Evertec (EVTC) Risk Analysis

Our trademarks, proprietary software, and other intellectual property, including technology/software licenses, are important to our future success. Limitations or restrictions on our ability to use such marks or a diminution in the perceived quality associated therewith could have an adverse impact on the growth of our businesses. It is possible that others will independently develop the same or similar software or technology, which would permit them to compete with us more efficiently. Unauthorized parties may attempt to copy or misappropriate certain aspects of our services, infringe upon our rights, or to obtain and use information that we regard as proprietary. Policing such unauthorized use of our proprietary rights is often very difficult and, therefore, we are unable to guarantee that the steps we have taken will prevent misappropriation of our proprietary software/technology or that the agreements entered into for that purpose will be effective or enforceable in all instances. Misappropriation of our intellectual property or potential litigation concerning such matters could have a material adverse effect on our results of operations or financial condition. Our registrations and/or applications for trademarks, copyrights, and patents could be challenged, invalidated, or circumvented by others and may not be of sufficient scope or strength to provide us with maximum protection or meaningful advantage. Managing any such challenges, even if they lack merit, could: (i) be expensive and time-consuming to defend; (ii) cause us to cease making, licensing, or using software or applications that incorporate the challenged intellectual property; (iii) require us to redesign our software or applications, if feasible; (iv) divert management's attention and resources; and (v) require us to enter into royalty or licensing agreements in order to obtain the right to use necessary technologies. The laws of certain foreign countries in which we do business or contemplate doing business in the future may not protect intellectual property rights to the same extent as do the laws of the United States or Puerto Rico. Adverse determinations in judicial or administrative proceedings related to intellectual property or licenses could prevent us from selling our services and products or prevent us from preventing others from selling competing services, impose liability costs on us, or result in a non-favorable settlement, all of which could result in a material adverse effect on our business, financial condition and results of operations.

We rely on computer systems, hardware, software, technology infrastructure, and online sites for both internal and external operations that are critical to our business (collectively, "IT Systems"). For example, we use our IT Systems to connect with our clients, business partners, people, and others. We own and manage some of these IT Systems, but also rely on third parties for a range of IT Systems and related products and services, including but not limited to cloud computing services. We and certain of our third-party providers also collect, store, transfer, process, and use business, personal, and financial data about our own business, clients, employees, business partners, and others, including information about individuals and proprietary information belonging to our business such as trade secrets. We face numerous and evolving cybersecurity risks that threaten the confidentiality, integrity, and availability of our IT Systems and data. These cybersecurity risks may arise from diverse threat actors, such as state-sponsored organizations and opportunistic hackers and hacktivists, as well as through diverse attack vectors, such as social engineering/phishing, malware (including ransomware), malfeasance by insiders, human or technological error, and as a result of malicious code embedded in open-source software, or misconfigurations, "bugs" or other vulnerabilities in commercial software that is integrated into our (or our suppliers' or service providers') IT Systems, products or services. Additionally, hardware, applications, or services that we develop or procure from third parties may contain defects in design or manufacture or other problems that could compromise the confidentiality, integrity, or availability of our data or IT Systems. Given the nature of complex systems, software and services like ours and the scanning tools that we deploy, we regularly identify and track security vulnerabilities. We are unable to comprehensively apply patches or mitigating measures for all vulnerabilities at all times or guarantee that patches will be applied before vulnerabilities can be exploited by a threat actor. Cybersecurity threats and attacks, including computer viruses, malware, hacking, ransomware or other destructive or disruptive software, are constantly evolving and pose a risk to our IT Systems and data. Cybersecurity attacks are expected to accelerate on a global basis in frequency and magnitude as threat actors are becoming increasingly sophisticated in using techniques and tools - including artificial intelligence - that circumvent security controls, evade detection, and remove forensic evidence. As a result, we may be unable to detect, investigate, remediate, or recover from future attacks or incidents, or to avoid a material adverse impact to our IT Systems, data, or business. There can also be no assurance that our cybersecurity risk management program and processes, including our policies, controls, or procedures, will be fully implemented, complied with, or effective in protecting our IT Systems and data, and our systems and processes may be unable to prevent material security breaches. Security breaches, improper use of our systems, and unauthorized access to our data and information by employees and others pose a risk that data may be exposed to unauthorized persons or to the public. Such occurrences could adversely affect our business, results of operations, financial position, and reputation, and could result in litigation (including class actions) or regulatory investigations or enforcement actions. We make extensive use of third-party service providers, including providers that store, transmit and process data. These third-party service providers are also subject to malicious attacks and cybersecurity threats that could adversely affect our business, results of operations, financial condition, and reputation. In addition, because our services are connected to or integrated with some of our customers' systems, the circumvention or failure of our cybersecurity defenses or measures could compromise the confidentiality, integrity, and availability of our customers' own IT Systems and sensitive information. Many of our services are based on sophisticated software, technology, computing systems, and other IT Systems, and we may encounter delays when developing new technology solutions and services. We and our third-party providers regularly experience cyberattacks and other incidents, and we expect such attacks and incidents to continue in varying degrees. In particular, we have experienced actual and attempted cyber-attacks of our IT Systems, such as through phishing scams, ransomware, exploitation of vulnerabilities in our IT Systems, and other methods of attack. Even though some of these attacks have been successful, none of these actual or attempted cyber-attacks has had a material adverse impact on our operations or financial condition but we cannot guarantee that material incidents will not occur in the future. The IT Systems underlying our services have occasionally contained, and may in the future contain, undetected errors or defects when first introduced or when new versions are released. We may experience difficulties in installing or integrating our IT Systems on platforms used by our customers. For example, in 2024, we identified a cybersecurity incident that exploited a third-party software vulnerability and resulted in unauthorized access to our IT systems that were utilized for servicing certain of our customers. We immediately activated our incident response plan and enlisted the support of third-party cybersecurity forensic experts to assist our team with the investigation. There was no impact on our operations due to the incident, which was swiftly contained and remediated following its detection without any material adverse effect on our operations or financial condition. Our businesses are dependent on our ability to reliably process, record and monitor a large number of transactions. We settle funds on behalf of financial institutions, other businesses and consumers and process funds transactions from clients, card issuers, payment networks and consumers on a daily basis for a variety of transaction types. Transactions facilitated by us include debit card, credit card, electronic bill payment transactions, ACH payments, electronic benefits transfer ("EBT") transactions and check clearing that supports consumers, financial institutions, and other businesses. These payment activities rely upon technology infrastructure that facilitates the verification of activity with counterparties, the facilitation of the payment and, in some cases, the detection or prevention of fraudulent payments. If any of our financial, accounting, or other data processing systems or applications or other IT Systems fail or experience other significant shortcomings, our ability to serve our clients and accordingly our results of operations could be materially adversely affected. Such failures or shortcomings could be the result of events that are beyond our control, which may include, for example, computer viruses, fires, electrical or telecommunications outages, natural disasters, future disease pandemics or other public health crisis, terrorist acts, political instability, or other unanticipated damage to property or physical assets. Certain of these events may become more frequent or intense as a result of climate change or other environmental or social pressures. For more information, see our risk factor titled "Our operations, business, customers and partners could be adversely affected by climate change or other environmental or social pressures". Any such shortcoming could also damage our reputation, require us to expend significant resources to correct the defect, and may result in liability to third parties, especially since some of our contractual agreements with financial institutions require the crediting of certain fees if our systems do not meet certain specified service levels. There is also a risk that we may lose critical data or experience IT System failures. We perform the vast majority of disaster recovery operations ourselves, though we utilize select third parties for some aspects of recovery. To the extent we outsource our disaster recovery, we are at risk of the vendor's unresponsiveness in the event of breakdowns in our IT Systems. Our property, business interruption, and cybersecurity insurance may not be adequate to compensate us for all losses or failures that may occur. We are similarly dependent on our employees to maintain our IT Systems. Our operations could be materially adversely affected if one or more employees cause a significant operational breakdown or failure, either intentionally or as a result of human error. Suppliers and third parties with which we do business could also be sources of operational risk to us, including relating to breakdowns or failures of such parties' own systems or employees. Any of these occurrences could diminish our ability to operate one or more of our businesses, or result in potential liability to clients, reputational damage and regulatory intervention or fines, any of which could materially adversely affect our financial condition or results of operations.

Our business is subject to the laws, rules, regulations, and policies in the jurisdictions in which we operate, as well as the legal interpretation of such regulations by administrative bodies and the judiciary of those jurisdictions. The expansion of our business may also result in increased regulatory oversight and enforcement, as well as any claims by regulatory agencies and courts that we are required to obtain licenses to engage in certain business activity. Enforcement of, failure, or perceived failure to comply with laws, rules, regulations, policies, or licensing requirements could result in criminal or civil lawsuits, penalties, fines, regulatory investigations, forfeiture of significant assets, an outright or partial restriction on our operations, enforcement in one or more jurisdictions, additional compliance and licensure requirements, reputational damage and force us to change the way we or our users do business. Any changes in our or our users' business methods could increase cost or reduce revenue. The laws, rules, regulations, and policies in the markets in which we operate include, but are not limited to, privacy and user data protection, banking, money transmission, antitrust, anti-money laundering and the export, re-export, and re-transfer abroad of covered items. In addition, our operations in most of the countries where we operate are subject to risks related to compliance with the U.S. Foreign Corrupt Practices Act and other applicable U.S. and other local laws prohibiting corrupt payments to government officials and other third parties. Privacy and Data Protection Our business relies on the processing of data in multiple jurisdictions and the movement of data across national borders. Legal requirements relating to the collection, storage, handling, use, disclosure, transfer, and security of personal data continues to evolve, and regulatory scrutiny in this area is increasing around the world. Significant uncertainty exists as privacy and data protection laws may differ from country to country and may create inconsistent or conflicting requirements. Our ongoing efforts to comply with privacy, cybersecurity, and data protection laws may entail expenses, may divert resources from other initiatives and projects, and could limit the service we are able to offer. Enforcement actions and investigations by regulatory authorities related to data security incidents and privacy actions or investigations could damage our reputation and impact us through increased costs or restrictions on our business, and noncompliance could result in regulatory penalties and significant legal liability. Although we make reasonable efforts to comply with all applicable data protection laws and regulations, our interpretations and efforts may have been or may prove to be insufficient or incorrect. We also make public statements about our use and disclosure of personal information through our privacy policy, information provided on our website and other public statements. Although we endeavor to ensure that our public statements are complete, accurate and fully implemented, we may at times fail to do so or be alleged to have failed to do so. We may be subject to potential regulatory or other legal action if such policies or statements are found to be deceptive, unfair or misrepresentative of our actual practices. In addition, from time to time, concerns may be expressed about whether our products and services compromise the privacy of our customers and others. Any concerns about our data privacy and security practices (even if unfounded), or any failure, real or perceived, by us to comply with our posted privacy policies or with any legal or regulatory requirements, standards, certifications or orders or other privacy or consumer protection-related laws and regulations applicable to us, could cause our customers, riders and users to reduce their use of our products and services. Banking In general, financial institution regulators require their supervised institutions to cause their service providers to agree to certain terms and to agree to supervision and oversight by applicable financial regulators, primarily to protect the safety and soundness of the financial institution. We have agreed to such terms and provisions in many of our service agreements with financial institutions. We and our customers are also generally subject to U.S. federal, Puerto Rico and other countries' laws, rules and regulations that affect the electronic payments industry, including with respect to activities in the countries where we operate and due to our relationship with customers that are subject to banking and financial regulation, including Popular. Regulation of the electronic payment card industry has increased significantly in recent years. There is also continued scrutiny by the U.S. Congress of the manner in which payment card networks and card issuers set various fees. Banking regulators have been strengthening their examination guidelines with respect to relationships between banks and their third-party service providers, such as us. Any such heightened supervision of our relationship with our banking and financial services customers, including Popular, could have an effect on our contractual relationship with our customers as well as on the standards applied in the evaluation of our services. See "Part I, Item 1. Business- Government Regulation and Payment Network Rules- Regulatory Reform and Other Legislative Initiatives." Export We are also subject to the Export Administration Regulations ("EAR"), which regulates the export, re-export and re-transfer abroad of covered items made or originating in the United States as well as the transfer of covered U.S.-origin technology abroad. There can be no assurance that we have not violated the EAR in past transactions or that our new policies and procedures will prevent us from violating the EAR in every transaction in which we engage. Any such violations of the EAR could result in fines, penalties or other sanctions being imposed on us, which could negatively affect our business, results of operations and financial condition. Some financial institutions refuse, even in the absence of a regulatory requirement, to provide services to companies operating in certain countries or engaging in certain practices because of concerns that the compliance efforts perceived to be necessary may outweigh the usefulness of the service relationship. Our operations outside the United States make it more likely that financial institutions may refuse to conduct business with us for this type of reason. Any such refusal could negatively affect our business, results of operations and financial condition. We and our subsidiaries conduct business with financial institutions and/or card payment networks operating in countries whose nationals, including some of our customers, engage in transactions in countries that are the target of U.S. economic sanctions and embargoes, including Cuba. As a U.S.-based entity, we and our subsidiaries are obligated to comply with the economic sanctions regulations administered by OFAC. These regulations prohibit U.S.-based entities from entering into or facilitating unlicensed transactions with, for the benefit of, or in some cases involving the property and property interests of, persons, governments, or countries designated by the U.S. government under one or more sanctions regimes. Various state and municipal governments, universities and other investors maintain prohibitions or restrictions on investments in companies that do business involving sanctioned countries or entities. Because we process transactions on behalf of financial institutions through the payment networks, we have processed a limited number of transactions potentially involving sanctioned countries and there can be no assurances that, in the future, we will not inadvertently process such transactions. Due to a variety of factors, including technical failures and limitations of our transaction screening process, conflicts between U.S. and local laws, political or other concerns in certain countries in which we and our subsidiaries operate, and/or failures in our ability to effectively control employees operating in certain non-U.S. subsidiaries, we have not rejected every transaction originating from or otherwise involving sanctioned countries, or persons and there can be no assurances that, in the future, we will not inadvertently fail to reject such transactions. Antitrust Due to our ownership of the ATH network and our merchant acquiring and payment services business in Puerto Rico, we are involved in a significant percentage of the debit and credit card transactions conducted in Puerto Rico each day. We have in the past been subject to regulatory investigations and any future regulatory scrutiny of, or regulatory enforcement action in connection with, compliance with U.S. state and federal antitrust requirements could potentially have a material adverse effect on our reputation and business. In addition, we are subject to applicable antitrust requirements in each of the countries in which we operate. All of these laws and requirements may affect potential acquisitions in the relevant jurisdictions. ESG Regulatory Developments The recent emphasis on environmental, social and other sustainability matters has resulted and may continue to result in the adoption of new laws and regulations, including new reporting requirements. For example, various policymakers have adopted (or are considering adopting) requirements for the disclosure of certain climate-related information or other environmental, social and governance ("ESG") disclosures. Compliance with environmental, social and other sustainability laws, regulations, expectations or reporting requirements may result in increased compliance costs, as well as additional scrutiny. It is possible that other types of environmental and social regulations, for example regulations regarding the use of energy or water or regulations regarding human capital management matters, may also result in increased costs. Moreover, such requirements are not uniform across jurisdictions, and may be inconsistently applied or enforced in any given jurisdiction, which can increase the complexity and cost of compliance, and increase the risk of enforcement or litigation relating to our ESG disclosures and initiatives. If we fail to comply with new laws, regulations, expectations or reporting requirements, or if we are perceived as failing, our reputation and business could be adversely impacted. Any reputational damage associated with ESG factors may also adversely impact our ability to recruit and retain employees and customers.

EVERTEC Group has a tax exemption grant under the Tax Incentive Act No. 73 of 2008 from the Government of Puerto Rico. Under this grant, EVERTEC Group will benefit from a preferential income tax rate of 4% on industrial development income, as well as from tax exemptions with respect to its municipal and property tax obligations for certain activities derived from its data processing operations in Puerto Rico. The grant has a term of 15 years effective as of January 1, 2012 with respect to income tax obligations and July 1, 2013 and January 1, 2013 with respect to municipal and property tax obligations, respectively. The grant contains customary commitments, conditions, and representations that EVERTEC Group is required to comply with in order to maintain the grant. The more significant commitments include: (i) maintaining at least 750 employees in EVERTEC Group's Puerto Rico data processing operations during 2012 and at least 700 employees for the remaining years of the grant, (ii) investing at least $200.0 million in building, machinery, equipment or computer programs to be used in Puerto Rico during the effective term of the grant (to be made over four year capital investment cycles in $50.0 million increments), (iii) an additional best efforts capital investments requirement of $75.0 million by December 31, 2026 (to be made over four year capital investment cycles in $20.0 million the first three increments and $15.0 million the last increment); and (iv) 80% of EVERTEC Group employees must be residents of Puerto Rico. Failure to meet the requirements could result, among other things, in reductions in the benefits of the grant, tax penalties, other payment obligations or revocation of the grant in its entirety, which could have a material adverse effect on our financial condition and results of operations.

While we are not a direct-to-consumer business, we do collect, process, store, use and share personal data of our employees and business partners, which is governed by a variety of U.S. federal and state and foreign laws and regulations. Laws and regulations relating to data privacy and security are complex and rapidly evolving and subject to potentially differing interpretations. These requirements may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another or may conflict with other rules or our practices. As we seek to expand our business, we are, and may increasingly become, subject to various laws, regulations, standards, and contractual obligations relating to data privacy and security in the jurisdictions in which we operate. Certain states in the United States and most countries where we conduct our business have adopted privacy and security laws that may apply to our business. These laws generally require companies to implement specific privacy and information security controls and legal protections to protect certain types of personal information and to collect or use it subject to disclosures. Additional compliance investment and potential business process changes may continue to be required as these laws and others go into effect. Further, in order to comply with the varying state laws around data breaches, we must maintain adequate security measures, which require significant investments in resources and ongoing attention. Additionally, our customers and business partners are imposing more stringent obligations on us in the form of contracts regarding privacy and information security. Laws, rules and regulations relating to privacy and data security are, in some cases, relatively new and the interpretation and application of these laws are uncertain. Despite our efforts, our practices may not comply, now or in the future, with all such laws, regulations, requirements, and obligations. Any failure, or perceived failure, by us to comply with our posted privacy and security-related policies or with any current or future federal or state data privacy or security-related laws, regulations, regulatory guidance, orders, or other legal obligations relating to privacy or security could adversely affect our reputation, brand and business, and may result in claims, proceedings, or actions against us by governmental entities, expose us to liabilities, or require us to change our operations and/or cease using certain data sets, and may otherwise adversely affect our financial condition and operating results. We have historically been and may continue in the future to be contractually required to indemnify and hold harmless third parties from the costs or consequences of non-compliance with any laws, regulations, or other legal obligations relating to privacy or security or any inadvertent or unauthorized use or disclosure of data that we store or handle as part of operating our business, which could result in a material adverse effect on our business.

For the year ended December 31, 2024, approximately 31% of our revenue was attributable to Banco Popular, a wholly-owned subsidiary of Popular. The A&R MSA by and among Popular, Banco Popular de Puerto Rico and EVERTEC Group, is our most significant client contract, and was amended and restated to include a term ending in 2028. If Popular were to terminate or fail to make required payments under the A&R MSA, or our other material agreements with Popular, our revenues could be materially reduced and our profitability and cash flows could also be materially reduced, all of which would have a material adverse impact on our financial condition and results of operations.

For the years ended December 31, 2024 and 2023, approximately 64% and 73%, respectively, of our total revenues were generated from our operations in Puerto Rico. Some revenues that are generated from our operations outside Puerto Rico are dependent upon our operations in Puerto Rico. As a result, our financial condition and results of operations are highly dependent on the economic and political conditions in Puerto Rico, and could be significantly impacted by adverse economic or political developments in Puerto Rico, including adverse effects on the trading price of our common stock, our customer base, general consumer spending and the timeliness of the government's payments, thus increasing our government accounts receivable, and potentially impairing the collectability of those accounts receivable. As of December 31, 2024, we had net receivables of $10.7 million from the Government and certain public corporations.