CoStar Group (CSGP) Risk Analysis

Our business relies on IT Systems and involves the generation, collection, storage, processing, and transmission of Confidential Information, including personal information and proprietary business information, by us and by third-party providers we rely on. We own and manage IT Systems but also rely on third-party managed IT Systems and a broad array of third-party products and services to support our business operations. An increasing number of organizations, including large merchants, businesses, technology companies, and financial institutions, as well as government institutions, have disclosed security incidents, disruptions to, and breaches of their or third-party providers' IT Systems, some of which have involved sophisticated and highly targeted attacks, including on websites, mobile applications, and infrastructure, following a trend of cyberattacks increasing in frequency and magnitude on a global basis. Our IT Systems, or those of third parties on which we rely, may be disrupted or damaged and our Confidential Information may be compromised, corrupted, lost, or stolen. The tools and techniques (including AI) used to obtain unauthorized, improper, or illegal access to a target's systems, data, or customers' data, disable or degrade services, or sabotage systems are constantly evolving and have become increasingly complex and sophisticated. It is difficult to detect, investigate, and remediate cyber-attacks quickly and attacks often are not recognized or detected until after they have been launched against a target. We expect that unauthorized parties will continue to attempt to gain access to or disrupt our IT systems or facilities through various means, including hacking into IT Systems or facilities or those of our customers or vendors, installing malware (including ransomware) or attempting to fraudulently induce (for example, through spear phishing attacks or social engineering) our employees, customers, vendors, or other users of IT Systems into disclosing access credentials or other sensitive information to access our IT Systems. Numerous and evolving cybersecurity risks, including from diverse threat actors, such as state-sponsored organizations, opportunistic hackers and hacktivists, as well as through diverse attack vectors, such as advanced cyberattacks, phishing, social engineering schemes, malware (including ransomware), malfeasance by insiders, human or technological error, and as a result of bugs, misconfigurations, or exploited vulnerabilities in software or hardware, could threaten the confidentiality, availability, and integrity of Confidential Information and our IT systems. Efforts by us, our customers, our vendors and other users of our IT Systems to prevent, detect, and respond to data security incidents cannot guarantee protection due to attackers increasingly using tools and techniques that are designed to circumvent controls, to avoid detection, and to remove or obfuscate forensic evidence. There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls, or procedures, will be fully implemented, complied with or effective in protecting our IT Systems and Confidential Information. Our IT Systems are vulnerable to cyberattacks and security breaches involving our customers' or our employees' Confidential Information, including personal or proprietary information, that is stored on or accessible through those systems. We have experienced and expect to continue to experience in the future, cyberattacks as well as breaches of our security measures due to human error, malfeasance, system errors or vulnerabilities, or other irregularities. In the past, for example, one of our vendors providing IT infrastructure management software was compromised by cyberattacks. We are also regularly exposed to vulnerabilities in widely deployed third-party software that we use in the ordinary course of business, such as the Log4J vulnerability. Moreover, given the nature of complex software and services like ours, and the scanning tools that we deploy across our networks, infrastructure, and products, we regularly identify and track security vulnerabilities. We are unable to comprehensively apply patches or confirm that measures are in place to mitigate all such vulnerabilities, or that patches will be applied before vulnerabilities are exploited by a threat actor. While these cyberattacks and vulnerabilities have not had a material adverse effect on our operations, they and similar incidents require us to devote time and resources to monitoring and remediation on a regular basis, and there can be no guarantee that future attacks or incidents will not be material. In the past three years, we have not experienced a material cybersecurity incident, but any actual or perceived cybersecurity incidents or breaches of our security could result in any or all of the following, among other things, any of which could adversely affect our business and results of operations: - Interruption of our operations;- Unavailability of our systems or services;- Improper disclosures of data;- Improper payments;- Harm to our reputation and brands;- Regulatory scrutiny, enforcement actions, legal proceedings and claims, (including class action lawsuits), and other legal and financial exposure;- Remediation, system restoration, incident response, and compliance costs;- Loss of customer confidence in, or decreased use of, our products and services;- Diversion of the attention of management from the operation of our business; and - Contractual penalties or other payments as a result of third-party losses or claims. In addition, any cyberattacks or data security breaches affecting companies that we acquire and/or that provide us services (including data center and cloud computing providers) could materially impact our business. Further, we may not be able to recover any or all damages suffered as a result of security breaches or other security incidents from such third-party providers. The coverage under our insurance policies for cybersecurity and related issues may not be adequate to reimburse us for losses caused by cyberattacks or other security incidents or be available on economically reasonable terms or at all.

New tax laws or regulations, or changes in existing laws or regulations, or the manner of their interpretation or enforcement, could increase our cost of doing business. In addition, from time to time, U.S. and foreign tax authorities, including state and local governments, consider legislation that could increase our effective tax rate. Further, the Organization for Economic Co-operation and Development has a framework to implement a global minimum corporate tax of 15% for companies with global revenues and profits above certain thresholds (referred to as Pillar 2), with certain aspects of Pillar 2 effective January 1, 2024 and other aspects effective January 1, 2025. While it is uncertain whether the U.S. will enact legislation to adopt Pillar 2, certain countries in which we operate have adopted legislation, and other countries are in the process of introducing legislation to implement Pillar 2. Although we do not expect Pillar 2 to have a material impact on our effective tax rate or our consolidated results of operations, financial position, and cash flows at this time, certain implementation details have yet to be developed, and the enactment of certain of these changes has not yet taken effect in all jurisdictions in which we operate. As a result, these changes may have adverse consequences for us, may increase our compliance costs, and may increase the amount of tax we are required to pay in certain jurisdictions.

If we are unable to compete successfully against our existing or future competitors, our business, results of operations, or financial condition could be adversely affected. Our existing or future competitors may have greater name recognition, larger customer bases, better technology or data, lower prices, easier access to data, greater user traffic or greater financial, technical, or marketing resources than we have to provide services that users might view as superior to our offerings. Competition in these markets may increase if economic conditions or other circumstances cause customer bases and customer spending to decrease and service providers to compete for fewer customer resources. Competitors may introduce different solutions that attract users away from our services or provide solutions similar to ours that have the advantage of better branding or marketing resources. Our competitors may be able to undertake more effective marketing campaigns, obtain more data, adopt more aggressive pricing policies, make more attractive offers to potential employees, subscribers, advertisers, distribution partners, and content providers, or may be able to respond more quickly to new or emerging technologies or changes in user requirements. Increased competition could result in lower revenues and higher expenses, which would reduce our profitability. Also, we compete to attract advertisers. To compete successfully for advertisers, we must continue to invest resources in developing our advertising platform and proving the effectiveness and relevance of our advertising services. Pressure from competitors seeking to acquire a greater share of our advertisers' overall marketing budget could adversely affect our pricing and margins, lower our revenue, and increase our research and development and marketing expenses.

We rely heavily on our brands, which we believe are key assets of our company. Awareness and differentiation of our brands are important for attracting and expanding the number of users of, and subscribers to, our online marketplaces, such as the LoopNet Network, the Apartments.com Network, the Homes.com and OnTheMarket residential marketplaces, and the Land.com Network. We continue to invest significantly in sales and marketing as we seek to grow the numbers of users of, subscribers to and advertisers on, our marketplaces. Our methods of advertising may not be successful in increasing brand awareness or, ultimately, be cost-effective. If we are unable to maintain or enhance user and advertiser awareness of our brands, or if we are unable to recover our marketing and advertising costs through increased usage of our services and increased advertising on our websites, our business, results of operations, and financial condition could be adversely affected.

Our ability to attract agents and consumers to Homes.com, its websites, and mobile applications, and other residential real estate tools depends, to some degree, on us providing timely access to comprehensive and accurate real estate listings and information. We get listings data primarily from MLSs in the markets we serve. We also source listings data from public records, other third-party listing providers, and other sources. Many of our agreements with real estate listing providers may be terminated with limited notice or cause. Many of our competitors and other real estate websites have similar access to MLSs and listing data and may be able to source certain real estate information faster or more efficiently than we can. Because MLS participation is voluntary, brokers and homeowners may decline to post their listings data to their local MLS or may seek to change or limit the way that data is distributed. Another industry participant or group could create a new listings data service, which could impact the relative quality or quantity of information of our listing providers. The loss of existing relationships with MLSs and other listing providers, whether due to termination of agreements, loss of MLS memberships, or otherwise, changes to our rights to use or timely access listing data or an inability to continue to add new listing providers or changes to the way real estate information is shared, may negatively impact our listing data quality and our ability to maintain stable data feeds. Data feeds could also be disrupted as a result of class action lawsuits, settlements, or governmental investigations involving the MLSs or other industry organizations, regardless of whether we are involved. This could markedly decrease the quantity and quality of the sale and rental data we provide, reduce customer confidence in our products and services, and cause customers to go elsewhere for real estate listings and information, which could severely harm our business, results of operations, and financial condition.

In December 2021, we announced our plans to expand our research and technology center in Richmond, Virginia. These plans have required and will continue to require significant capital expenditures over the next several years and our business plans may change. Future changes in growth or fluctuations in cash flow may also negatively impact our ability to finance this project. Additionally, actual capital expenditures could vary materially from our projected capital expenditures, which could negatively impact our business, operating results, and financial condition. If we are provided with any grants, tax credits, abatements, or other incentives related to this expansion effort and do not meet requirements associated with those incentives, we may not be able to benefit from those incentives, which could cause the cost of the project to be significantly more than anticipated or significantly increase our taxes above what we currently expect. To date, we have financed construction with cash on hand and plan to finance the remainder of construction in the same way. Use of cash on hand to finance construction has and will continue to reduce the amount of cash available for other corporate uses and could also reduce our ability to meet our scheduled debt service obligations or to meet the covenants required to borrow additional funds under our 2024 Credit Agreement. Any of the foregoing may adversely affect our financial position and results of operations.

Global economic uncertainties or downturns could adversely affect our business and results of operations, including financial and credit market fluctuations, changes in economic policy, elevated inflation and responsive actions, elevated interest rates, labor shortages, supply chain disruptions, trade uncertainty, political unrest, geographical instability, unanticipated disasters or global health events, or other impacts from the macroeconomic environment. These macroeconomic conditions could cause a decrease in customer spending and negatively affect the rate of growth of our business. The real estate market may be adversely impacted by many different factors, including lower than expected job growth or job losses resulting in reduced real estate demand; reduced real estate demand due to continued remote work policies or a period of or rising elevated interest rates, elevated inflation, slowing transaction volumes, and other macroeconomic trends that negatively impact investment returns; excessive speculative new construction in localized markets resulting in increased vacancy rates and diminished rent growth; unanticipated disasters or global health events; and other adverse events such as decreased growth in the working age population resulting in reduced demand for all types of real estate. A downturn in the real estate market, including as a result of increased interest rates or a decline in leasing activity and absorption rates may affect our ability to generate revenues and may lead to more cancellations by our current or future customers, either of which could cause our revenues or our revenue growth rate to decline and reduce our profitability. A depressed real estate market has a negative impact on our core customer base, which could decrease demand for our online marketplaces, information, and analytics. Also, companies in this industry may consolidate, often in order to reduce expenses. Consolidation, or other cost-cutting measures by our customers, may lead to cancellations of our online marketplace services, information, and analytics by our customers, reduce the number of our existing clients, reduce the size of our target market, or increase our clients' bargaining power, all of which could cause our revenues to decline and reduce our profitability. If cancellations, reductions of services, and failures to pay increase, and we are unable to offset the resulting decrease in revenues by increasing sales to new or existing customers, our revenues may decline or grow at lower rates.

Our international operations and expansion subject us to additional business risks, including: currency exchange rate fluctuations; difficulty in adapting to the differing business practices and laws in foreign countries, including differing laws regarding privacy and data protection; difficulty in managing foreign operations; limited protection for intellectual property rights in some countries; difficulty in collecting accounts receivable and longer collection periods; costs of enforcing contractual obligations; impact of recessions in economies outside the U.S.; geopolitical instability, terrorism, and war; and potentially adverse tax consequences. In addition, international expansion imposes additional burdens on our executive and administrative personnel, systems development, research, and sales departments, and general managerial resources. If we are not able to manage our international operations successfully, we may incur higher expenses and our profitability may be reduced. Finally, the investment required for additional international expansion sometimes exceeds the profit generated from such expansion, which reduces our profitability and may adversely affect our financial position.

Natural disasters, disease outbreaks and pandemics, power shortages, terrorism, political unrest, telecommunications failure, vandalism, geopolitical instability, war, climate related events, and other events beyond our control could negatively impact our operations or otherwise harm our business. Such events may result in damage or loss of service to our data centers or other infrastructure that our operations rely on, potentially reduce the attractiveness of real estate in areas we provide services, cause delays in product development or availability, or result in losses of critical data, any of which may adversely impact our operations. In addition, the impacts of climate-related events on the global economy and our industry are rapidly evolving. Physical impacts of climate related events (including, but not limited to, floods, droughts, more frequent and/or intense storms, and wildfires) may disrupt our operations, as well as the operations of our suppliers and customers. Longer-term physical impacts may also result in changing consumer preferences, which may adversely impact demand for certain of our products. Transition impacts of climate-related events can also subject us to increased regulations, reporting requirements (such as the State of California disclosure rules and the European Union's Corporate Sustainability Reporting Directive), standards, or expectations regarding the environmental and/or social impacts, risks, and opportunities of our business. Failure to disclose accurate information in a timely manner may also adversely affect our reputation, business, or financial performance.

A portion of our business is denominated in foreign currencies. We translate sales and other results denominated in foreign currency into U.S. dollars for our financial statements. During periods of a strengthening U.S. dollar, our reported international sales and earnings could be reduced because foreign currencies may translate into fewer U.S. dollars. Foreign currency exchange rates have fluctuated and may continue to fluctuate. Significant foreign currency exchange rate fluctuations may negatively impact our international revenue, which in turn affects our consolidated revenue. Currently, we are not party to any hedging transactions intended to reduce our exposure to exchange rate fluctuations. We may seek to enter into hedging transactions in the future, but we may be unable to enter into these transactions successfully, on acceptable terms or at all. We cannot predict whether we will incur foreign exchange losses in the future. Further, significant foreign exchange rate fluctuations resulting in a decline in the respective local currency may decrease the value of our foreign assets, as well as decrease our revenues and earnings from our foreign subsidiaries, which would reduce our profitability and adversely affect our financial position.