Brightcove (BCOV) Risk Factors

Many of the problems, delays and expenses we may encounter may be beyond our control. Such problems may include, but are not limited to, problems related to the technical development of our products and services, problems with the infrastructure for the distribution and delivery of online media, including those from third party providers on which we rely, the competitive environment in which we operate, marketing problems, consumer acceptance and costs and expenses that may exceed current estimates. Problems, delays or expenses in any of these areas could have a negative impact on our business, financial conditions or results of operations. Delays in the timely design, development, deployment and commercial operation of our product and service offerings, and consequently the achievement of our revenue targets and positive cash flow, could result from a variety of causes, including many causes that are beyond our control. Such delays include, but are not limited to, delays in the integration of new offers into our existing offering, changes to our products and services made to correct or enhance their features, performance or marketability or in response to regulatory developments or otherwise, delays encountered in the development, integration or testing of our products and services and the infrastructure for the distribution and delivery of online media and other systems, unsuccessful commercial launches of new products and services, delays in our ability to obtain financing, insufficient or ineffective marketing efforts and slower-than-anticipated consumer acceptance of our products. Delays in any of these matters could hinder or prevent our achievement of our growth objectives and hurt our business.

In recent years, there has been significant litigation in the United States involving patents and other intellectual property rights. Companies providing Internet-related products and services are increasingly bringing and becoming subject to suits alleging infringement of proprietary rights, particularly patent rights. These risks have been amplified by the increase in third parties whose sole or primary business is to assert such claims, some of whom have sent letters to and/or filed suit alleging infringement against us and some of our customers. From time to time, third parties claim that we are infringing upon their intellectual property rights. We could incur substantial costs in prosecuting or defending any intellectual property litigation. Additionally, the defense or prosecution of claims could be time-consuming, and could divert our management's attention away from the execution of our business plan. Moreover, any settlement or adverse judgment resulting from a claim could require us to pay substantial amounts or obtain a license to continue to use the technology that is the subject of the claim, or otherwise restrict or prohibit our use of the technology. There can be no assurance that we would be able to obtain a license from the third party asserting the claim on commercially reasonable terms, if at all, that we would be able to develop alternative technology on a timely basis, if at all, or that we would be able to obtain a license to use a suitable alternative technology to permit us to continue offering, and our customers to continue using, our affected product or service. In addition, we may be required to indemnify our customers for third-party intellectual property infringement claims, which would increase the cost to us. An adverse determination could also prevent us from offering our products or services to others. Infringement claims asserted against us may have an adverse effect on our business, financial condition and results of operations. Our agreements with customers often include contractual obligations to indemnify them against claims that our products infringe the intellectual property rights of third parties. The results of any intellectual property litigation to which we might become a party, or for which we are required to provide indemnification, may force us to do one or more of the following: - cease selling or using products or services that incorporate the challenged intellectual property;- make substantial payments for costs or damages;- obtain a license, which may not be available on reasonable terms, to sell or use the relevant technology; or - redesign those products or services to avoid infringement. If we are required to make substantial payments or undertake any of the other actions noted above as a result of any intellectual property infringement claims against us or any obligation to indemnify our customers for such claims, such payments or costs could have a material adverse effect upon our business and financial results.

Our internal computer systems and those of our current and any future strategic collaborators, vendors, and other contractors or consultants are vulnerable to damage from cyber-attacks, computer viruses, unauthorized access, natural disasters, cybersecurity threats, terrorism, war and telecommunication and electrical failures, and have experienced cyber-attacks in the past. Cyber incidents have been increasing in sophistication and frequency and can include third parties gaining access to employee or customer data using stolen or inferred credentials, computer malware, viruses, spamming, phishing attacks, ransomware, business email compromise, card skimming code, and other deliberate attacks and attempts to gain unauthorized access or cause disruption. Because the techniques used by attackers who may attempt to penetrate and sabotage our network security, infrastructure, or our website change frequently and may not be recognized until launched against a target, we may be unable to anticipate these techniques or implement adequate preventative or mitigating measures. If an actual or perceived security incident or breach occurs, the market perception of our security measures could be harmed and we could lose sales and customers. Any significant violations of data privacy or security obligations or unauthorized disclosure of or access to information could result in the loss of business, litigation and regulatory investigations and penalties that could damage our reputation and adversely impact our results of operations and financial condition. Moreover, if a security breach or compromise occurs with respect to another software as a service, or SaaS, provider, our customers and potential customers may lose trust in the security of the SaaS business model generally, which could adversely impact our ability to retain existing customers or attract new ones. It is also possible that unauthorized access to customer or employee data or our systems or infrastructure may be obtained through inadequate use of security controls by customers, suppliers or other vendors. If any such computer system failure, accident or security incident or breach were to occur and cause interruptions in our operations, it could result in a material disruption of our development programs and our business operations, whether due to a loss of our trade secrets or other proprietary or protected information or other disruptions. These cyber-attacks could be carried out by threat actors of all types (including but not limited to nation states, organized crime, other criminal enterprises, individual actors and/or advanced persistent threat groups). In addition, we may experience intrusions on our physical premises by any of these threat actors. Any security breaches, unauthorized access, unauthorized usage, virus or similar security incident or disruption, or any perceived security breach or other incident could result in loss of confidential information, personal data and customer content, damage to our reputation, early termination of our contracts, litigation, regulatory investigations, increased costs or other liabilities. If our security measures, or those of our partners or service providers, are breached as a result of third-party action, employee error, malfeasance or otherwise and, as a result, someone obtains unauthorized access to confidential information, personal data or customer content, our reputation will be damaged, our business may suffer or we could incur significant liability. If the measures we have put in place to limit or restrict access to and use of functionality, usage entitlements and support for customers or prospective customers are breached, circumvented or ineffective as a result of third-party action, employee error, malfeasance or otherwise and, as a result, someone obtains unauthorized access to and use of functionality, usage entitlements and support, our business may suffer or we could incur significant liability and/or costs. There can be no assurance that any limitations of liability provisions in our contracts for a security breach or incident would be enforceable or adequate or would otherwise protect us from any such liabilities or damages with respect to any particular claim. We also cannot be sure that our existing general liability insurance coverage and coverage for errors or omissions will continue to be available on acceptable terms or will be available in sufficient amounts to cover one or more large claims, or that the insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material adverse effect on our business, financial condition and operating results.

While we expect strong growth in the markets for our products and solutions, it is possible that the growth in some or all of these markets may not meet our expectations, or materialize at all. The methodology on which our estimate of our total potential market opportunity is based includes several key assumptions based on our industry knowledge and customer experience. If any of these assumptions proves to be inaccurate, then the actual market for our solutions could be significantly smaller than our estimates of our total potential market opportunity. If the customer demand for our offerings or the adoption rate in our target markets does not meet our expectations, our ability to generate revenue from customers and meet our financial targets could be adversely affected.

We sell our products pursuant to subscription agreements that are generally for annual terms. Our customers have no obligation to renew their subscriptions after their subscription period expires, and we have experienced losses of customers that elected not to renew, in some cases, for reasons beyond our control. For example, our largest customer during 2020 faced bankruptcy and, as a result, we lost substantially all of the revenue we expected to generate from this customer in 2020. In addition, even if subscriptions are renewed, they may not be renewed on the same or on more profitable terms. As a result, our ability to retain our existing customers and grow depends in part on subscription renewals. We may not be able to accurately predict future trends in customer renewals, and our customers' renewal rates have and may continue to fluctuate because of several factors, including their satisfaction or dissatisfaction with our services, the cost of our services and the cost of services offered by our competitors, a customer's ability to build a video streaming solution in-house, reductions in our customers' spending levels or the introduction by competitors of attractive features and functionality. If our customer retention rate decreases, we may need to increase the rate at which we add new customers in order to maintain and grow our revenue, which may require us to incur significantly higher sales and marketing expenses than we currently anticipate, or our revenue may decline. If our customers do not renew their subscriptions for our services, renew on less favorable terms, or do not purchase additional solutions or subscriptions, our revenue may grow more slowly than expected or decline, and our profitability and gross margins may be harmed or affected.

We and our customers may be subject to privacy and data protection-related laws and regulations that impose obligations in connection with the collection, use, storage, transfer, dissemination, security, and/or other processing ("Processing") of personally identifiable information (such personally identifiable information collectively with all information defined or described by applicable law as "personal data," "personal information," "PII" or any similar term, "Personally Identifiable Information") or other sensitive data. Existing U.S. federal and various state and foreign privacy and data protection-related laws and regulations are evolving and subject to potentially differing interpretations, and various legislative and regulatory bodies may expand current or enact new laws and regulations regarding privacy and data protection-related matters. International jurisdictions in which we have customers or employees have established data security and privacy frameworks with which we or our customers must comply. In addition, our business may be impacted by new regulations and guidance over machine learning and automated processing. In the United States, certain state laws may be more stringent or broader in scope, or offer greater individual rights, with respect to sensitive and personal information than federal or other state laws, and such laws may differ from each other, which may complicate compliance efforts. New laws, amendments to or re-interpretations of existing laws and regulations, rules of self-regulatory bodies, industry standards and contractual obligations may impact our business and practices, and we may be required to expend significant resources to adapt to these changes, or stop offering our products in certain countries. These developments could adversely affect our business, results of operations and financial condition. We may be subject to additional, more stringent privacy laws in other jurisdiction, such as the European Union's General Data Protection Regulation ("EU GDPR"). The EU GDPR, effective since May 25, 2018, imposes strict regulations and establishes a series of requirements regarding the collection, transfer, storage and processing of personal data. The EU GDPR has extra-territorial application and applies where a company, based outside the European Union, processes personal data of individuals based in the European Union as a result of offering goods or services to individuals based in the EU and/or monitoring their behavior. The EU GDPR governs the collection, use, disclosure, transfer or other processing of personal data of individuals in the EEA. Among other things, the EU GDPR imposes strict requirements regarding the security of personal data and notification of data breaches to the competent national data protection authorities, imposes limitations on retention of personal data, imposes stringent requirements relating to the consent of data subjects or ensuring another appropriate legal basis applies to the processing of personal data, requires us to maintain records of our processing activities and to document data protection impact assessments where there is high risk processing, ensuring certain measures are in place with third-party processors. The EU GDPR also confers a private right of action on data subjects and consumer associations to lodge complaints with competent national data protection authorities, seek judicial remedies, and obtain compensation for damages resulting from violations of the EU GDPR. Non-compliance could also result in the imposition of orders to stop data processing activities. The EU GDPR enhances data protection obligations for businesses and provides direct legal obligations for service providers processing personal data on behalf of customers, including with respect to cooperation with European data protection authorities, implementation of security measures and keeping records of personal data processing activities. Moreover, the EU GDPR requirements apply not only to third-party transactions, but also to transfers of information between us and our subsidiaries, including employee information. Noncompliance with the EU GDPR can trigger steep fines of up to €20 million or 4% of global annual revenues, whichever is higher. In addition, further to the UK's exit from the EU on January 31, 2020, the GDPR ceased to apply in the UK at the end of the transition period on December 31, 2020; however, the UK's European Union (Withdrawal) Act 2018 incorporated the EU GDPR (as it existed on December 31, 2020 but subject to certain UK specific amendments) into UK law, referred to as the UK GDPR. The UK GDPR and the UK Data Protection Act 2018 set out the UK's data protection regime, which is independent from but aligned to the EU's data protection regime. The UK has announced plans to reform the country's data protection legal framework in its Data Reform Bill, which will introduce significant changes from the EU GDPR. This may lead to additional compliance costs and could increase our overall risk exposure as we may no longer be able to take a unified approach across the EU and the UK. Non-compliance with the UK GDPR may result in monetary penalties of up to £17.5 million or 4% of worldwide revenue, whichever is higher. Although the UK is regarded as a third country under the EU's GDPR, the European Commission ("EC") has issued a decision recognizing the UK as providing adequate protection under the EU GDPR and, therefore, transfers of personal data originating in the EU to the UK remain unrestricted. Like the EU GDPR, the UK GDPR restricts personal data transfers outside the UK to countries not regarded by the UK as providing adequate protection. The UK government has confirmed that personal data transfers from the UK to the EEA remain free flowing. In addition to the EU GDPR, the European Union is also in the process of replacing the e-Privacy Directive (2002/58/EC) with a new set of rules taking the form of the ePrivacy Regulation, which will be directly implemented in the laws of each European member state, without the need for further enactment. Certain jurisdictions are actively applying the ePrivacy Directive to enforce cookie consent and consent requirements generally under the EU GDPR. Originally planned to be adopted and implemented at the same time as the EU GDPR, the ePrivacy Regulation is still going through the European legislative process. Any passed Regulation would go into effect two years from the twentieth day after its publication. In the meantime, the Directive is still in effect, and will continue to be in effect for the UK even after the Regulation has passed. Preparing for and complying with the EU GDPR, UK GDPR and the ePrivacy Regulation (if and when it becomes effective) has required and will continue to require us to incur substantial operational costs and may require us to change our business practices. Despite our efforts to bring practices into compliance with the EU GDPR and before the effective date of the ePrivacy Regulation, we may not be successful either due to internal or external factors such as resource allocation limitations and in inconsistency in interpretation of the law across EU regulatory bodies. Non-compliance could result in proceedings against us by governmental entities, customers, data subjects, consumer associations or others. The European Union has also passed regulations, such as the Digital Services Act (DSA), specific to intermediaries, cloud service providers and hosting services, including those that permit for user-generated content. These laws provide for specific requirements for removal of content, disclosures about the means used to generate targeted advertising and decisions made via automated decision making, and timelines for reporting compliance metrics. Given the scope of the responsibilities and specificity of the steps that apply respectively in different ways to portions of our business, compliance will require development and monitoring of processes, which increases costs beyond potential fines, such as human resources, investment in technology and potential losses from lost revenue from advertising. To enable the transfer of personal data outside of the EEA or the UK, adequate safeguards must be implemented in compliance with European and UK data protection laws, such as the Standard Contractual Clauses ("SCCs") published by the European Commission, binding corporate rules or certification to the EU-U.S. Data Privacy Framework that the European Commission adopted on July 10, 2023. The UK is not subject to the EC's new standard contractual clauses. The UK Information Commissioner's Office has published a version of a UK-specific transfer mechanism (the International Data Transfer Agreement), which came into effect on March 21, 2022, that enables transfers from the UK. The ICO has also permitted exporters to rely on the current version of the EU SCC's by implementing a UK Addendum stating as such. Moreover, on September 21, 2023, the UK Government adopted the Data Protection (Adequacy) Regulations 2023, also referred to as the "UK-U.S. Data Bridge", which will allow companies to transfer personal data from the UK to the US on the basis of the EU-U.S. Data Privacy Framework. We have implemented safeguards when conducting restricted data transfers under the EU and UK GDPR, and establishing and maintaining compliance will require significant effort and cost. While we have taken steps to mitigate the impact, such as implementing the new standard contractual clauses, certifying under the EU-US Data Privacy Framework and UK Extension and creating a risk assessment for transfers of personal information from our customers to the US, recent decisions indicate that the longevity of these mechanisms remains uncertain and may continue to evolve. Further action in this area could increase the risk of continued transfers or create costs for engaging a EU-based processor or cloud-service provider. Compliance obligations could cause us to incur costs or negatively affect the operations of our products and services in ways that harm our business. In the United States, many state legislatures have adopted or are considering legislation that regulates how businesses operate online, including measures relating to privacy. California enacted the California Consumer Privacy Act, or "CCPA," which creates new individual privacy rights for California consumers (as defined in the law) and places increased privacy and security obligations on entities handling personal data of consumers or households. The CCPA, effective since January 1, 2020, requires covered businesses, such as our company, to provide certain disclosures to consumers about its data collection, use and sharing practices, and to provide affected California residents with ways to opt-out of certain sales or transfers of personal information, in particular sharing for the purposes of targeted advertising. The California Privacy Rights Act ("CPRA"), an amendment expanding the rights of the CCPA to other types of California residents went into effect on January 1, 2023, creating a separate agency charged with enforcement and promulgating compliance guidelines and removing the 30-day cure period for alleged violations available under the CCPA. The CCPA provides for civil penalties for violations, as well as a private right of action for certain data breaches that result in the loss of personal information. This private right of action may increase the likelihood of, and risks associated with, data breach litigation. There continues to be uncertainty surrounding the enforcement and implementation of the CCPA exemplifying the vulnerability of our business to the evolving regulatory environment related to personal data and protected information. These penalties have been unchanged by the CPRA, but businesses no longer have a guaranteed 30-day cure period. Similar laws have been passed in numerous other states and other states have proposed similar new privacy laws. Such proposed legislation, if enacted, may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies. The existence of comprehensive privacy laws in different states in the country would make our compliance obligations more complex and costly and may increase the likelihood that we may be subject to enforcement actions, rely on vendors for portions of our compliance obligations or otherwise incur liability for noncompliance. In addition, other states have proposed and/or passed legislation that regulates the privacy and/or security of certain specific types of information like controllers of health-related information. These various privacy and security laws may impact our business activities, including our identification of research subjects, relationships with business partners and ultimately the marketing and distribution of our products. State laws are changing rapidly and there is discussion in the U.S. Congress of a new comprehensive federal data privacy law to which we may likely become subject, if enacted. With respect to all of the foregoing, any failure or perceived failure by us to comply with U.S. federal or state, EU or other foreign privacy or data security laws, policies, industry standards or legal obligations, or any security incident that results in the unauthorized Processing of Personally Identifiable Information or other customer data may result in governmental investigations, inquiries, enforcement actions and prosecutions, private litigation, fines and penalties or adverse publicity. Efforts to ensure that our business arrangements will comply with applicable information privacy laws may involve substantial costs. Various jurisdictions around the world continue to propose new laws that regulate the privacy and/or security of certain types of personal data. Complying with these laws, if enacted, would require significant resources and leave us vulnerable to possible fines and penalties if we are unable to comply. It is possible that governmental and enforcement authorities will conclude that our business practices may not comply with current or future statutes, regulations or case law. If we are unable to comply, or have not fully complied, with such laws, we could face penalties, including, without limitation, civil, criminal, and administrative penalties, damages, fines, individual imprisonment, or restructuring of our operations.

Our success depends upon the continued service of our executive officers, senior management team and key technical employees, as well as our ability to continue to attract and retain additional highly qualified personnel. Each of our executive officers, senior management team, key technical personnel and other employees could terminate his or her relationship with us at any time. The loss of any member of our senior management team or key personnel might significantly delay or prevent the achievement of our business objectives and could materially harm our business and our customer relationships. Robert Noreck will step down from his position as our Chief Financial Officer (CFO) effective as of the earlier of May 31, 2024 and the appointment of a successor CFO, and he will thereafter serve as a consultant, assisting with the transition of his responsibilities until September 30, 2024, at which time Mr. Noreck's services to us will terminate. The Board has an active search process underway to select our next CFO, however, leadership transitions can be inherently difficult to manage, and if we are unable to attract and retain a qualified candidate for the CFO position in a timely manner or we have an inadequate transition of our CFO, it may cause disruption to our business, including to our relationships with customers, vendors and employees. In addition, because of the nature of our business, the loss of any significant number of our existing engineering, project management and sales personnel could have an adverse effect on our business, financial condition and results of operations.