for both internal and external operations that are critical to our business (collectively, "IT Systems"). We own and manage some of these IT Systems but also rely for on IT Systems and related services that are operated, managed, integrated or otherwise provided by a host of third partners service providers, vendors, and business partners. In addition certain elements of our solutions process and store PI, including banking and payment data and other PI regarding our clients' customers, such as social security numbers, and we may also have access to PI during various stages of the implementation process or during the course of providing client support. We, like other organizations, particularly in the financial technology sector, routinely are subject to and vulnerable to cybersecurity threats, privacy breaches, insider threats, data breaches or other incidents that threaten the confidentiality, integrity and availability of critical IT Systems and may either result in threatened or actual exposure resulting in unauthorized access, disclosure and misuse of PI or other information regarding clients, client customers, vendors, employees, third-party providers, or our company and business, and our technologies, IT Systems and networks have been subject to attempted cybersecurity attacks. Information security risks for banking and technology companies such as ours have significantly increased in recent years in part because of the proliferation of new technologies, the use of the internet and telecommunications technologies to conduct financial transactions, and the increased sophistication and activities of organized crime, hackers, terrorists and other external parties. Because of our position in the financial services industry, we expect to continue to be a target of such threats and attacks. Additionally, geopolitical events and resulting government activity could also lead to information security threats and attacks by affected jurisdictions and their sympathizers. Although we maintain policies, procedures and technological safeguards and administrative controls designed to protect our information technology system and applications, violations of such policies, procedures and safeguards have occurred in the past and, despite the security measures we have in place, there can be no assurance that our cybersecurity risk management program and processes (or those of our third-party providers or partners) will prevent damage to, or interruption or breach of, our IT Systems and operations. Given the unpredictability of the timing, nature and scope of cybersecurity attacks and other security-related incidents, our technology may fail to adequately secure IT Systems or the data and PI we maintain in our databases, and we cannot entirely eliminate the risk of improper or unauthorized access to or disclosure of data or PI, other security events that impact the confidentiality, integrity or availability of data, PI or our IT Systems, or the related costs we may incur to mitigate the consequences from such events. Additionally, we cannot guarantee that our insurance coverage would be sufficient to cover all losses or that relevant insurance will be available in the future on economic terms or at all. Further, the Alkami Digital Banking Platform involves flexible and complex software solutions, which by their very nature are subject to misconfigurations, implementation errors, "bugs," defects or other security vulnerabilities that can lead to security breaches or incidents. We have experienced unlawful attempts to disrupt or gain access to our IT Systems, and we are vulnerable to future attacks that may result in unauthorized access to or disclosure of client customer PI or other data and disruption of our or our clients' operations. We may be unable to anticipate or prevent techniques used to obtain unauthorized access or to sabotage systems, react in a timely manner or implement adequate preventative measures. Additionally, we and client customers integrate our solutions with certain third-party systems used by our clients which may have access to PI and other data about our clients. Our ability to monitor such third parties' security measures is limited, and a vulnerability in a third-party system with which we integrate could result in a disruption to our IT Systems or unauthorized access to or disclosure, modification, misuse, loss or destruction of our clients' and client customers' PI and other data, including our business information. Any of the foregoing could result in a material adverse effect on our business, reputation, financial condition and results of operations. In addition, because we leverage third-party providers, including cloud, software, data center and other critical technology vendors to deliver our solutions to our clients and their customers, we rely heavily on the data security technology practices and policies adopted by these third-party providers. Such third-party providers have access to PI and other data about our clients and employees, and some of these providers in turn subcontract with other third-party providers. Our ability to monitor our third-party providers' data security is limited. A vulnerability in our third-party providers' software or systems, a failure of our third-party providers' safeguards, policies or procedures, or a breach of a third-party provider's software or systems could result in the compromise of the confidentiality, integrity or availability of our IT Systems or the data housed in our third-party solutions. Due to the size and complexity of our technology platform and services, the amount of PI and other data that we store and the number of clients, employees and third-party providers with access to PI and other data, we are potentially vulnerable to a variety of cybersecurity attacks and other security-related incidents and threats, which could result in a material adverse effect on our business, financial condition and results of operations. Cybersecurity attacks and other malicious internet-based activity continue to increase, evolve in nature and become more sophisticated, and providers of digital products and services have been and are expected to continue to be targeted. Furthermore, the use of generative artificial intelligence has made it easier for threat actors to develop and evolve attacks. Threats to our IT Systems and those of our third-party providers or clients may result from human error, fraud or malice on the part of employees or third parties, including state-sponsored organizations with significant financial and technological resources, or from accidental technological failure. In addition to traditional computer "hackers," malicious code (such as viruses and worms), phishing, ransomware, social engineering attacks, employee theft, unauthorized access or misuse and denial-of-service attacks, sophisticated criminal networks as well as nation-state and nation-state supported actors now engage in attacks, including advanced persistent threat intrusions. Current or future criminal capabilities, including by the use of generative artificial intelligence, discovery of existing or new vulnerabilities and attempts to exploit those vulnerabilities or other developments, may compromise or breach our IT Systems or solutions. In the event our or our third-party providers' protection efforts are unsuccessful and our IT Systems or solutions are compromised, we could suffer substantial harm. Any cybersecurity attacks, security breaches, phishing attacks, ransomware attacks, computer malware, computer viruses, computer hacking attacks, unauthorized access, coding or configuration errors or similar incidents experienced by us or our third-party providers could result in operational disruptions and the loss, compromise or corruption of client or client customer data (including PI) or data we rely on to provide our solutions, including our analytics initiatives and offerings, and impair our ability to provide our solutions and meet our clients' requirements, resulting in decreased revenues and otherwise adversely affecting our business, financial condition and results of operations. Any such incidents may also result in regulatory investigations and orders, litigation (including class actions), disputes, investigations, indemnity obligations, damages for contract breach or penalties for violation of applicable laws or regulations. Also, our reputation could suffer irreparable harm, causing our current and prospective clients to decline to use our solutions in the future. Further, we could be forced to expend significant financial and operational resources in response to a security breach, including repairing system damage, increasing security protection costs by deploying additional personnel and modifying or enhancing our protection technologies, investigating and remediating any information security vulnerabilities and defending against and resolving legal and regulatory claims, all of which could divert resources and the attention of our management and key personnel away from our business operations and materially and adversely affect our business, financial condition and results of operations. Federal, state and international regulations, including new regulations promulgated by the SEC, may require us or our clients to notify governmental entities, individuals and/or investors of data security incidents involving certain types of PI or IT Systems or that materially impact our business. Security compromises experienced by others in our industry, our clients, our third-party providers or us may lead to public disclosures and widespread negative publicity. Any security compromise in our industry, whether actual or perceived, could erode client confidence in the effectiveness of our security measures, negatively impact our ability to attract new clients, cause existing clients to elect not to renew or expand their use of our solutions or subject us to third-party lawsuits, regulatory fines or other actions or liabilities, which could materially and adversely affect our business, financial condition and results of operations. If we are not able to detect and identify activity on our platform that might be nefarious in nature or design processes or systems to reduce the impact of similar activity at a third-party provider, our clients and/or client customers could suffer harm, including because many of our products and services are integrated with or connected to our clients' systems and processes. In such cases, we could face exposure to legal claims, particularly if the client and/or client customer suffered actual harm. We cannot ensure that any limitations of liability provisions in our client and user agreements, contracts with third-party providers and other contracts for a security lapse or breach or other security-related matter would be enforceable or adequate or would otherwise protect us from any liabilities or damages with respect to any particular claim. We also cannot ensure that our existing insurance coverage will continue to be available on acceptable terms or will be available in sufficient amounts to cover one or more large claims related to a security incident or breach, or that the insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could adversely affect our reputation and our business, financial condition and results of operations. In addition, our clients contractually require notification of certain data security compromises and include representations and warranties in their contracts with us that our solutions comply with certain legal and technical standards related to data security and privacy and meet certain service levels. In our contracts, a data security compromise or operational disruption impacting us or one of our critical vendors, or system unavailability or damage due to other circumstances, may constitute a material breach and give rise to a client's right to terminate its contract with us. In these circumstances, it may be difficult or impossible to cure such a breach in order to prevent clients from potentially terminating their contracts with us. Furthermore, although our client contracts typically include limitations on our potential liability, we cannot ensure that such limitations of liability would be adequate. We also cannot be sure that our existing general liability insurance coverage and coverage for errors or omissions will be available on acceptable terms or will be available in sufficient amounts to cover one or more claims, or that our insurers will not deny or attempt to deny coverage as to any future claim. The successful assertion of one or more claims against us, the inadequacy or denial of coverage under our insurance policies, litigation to pursue claims under our policies or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or coinsurance requirements, could materially and adversely affect our business, financial condition and results of operations.

The market for digital solutions for financial service providers is intensely competitive and characterized by rapid changes in technology and frequent new product introductions and improvements. We anticipate continued challenges from current competitors, including point solution vendors and core processing vendors, many of whom are well-established and enjoy greater resources, as well as from new entrants into the industry, which could include well-established companies with distinct advantages, such as cloud providers, search providers, social media providers and large providers of software to businesses and consumers. If we are unable to anticipate or react to these competitive challenges, our competitive position could weaken, and we could experience a decline in revenues that could adversely affect our business, financial condition and results of operations. Many of our existing competitors have, and some of our potential competitors could have, substantial competitive advantages such as: - greater name recognition and larger client bases;- larger sales and marketing budgets and resources;- greater client support resources;- larger research and development budgets; and - substantially greater financial, technical and other resources. Potential clients may also prefer to continue their relationship with their existing partner rather than change to a new partner regardless of product performance or features. As a result, even if the features of the Alkami Digital Banking Platform are superior, clients may not purchase our solution. In addition, innovative start-up companies, and larger companies that are making significant investments in research and development, may develop similar or superior products and technologies that compete with our solutions. Our current and potential competitors may also establish cooperative relationships among themselves or with third parties that may further enhance their market position. As a result, our current or potential competitors might be able to adapt more quickly to new technologies and client customer needs, devote greater resources to the promotion or sale of their products and services, initiate or withstand substantial price competition, take advantage of acquisitions or other opportunities more readily, or develop and expand their product and service offerings more quickly than we can. Further, conditions in our industry could change rapidly and significantly as a result of technological advancements. These competitive pressures in our market or our failure to compete effectively may result in price reductions, reduced revenues and gross margins and loss of market share. If our clients do not renew their subscriptions for our solutions on similar or more favorable terms to us, our revenues may decline and it could have a material and adverse effect on our business, financial condition and results of operations.

We believe that a strong brand is necessary to continue to attract and retain clients. We need to maintain, protect and enhance our brand in order to expand our base of clients. This will depend largely on the effectiveness of our marketing efforts, our ability to provide reliable services that continue to meet the needs of our clients at competitive prices, our ability to maintain our clients' trust, our ability to continue to develop new functionality and use cases, and our ability to successfully differentiate our services and platform capabilities from competitive products and services, which we may not be able to do effectively. While we may choose to engage in a broader marketing campaign to further promote our brand, this effort may not be successful or cost effective. Our brand promotion activities may not generate customer awareness or yield increased revenues, and even if they do, any increased revenues may not offset the expenses we incur in building our brand. If we are unable to maintain or enhance client awareness in a cost-effective manner, our brand and our business, financial condition and results of operations could be materially and adversely affected. Our corporate reputation is susceptible to damage by actions or statements made by adversaries in legal proceedings, current or former employees or clients, competitors and vendors, as well as members of the investment community and the media. There is a risk that negative information about our company, even if based on false rumor or misunderstanding, could adversely affect our business. In particular, damage to our reputation could be difficult and time-consuming to repair, could make potential or existing clients reluctant to select us for new engagements, resulting in a loss of business, and could adversely affect our employee recruitment and retention efforts. Damage to our reputation could also reduce the value and effectiveness of our brand name and could reduce investor confidence in us and materially and adversely affect our business, financial condition and results of operations.

Our clients and prospective clients, as FIs, are highly regulated and are generally required to comply with stringent regulations in connection with managing their vendors, in particular those that are performing business functions that our solutions address. As a provider of technology services to such FIs, we may in the future be subject to examination by various federal and state regulatory agencies, including those agencies that comprise the Federal Financial Institutions Examination Council ("FFIEC"), and we are also required to review and perform due diligence on certain of our third-party providers. Matters subject to review and examination by the FFIEC, federal and state regulatory agencies and external auditors include, but are not limited to, our internal information technology controls in connection with our performance of data processing services, the agreements giving rise to those processing activities and the design of our solutions, as well as our systems and technical infrastructure, our cybersecurity posture, our business recovery planning, our management and our financial condition. In addition, while we are not regulated by the National Credit Union Administration ("NCUA"), as a result of our registration as a CUSO, we are subject to disclosure, annual reporting and other requirements imposed by the NCUA. In addition, the Dodd-Frank Act granted the CFPB authority to promulgate rules and interpret certain federal consumer financial protection laws, some of which apply to the solutions we offer to our clients. In certain circumstances, the CFPB also has examination and supervision powers with respect to service providers who provide a material service to an FI offering consumer financial products and services. While many of our operations are not directly subject to the same regulations applicable to FIs, we are legally and contractually obligated to our clients to provide software solutions and maintain internal systems and processes that comply with certain federal and state regulations applicable to them. Compliance with current or future digital accessibility, privacy, data protection and information security laws to which we or our FI clients are subject could result in higher compliance and technology costs and could restrict our ability to fully exploit our capabilities or provide certain products and services, which could materially and adversely affect our ability to operate profitably. Our failure to offer products and solutions that directly or indirectly comply with such laws, including as interpreted and applied by courts and regulators, could result in potentially significant regulatory and/or governmental investigations and/or actions, litigation, fines, sanctions and damage to our reputation and our brand. In recent years, there has been increasing enforcement activity in the areas of digital accessibility, privacy, data protection and information security in various markets in which our customers operate. For example, as a result of obligations under our client contracts, we are required to comply with certain provisions of the Gramm-Leach-Bliley Act ("GLBA") related to the privacy of consumer information and may be subject to other privacy, security and digital accessibility requirements because of the solutions we provide to FIs. We may also be subject to other laws because of the solutions we provide to FIs. Any inability to satisfy regulatory or contractual expectations in connection with applicable regulations and guidance could adversely affect our ability to conduct our business, including attracting and maintaining clients, require significant costs to correct, harm our reputation, or lead to liability to third parties, including our customers or their consumers. Further, if we have to make changes to our internal processes and solutions as result of applicable regulations or guidance or findings from examinations, we could be required to invest substantial additional time and funds and divert time and resources from other corporate purposes to remedy any identified deficiency or gap. In addition, individual claimants and other third parties, including advocates for the blind or other persons with disabilities, have filed lawsuits or issued cease and desist requests to FIs, including our clients, on grounds that websites or mobile applications offered to consumers do not meet the needs of individuals with a disability within the meaning of Section 3(2) of the Americans with Disabilities Act of 1990, 42 U.S.C. §§ 12101, 12102(2) ("ADA") and the Title III regulations implementing the ADA contained in 28 C.F.R. §§ 36.101, et seq. Third-party advocates and individuals with disabilities seek changes to existing law and regulation, or advocate for novel legal rulings in court, against FIs when desktop websites or mobile applications do not meet or exceed the Web Content Accessibility Guidelines 2.1 digital accessibility standard, which was developed in part to help ensure that the content developed for banks, credit unions and other financial institutions can be accessed and used by people with or without disabilities. The evolving, complex and often unpredictable regulatory and litigation environment in which our clients operate could result in our failure to provide compliant solutions, which could result in clients not purchasing our solutions or terminating their contracts with us or the imposition of fines or other liabilities for which we may be responsible or for which our clients may seek indemnity from us. In addition, federal, state and/or foreign agencies may attempt to further regulate our activities in the future which could materially and adversely affect our business, financial condition and results of operations. For example, existing laws, regulations and guidance could be amended or interpreted differently by regulators in a manner that imposes additional costs and has a negative impact on our existing operations or that limits our future growth. In addition, new regulations could require costly changes in our processes, infrastructure or personnel. Finally, actions by regulatory authorities could influence both the decisions our clients make concerning the purchase of our solutions and the timing and implementation of these decisions. Substantial research and development and other corporate resources have been and will continue to be applied to adapt our solutions to this evolving, complex and often unpredictable regulatory environment.

We are subject to federal, state, and local income taxes. Our future effective tax rate could be affected by changes in the valuation of our deferred tax assets and liabilities, certain non-deductible expenses related to acquisitions, and changes in federal, state, or local tax laws or their interpretation. If such changes take place, there is a risk that our effective tax rate may be favorably or unfavorably affected, impacting our result of operations. Additionally, an increasing number of states have adopted laws or administrative practices that impose new taxes on all or a portion of gross revenue or impose additional tax collection obligations on out-of-state companies. Each jurisdiction has different rules and regulations governing sales and use, consumption, and similar taxes. These rules are subject to varying interpretation and could be changed, modified, or applied adversely to us as a result of factors outside of our control. One or more states where we do not collect taxes may successfully assert that such taxes are applicable, which could result in material tax assessments, including for past sales, as well as penalties and interest.

In operating our business and providing services and solutions to our clients, we collect, use, store, transmit and otherwise process sensitive employee and client data, including PI regarding client customers and other individuals, in and across multiple jurisdictions, including at times, across national borders. As a result, we are subject to a variety of laws and regulations in the United States, Europe and around the world, as well as contractual obligations and industry standards, regarding data privacy, security and protection. In many cases, these laws, regulations and industry standards apply not only to third-party transactions, but also to transfers of information between or among us, our subsidiary and other parties with which we have commercial relationships. Data privacy, information security, and data protection are significant issues in the United States and globally. The regulatory framework governing the collection, processing, storage, use and sharing of certain information, particularly financial and other PI, is rapidly evolving and is likely to continue to be subject to uncertainty and varying interpretations. The occurrence of unanticipated events and development of evolving technologies often rapidly drives the adoption of legislation or regulation affecting the use, collection or other processing of data and manner in which we conduct our business. We publicly post documentation regarding our practices concerning the collection, processing, use and disclosure of information. Although we endeavor to comply with our published policies and documentation, we may at times fail to do so or be alleged to have failed to do so. Any failure or perceived failure by us to comply with our privacy policies or any applicable privacy, security or data protection, information security or consumer protection-related laws, regulations, orders or industry standards in one or more jurisdictions could expose us to costly litigation, significant awards, fines or judgments, civil and/or criminal penalties or negative publicity, and could materially and adversely affect our business, financial condition and results of operations. The publication of our privacy policy and other documentation that provide promises and assurances about data privacy and security can subject us to potential global or U.S. state and federal action if they are found to be deceptive, unfair, or misrepresentative of our actual practices, which could materially and adversely affect our business, financial condition and results of operations. We expect that there will continue to be new proposed and adopted laws, regulations and industry standards concerning privacy, data protection and information security in the United States and other jurisdictions in which we operate. For example, in the United States, we are subject to the rules and regulations promulgated under the authority of the Federal Trade Commission. Additionally, the GLBA (along with its implementing regulations) restricts certain collection, processing, storage, use and disclosure of personal information, requires notice to individuals of privacy practices and provides individuals with certain rights to prevent the use and disclosure of certain nonpublic or otherwise legally protected information. These rules also impose requirements for the safeguarding and proper destruction of personal information through the issuance of data security standards or guidelines. In addition, every state in which we operate (and the District of Columbia) has laws that protect the privacy and security of sensitive and personal information. Certain U.S. state laws may be more stringent or broader in scope, or offer greater individual rights, with respect to sensitive and personal information than international, federal, or other state laws, and such laws may differ from each other, which may complicate compliance efforts. For example, California enacted the California Consumer Privacy Act of 2018 ("CCPA") which, among other things, requires companies covered by the legislation to provide new disclosures to California consumers and afford such consumers new rights, including the right to access and delete certain personal information, as well as the right to opt-out of certain sales of personal information. The CCPA provides for civil penalties for violations, as well as a private right of action for certain data breaches that result in the loss of personal information. This private right of action may increase the likelihood of, and risks associated with, data breach litigation. Additionally, the California Privacy Rights Act ("CPRA"), passed in November 2020, imposes additional obligations on companies covered by the legislation and significantly modifies the CCPA, including by expanding consumers' rights with respect to certain sensitive personal information. The CPRA also created a new state agency vested with authority to implement and enforce the CCPA and the CPRA. The effects of existing state legislation, including the CCPA and the CPRA, are significant and has required and may require us in the future to modify our data collection or processing practices and policies and to incur substantial costs and expenses in an effort to comply and increase our potential exposure to regulatory enforcement and/or litigation. In addition, new privacy and security legislation may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies Internationally, many jurisdictions have established their own data privacy and security legal framework with which we or our clients may need to comply as client customers travel outside of the United States, including, but not limited to, the European Union ("EU"). The EU's data protection landscape is currently evolving, resulting in possible significant operational costs for internal compliance and risk to our business. The EU has adopted the General Data Protection Regulation ("GDPR"), which contains numerous requirements and changes from previously existing EU law, including more robust obligations on data processors and heavier documentation requirements for data protection compliance programs by companies. In particular, under the GDPR, fines of up to 20 million euros or up to 4% of the annual global revenues of the noncompliant company, whichever is greater, could be imposed for violations of certain of the GDPR's requirements. Such penalties are in addition to any civil litigation claims by clients and data subjects. Because the interpretation and application of many data privacy and protection laws along with contractually imposed industry standards are uncertain, it is possible that these laws may be interpreted and applied in a manner that is inconsistent with our existing data management practices, solutions or platform capabilities. Any failure or perceived failure by us, or any third parties with which we do business, to comply with our posted privacy policies, changing consumer expectations, evolving laws, rules and regulations, industry standards, or contractual obligations to which we or such third parties are or may become subject, may result in actions or other claims against us by governmental entities or private actors, the expenditure of substantial costs, time and other resources or the incurrence of significant fines, penalties or other liabilities. In addition, any such action, particularly to the extent we were found to be guilty of violations or otherwise liable for damages, would damage our reputation and adversely affect our business, financial condition and results of operations. We cannot yet fully determine the impact these or future laws, rules, regulations and industry standards may have on our business or operations. Any such laws, rules and regulations may be inconsistent among different jurisdictions, subject to differing interpretations or may conflict with our current or future practices. Additionally, our clients may be subject to differing privacy laws, rules and legislation, which may mean that they require us to be bound by varying contractual requirements applicable to certain other jurisdictions. Adherence to such contractual requirements may impact our collection, use, processing, storage, sharing and disclosure of various types of information including financial information and other PI, and may mean we become bound by, or voluntarily comply with, self-regulatory or other industry standards relating to these matters that may further change as laws, rules and regulations evolve. Complying with these requirements and changing our policies and practices may be onerous and costly, and we may not be able to respond quickly or effectively to regulatory, legislative and other developments. These changes may in turn impair our ability to offer our existing or planned features, products and services and/or increase our cost of doing business. As we expand our client base, these requirements may vary from client to client, further increasing the cost of compliance and doing business.

Any of our operating facilities or infrastructure may be harmed or rendered inoperable by natural or man-made disasters, including hurricanes, tornadoes, wildfires, floods, earthquakes, nuclear disasters, acts of terrorism or other criminal activities, infectious disease outbreaks or pandemic events, such as the COVID-19 pandemic, power outages and other infrastructure failures, which may render it difficult or impossible for us to operate our business for some period of time. Our facilities would likely be costly to repair or replace, and any such efforts would likely require substantial time. Any disruptions in our operations could harm our reputation and materially and adversely affect our business, financial condition and results of operations. Moreover, although we have disaster recovery plans, they may prove inadequate. We may not carry sufficient business insurance to compensate for losses that may occur, and if such events become more frequent it may adversely impact the cost or availability of insurance going forward. Any such losses or damages could have a material adverse effect on our business and results of operations. In addition, the facilities of our third-party providers, including AWS, may be harmed or rendered inoperable by such natural or man-made disasters, which could cause disruptions, difficulties or otherwise materially and adversely affect our business, financial condition and results of operations.