Blackbaud (BLKB) Risk Factors

Fundamental to the use of our solutions is the secure collection, storage and transmission of confidential donor, customer and end user data, personally identifiable information and transaction data, including in our payment services. Despite the network, application and physical security procedures and internal control measures we employ to safeguard our systems, we have been, and in the future may be, vulnerable to a security breach, intrusion, loss or theft of confidential donor data and transaction data, which has in the past harmed and may in the future harm our business, reputation and future financial results. Furthermore, our reliance on remote access to information systems increases our exposure to potential cybersecurity incidents. Like virtually all major businesses, we are, from time to time, a target of cyberattacks, such as the Security Incident (as described below and in Note 11 to our consolidated financial statements in this report), information systems interruptions, phishing, social engineering schemes and other systems disruptions. We expect these threats to continue, some of which have been, and in the future may be, successful to varying degrees. Because the numerous and evolving cybersecurity threats used to obtain unauthorized access, disable, degrade or sabotage systems have become increasingly more complex and sophisticated, it may be difficult to anticipate these acts or to detect them for periods of time, as with the Security Incident, and we may be unable to respond adequately or timely. As these threats continue to evolve and increase, we have already devoted and expect to continue to devote significant resources in order to modify and enhance our security controls and to identify and remediate any security vulnerabilities. A compromise of our data security, such as the Security Incident, that results in customer or customer constituent personal or payment card data being obtained by unauthorized persons could adversely affect our reputation with our customers and others, as well as our operations, results of operations, financial condition and liquidity and has resulted in, and could in the future result in, litigation against us, government investigations or the imposition of fines and penalties. (See Note 11 to our consolidated financial statements in this report for information regarding litigation, government investigations, fines and penalties related to the Security Incident.) We have been, and in the future might be, required to expend significant additional capital and other resources to rectify problems caused by a security breach, including notification under data privacy laws and regulations, and incur expenses related to remediating our information security systems. Even though we may carry cyber-technology insurance policies that provide insurance coverage under certain circumstances, we have in the past suffered losses and may in the future suffer losses as a result of a security breach that exceed the coverage available under our insurance policies or for which we do not have coverage. (See Note 11 to our consolidated financial statements in this report for expense and insurance coverage information related to the Security Incident.) Furthermore, in the future such insurance may not be available on commercially reasonable terms, or at all. A security breach and any efforts we make to address such breach could also result in a disruption of our operations, particularly our online sales operations. The occurrence of actual cyber security events, such as the Security Incident, could magnify the severity of the adverse effects of future incidents on our business. The techniques used to obtain unauthorized access, disable or degrade service, or sabotage information systems can be difficult to detect for long periods of time and can involve difficult or prolonged assessment or remediation periods even once detected. We, therefore, cannot assure you that all potential causes of past significant incidents, including the Security Incident, have been fully identified and remediated. The steps we take may not be sufficient to prevent future significant incidents and, as a result, such incidents may occur again.

Certain of our solutions, in particular our financial management and payment services solutions, relate to activity heavily regulated by government agencies in the U.S., the U.K. and other countries in which we operate. The laws and regulations enforced by these agencies are proposed or enacted to deter fraud and other illicit financial transactions and to protect consumers and the financial system and are often revised or increased in scope. We have procedures and controls in place to monitor compliance with numerous federal, state and foreign laws and regulations. However, because these laws and regulations are complex, differ between jurisdictions, and are often subject to interpretation, or as a result of unintended errors, we may, from time to time, inadvertently violate these laws and regulations. Compliance with these laws and regulations is expensive and requires the time and attention of management. These costs divert capital and focus away from efforts intended to grow our business. If we do not successfully comply with laws, regulations, or policies, we could incur fines or penalties, be subject to litigation, lose existing or new customer contracts or other business, and suffer damage to our reputation. In addition, changes in certain laws, regulations or policies could impact our customers, alter our business environment and limit our operations. For example, various financial institutions subscribe to our EVERFI training solution, which they may then provide free of charge to schools in low-income and moderate-income communities as a means of satisfying their obligations under the Community Reinvestment Act of 1977, as amended (the "CRA"). Repeal or significant modification of the CRA or the many government agency regulations and policies implementing its provisions could cause financial institutions to limit or eliminate their purchases of these EVERFI solutions and thereby negatively impact our operating results and financial condition.

We are subject to income taxes in the United States and various other jurisdictions. Significant judgment is often required in the determination of our worldwide provision for income taxes. Our effective tax rate could be impacted by changes in our earnings and losses in countries with differing statutory tax rates, changes in operations, changes in non-deductible expenses, changes in excess tax benefits of stock-based compensation, changes in the valuation of deferred tax assets and liabilities and our ability to utilize them, the applicability of withholding taxes, effects from acquisitions, and changes in accounting principles and tax laws. Any changes, ambiguity or uncertainty in taxing jurisdictions' administrative interpretations, decisions, policies and positions could also materially impact our income tax liabilities. We may also be subject to additional tax liabilities and penalties due to changes in non-income-based taxes resulting from changes in federal, state, local or international tax laws, changes in taxing jurisdictions' administrative interpretations, decisions, policies and positions, results of tax examinations, settlements or judicial decisions, changes in accounting principles, or changes to our business operations, including as a result of acquisitions. For example, the U.S. Inflation Reduction Act of 2022 created an excise tax of 1% on the value of any stock repurchased by us after December 31, 2022. We could be subject to this excise tax, but the amount will vary depending on various factors, including the amount and frequency of any stock repurchases and any permitted reductions or exceptions to the amount subject to the tax. Any resulting increase in our tax obligation or cash taxes paid could adversely affect our financial position and cash flows. We are also subject to tax examinations or engaged in alternative resolutions in multiple jurisdictions. While we regularly evaluate new information that may change our judgment resulting in recognition, derecognition or changes in measurement of a tax position taken, there can be no assurance that the final determination of any examinations will not have an adverse effect on our operating results or financial position. As we utilize our tax credits and net operating loss carryforwards, we may be unable to mitigate our tax obligations to the same extent as in prior years, which could have a material impact to our future cash flows. In addition, changes to our operating structure, including changes related to acquisitions, may result in cash tax obligations. Global tax developments applicable to multinational businesses may have a material impact to our business, cash flow from operating activities, or financial results. Such developments, for example, may include certain United States' proposals as well as the Organization for Economic Co-operation and Development's, the European Commission's and certain major jurisdictions' heightened interest in and taxation of companies participating in the digital economy.

Our market is highly competitive and rapidly evolving, and there are limited barriers to entry for many segments of this market. The companies we compete with and other potential competitors may have greater financial, technical and marketing resources, generate greater revenue and have better name recognition than we do. Also, a large, diversified software enterprise could decide to enter the market directly, including through acquisitions. Competitive pressures can adversely impact our business by limiting the prices we can charge our customers and making the adoption and renewal of our solutions more difficult. Our competitors might also establish or strengthen cooperative relationships with resellers and third-party consulting firms or other parties with whom we have had relationships, thereby limiting our ability to promote our solutions. These competitive pressures could cause our revenue and market share to decline. In addition, the introduction of solutions encompassing new technologies can render existing solutions obsolete and unmarketable. As a result, our future success will depend, in part, upon our ability to continue to enhance existing solutions and develop and introduce in a timely manner or acquire new solutions that keep pace with technological developments, satisfy increasingly sophisticated customer requirements and achieve market acceptance. If we are unable to develop or acquire on a timely and cost-effective basis new software solutions or enhancements to existing solutions or if such new solutions or enhancements do not achieve market acceptance, we may be unable to compete successfully and our business, results of operations and financial condition may be materially adversely affected.

Many organizations in the social impact community, including nonprofits, foundations, companies, education institutions, and healthcare organizations, have not traditionally used integrated and comprehensive software and services for their specific needs. We cannot be certain that the market for such solutions and services will continue to develop and grow or that these organizations will elect to adopt our solutions and services rather than continue to use traditional, less automated methods, attempt to develop software internally, rely upon legacy software systems, or use software solutions not specifically designed for this market. Organizations that have already invested substantial resources in other fundraising methods or other non-integrated software solutions might be reluctant to adopt our solutions and services to supplement or replace their existing systems or methods. In addition, the implementation of one or more of our software solutions can involve significant capital commitments by our customers, which they may be unwilling or unable to make. If demand for and market acceptance of our solutions and services does not increase, we might not grow our business as we expect. Furthermore, our subscription arrangements are generally for a term of three years at contract inception with three-year renewals thereafter. Our maintenance arrangement renewals are generally for a term of three years. As the end of the contract term approaches, we seek the renewal of the agreement with the customer. Historically, subscription and maintenance renewals have represented a significant portion of our total revenue. Because of this characteristic of our business, if our customers choose not to renew their subscriptions or maintenance arrangements with us on beneficial terms or at all, our business, operating results and financial condition could be harmed. Our customers' renewal rates may decline or fluctuate as a result of a number of factors, including their level of satisfaction with our solutions and services and their ability to continue their operations and spending levels due to general economic conditions, extraordinary business interruptions, client-specific financial issues or otherwise.

Our solutions provide our customers payment processing capabilities that enable their constituents to make donations and purchase services using numerous payment options, including credit card and automated clearing house ("ACH") checking transactions, through secure online transactions. The provision of convenient, trusted, fast and effective payment processing services to our customers and potential customers is critical to our business, and revenue from payments processing constitutes a significant percentage of our total revenue. Increases in payment processing fees, material changes in our payment processing systems, changes to rules or regulations concerning payments or disruptions or failures in our payment processing systems or payment products, including products we use to update payment information, could materially adversely impact our customer retention and results of operation. In addition, from time to time, we encounter fraudulent use of payment methods that could result in substantial additional costs or delay, preclude planned transactions, product launches or improvements, require significant and costly operational changes, impose restrictions, limitations, or additional requirements on our business, products and services, prevent or limit us from providing our products or services in a given market and adversely impact customer retention. Furthermore, we continue to undertake system upgrades designed to improve the availability, reliability, resiliency and speed of our payments systems. These efforts are costly and time-consuming, involve significant technical complexity and risk, may divert our resources from new features and products and may ultimately not be effective. The rules of payment card associations in which we participate require that we comply with Payment Card Industry Data Security Standard ("PCI DSS") in order to preserve security of payment card data. Under PCI DSS, we are required to adopt and implement internal controls over the use, storage and security of payment card data to help prevent card fraud. Conforming our solutions and services to PCI DSS or other payment services related regulations or requirements imposed by payment networks or our customers or payment processing partners is expensive and time-consuming. However, failure to comply may subject us to fines, penalties, damages and civil liability, may impair the security of payment card data in our possession, and may harm our reputation and our business prospects, including by limiting our ability to process transactions. All Blackbaud products in scope for PCI DSS compliance meet applicable PCI DSS security requirements. In addition, we routinely subject our various data protection processes and controls to voluntary third-party review, audit or reporting, including, for example, the American Institute of Certified Public Accountants' System and Organization Controls reporting. Failure to conduct these voluntary data protection process and control reviews or to obtain and maintain audits or reports covering our data protection processes and controls may harm our reputation or our business prospects and our ability to market our solutions to our customers.

Our online social giving platforms receive a high degree of media coverage for particularly news-worthy or controversial fundraising campaigns, as well as for our fee-based business model. Although our terms of service provide express limitations on the platforms' user-initiated fundraising campaigns and reserve our right to remove content that violates our terms of service, it may not always be possible to remove such content prior to it receiving attention in the media. Negative publicity related to our online social giving platforms could have an adverse effect on the size, engagement and loyalty of our user base and could result in decreased revenue, which could adversely affect our business and financial results.

A large percentage of our customers are nonprofits, foundations, education institutions, healthcare organizations and other members of the social impact community that fully or partially rely on charitable donations. If charitable giving, including online giving, does not continue to grow or declines, it could limit our current and potential customers' ability to use and pay for our solutions and services, which could adversely affect our operating results and financial condition. In addition, we derive a significant portion of our revenue from transaction-based payment processing fees that we collect from our customers through our Blackbaud Merchant Services solution, which enables our customers' donors to make donations and purchase goods and services using various payment options. A reduction in the growth of, or a decline in, charitable giving to these customers, whether due to deteriorating general economic conditions, the impact of past or future changes to applicable tax laws, or otherwise, could negatively impact the volume and size of such payment processing transactions and thereby adversely affect our operating results and financial condition.

We currently have non-U.S. operations primarily in the U.K., Canada, Australia and Costa Rica, and we intend to expand further into international markets. Expansion of our international operations will require a significant amount of attention from our management and substantial financial resources and might require us to add qualified management in these markets. Our direct sales model requires us to attract, retain and manage qualified sales personnel capable of selling into markets outside the United States. In some cases, our costs of sales might increase if our customers require us to sell through local distributors. If we are unable to grow our international operations in a cost-effective and timely manner, our business and operating results could be harmed. Increases in our international revenues denominated in foreign currencies subject us to fluctuations in foreign currency exchange rates. If we expand our international operations, exposures to gains and losses on foreign currency transactions may increase. (See Foreign Currency Exchange Rates on page 59 for more information regarding the impact of foreign currency exchange rates on our operations.) Doing business internationally involves additional risks that could harm our operating results. Along with risks similar to those faced by our U.S. operations, our international operations are also subject to risks related to differing legal, political, social and regulatory requirements and economic conditions, including: - the imposition of additional withholding taxes or other tax on our foreign income, tariffs or restrictions on foreign trade or investment, including currency exchange controls;- greater risk of a failure of our employees and partners to comply with both U.S. and foreign laws, including antitrust regulations, the U.S. Foreign Corrupt Practices Act, the U.K. Bribery Act of 2010, and any trade regulations ensuring fair trade practices;- the imposition of, or unexpected adverse changes in, foreign laws or regulatory requirements, including those pertaining to export restrictions, privacy and data protection, trade and employment restrictions and intellectual protections; and - general business disruptions caused by geopolitical situations and developments.

As previously disclosed, on July 16, 2020, we contacted certain customers to inform them about the Security Incident, including that in May 2020 we discovered and stopped a ransomware attack. Prior to our successfully preventing the cybercriminal from blocking our system access and fully encrypting files, and ultimately expelling them from our system with no significant disruption to our operations, the cybercriminal removed a copy of a subset of data from our self-hosted environment that affected over 13,000 customers. Based on the nature of the incident, our research and third party (including law enforcement) investigation we believe that no data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly. To date, we have received approximately 260 specific requests from customers for reimbursement of expenses incurred by them related to the Security Incident, all of which have been fully resolved and closed or are inactive and are considered by us to have been abandoned by the customers. We have also received approximately 400 reservations of the right to seek expense recovery in the future from customers or their attorneys in the U.S., U.K. and Canada related to the Security Incident, none of which resulted in claims submitted to us and are considered by us to have been abandoned by the customers. We have also received notices of proposed claims on behalf of a number of U.K. data subjects, which we are reviewing. In addition, insurance companies representing various customers' interests through subrogation claims have contacted us, and certain insurance companies have filed subrogation claims in court, of which two cases remain active and unresolved. In addition, presently, we are a defendant in putative consumer class action cases in U.S. federal courts (most of which have been consolidated under multi district litigation to a single federal court) and in Canadian courts alleging harm from the Security Incident. The plaintiffs in these cases, who generally purport to represent various classes of individual constituents of our customers, generally claim to have been harmed by alleged actions and/or omissions by us in connection with the Security Incident and assert a variety of common law and statutory claims seeking monetary damages, injunctive relief, costs and attorneys' fees, and other related relief. On May 14, 2024, the Court issued a memorandum opinion and order (1) denying the multi district litigation plaintiffs' motion for class certification because of the plaintiffs' failure to meet their burden of proof as to ascertainability, (2) granting our motion to exclude the multi district litigation plaintiffs' expert on the issue of ascertainability, and (3) denying the multi district litigation plaintiffs' motion to exclude our expert on the issue of ascertainability. Further, the Court denied as moot all other pending motions. On May 28, 2024, the plaintiffs filed a petition for permission to appeal under Rule 23(f) of the Federal Rules of Civil Procedure with the Fourth Circuit Court of Appeals (the "Fourth Circuit"), and we subsequently filed an opposition to such petition. On July 30, 2024, the Fourth Circuit denied the plaintiffs' petition. This litigation remains ongoing. We are subject to pending governmental actions or investigations by the U.S. Department of Health and Human Services, the Office of the Australian Information Commissioner and the Office of the Privacy Commissioner of Canada. (See Note 9 to our unaudited, condensed consolidated financial statements included in this report for a more detailed description of the Security Incident and related matters.) On March 9, 2023, the Company reached a settlement with the SEC in connection with the Security Incident that fully resolved the previously disclosed SEC investigation of the Security Incident. On October 5, 2023, the Company entered into separate, substantially similar Administrative Orders with each of 49 state Attorneys General and the District of Columbia in connection with the Security Incident which fully resolved the previously disclosed multi-state Civil Investigative Demand and the separate Civil Investigative Demand from the Office of the Indiana Attorney General relating to the Security Incident. On May 20, 2024, the U.S. Federal Trade Commission (the "FTC") finalized an Order (the "FTC Order") evidencing its settlement with us in connection with the Security Incident. As part of the FTC Order, we were not fined and were not otherwise required to make any payment. Furthermore, we agreed to the FTC Order without admitting or denying any of the FTC's allegations, except as expressly stated otherwise in the FTC Order. The settlement described in the FTC Order fully resolved the FTC investigation. For more information, see the form of proposed order that was furnished as Exhibit 99.2 to our Current Report on Form 8-K filed with the SEC on February 2, 2024 and is identical in substance to the final FTC Order, and in Note 11 to our audited consolidated financial statements contained in our Annual Report on Form 10-K filed with the SEC on February 21, 2024. On June 13, 2024, we agreed to a Final Judgment and Permanent Injunction with the Attorney General of the State of California (the "California Judgment") relating to the Security Incident. This settlement fully resolved the last remaining U.S. state attorney general investigation into the Security Incident. Under the terms of the settlement, we agreed to comply with applicable laws; not to make misleading statements related to our data protection, privacy, security, confidentiality, integrity, breach notification requirements, and similar matters; and to implement and improve certain cybersecurity programs and tools. The terms of the settlement with California are generally consistent with those to which we agreed in settling with the other 49 state Attorneys General and the District of Columbia on October 5, 2023, as discussed below. As part of the settlement, we also agreed to pay a total of $6.8 million to the State of California. This amount was fully accrued as a contingent liability in the Company's financial statements as of March 31, 2024 and June 30, 2024, and subsequently paid in the third quarter of 2024. Nothing contained in the California Judgment is intended to be, and shall not in any event be construed or deemed to be, an admission or concession or evidence of any liability or wrongdoing whatsoever on the part of Blackbaud or any fact or violation of law, rule, or regulation. For more information, see the Final Judgment and Permanent Injunction of the State of California, County of San Diego that was furnished as Exhibit 99.1 to our Current Report on Form 8-K filed with the SEC on June 14, 2024. As noted above, the terms of the California Judgment, FTC Order, the Attorneys General Administrative Orders and our settlement with the SEC require that we implement and maintain certain processes and programs and comply with certain legal requirements related to cybersecurity and data protection. Any future regulatory investigation or litigation settlements may also contain such requirements. Effectively implementing, monitoring and updating these requirements has been, and is expected to be over an extended period of time, expensive and time-consuming. Our failure to do so in accordance with the terms of our agreements with FTC, the Attorneys General and with the SEC, and possibly others, could expose us to additional material liability under the terms of the Administrative Orders, the SEC settlement, or otherwise. See Note 9 to our unaudited, condensed consolidated financial statements in this report for a more detailed description of the Security Incident and related matters. We may be named as a party in additional lawsuits, other claims may be asserted by or on behalf of our customers or their constituents, and we may be subject to additional governmental inquires, requests or investigations. Responding to and resolving these current and any future lawsuits, claims and/or investigations could result in material remedial and other expenses that will not be covered by insurance. It is reasonably possible that our estimated or actual losses may change in the near term for those matters and be materially in excess of the amounts accrued. Certain governmental authorities have imposed, and others may in the future impose, undertakings, injunctive relief, consent decrees, or other civil or criminal penalties, which have materially increased our data security costs or otherwise required us to alter how we operate our business, and could further do so in the future. Although we intend to defend ourselves vigorously against the claims asserted against us, we cannot predict the potential outcomes, cost and expenses associated with current and any future claims, lawsuits, inquiries and investigations. In addition, any legislative or regulatory changes adopted in reaction to the Security Incident or other companies' data breaches could require us to make modifications to the operation of our business that could have an adverse effect and/or increase or accelerate our compliance costs. Significant management time and Company resources have been, and are expected to continue to be, devoted to the Security Incident. For example, for the nine months ended September 30, 2024, we incurred net pre-tax expenses of $12.8 million related to the Security Incident, which included $6.0 million for ongoing legal fees and additional accruals for loss contingencies of $6.8 million. During the nine months ended September 30, 2024, we had cash outlays of $15.1 million related to the Security Incident for ongoing legal fees and the $6.8 million paid during the third quarter of 2024 related to our settlement with the Attorney General of the State of California. For full year 2023, we currently expect pre-tax expenses of approximately $5.0 million to $10.0 million and cash outlays of approximately $8.0 million to $13.0 million for ongoing legal fees related to the Security Incident. Although we carry insurance against certain losses related to the Security Incident, we exceeded the limit of that insurance coverage in the first quarter of 2022. As a result, we will be responsible for all expenses or other losses (including penalties, fines or other judgments) or all types of claims that may arise in connection with the Security Incident, which could materially and adversely affect our liquidity and results of operations. (See Note 9 to our unaudited, condensed consolidated financial statements in this report.) If any such fines, penalties or judgments were great enough that we could not pay them through funds generated from operating activities and/or cause a default under the 2024 Credit Facilities, we may be forced to renegotiate or obtain a waiver under the 2024 Credit Facilities and/or seek additional debt or equity financing. Such renegotiation or financing may not be available on acceptable terms, or at all. In these circumstances, if we were unable to obtain sufficient financing, we may not be able to meet our obligations as they come due. In addition, publicity or developments related to the Security Incident could in the future have a range of other adverse effects on our business or prospects, including causing or contributing to loss of customer confidence, reduced customer demand, reduced customer retention, strategic growth opportunities, and associated retention and recruiting difficulties, some or all of which could be material.

To meet our objectives successfully, we must attract and retain highly qualified personnel with specialized skill sets. If we are unable to attract and retain suitably qualified management, there could be a material adverse impact on our business. Further, we use equity incentive programs and equity awards in lieu of cash as part of our overall employee compensation agreements to both attract and retain personnel. A decline in our stock price could negatively impact the value of these equity incentive and related compensation programs as retention and recruiting tools. We may need to create new or additional equity incentive programs and/or compensation packages to remain competitive, which could be dilutive to our existing stockholders and/or adversely affect our results of operations.

We expect to continue licensing technologies from third parties, including applications used in our research and development activities, technologies that are integrated into our solutions and solutions that we resell. We believe that the loss of any third-party technologies currently integrated into our solutions could have a material adverse effect on our business. Our inability in the future to obtain any third-party licenses on commercially reasonable terms, or at all, could delay future solution development until equivalent technology can be identified, licensed or developed and integrated. This inability in turn could harm our business and operating results. Our use of third-party technologies also exposes us to increased risks including, but not limited to, risks associated with the integration of new technology into our solutions, the diversion of our resources from development of our own proprietary technology and our inability to generate revenue from licensed technology sufficient to offset associated acquisition and maintenance costs.