Genius Sports Limited (GENI) Risk Analysis

Doing business on a worldwide basis requires us to comply with anti-corruption laws and regulations imposed by governments around the world with jurisdiction over our operations, which may include the UK Bribery Act 2010 ("UK Bribery Act"), the US Foreign Corrupt Practices Act ("FCPA"), the Prevention of Corruption (Bailiwick of Guernsey) Law, 2003 (as amended) (the "Guernsey Bribery Law"), as well as the laws of the other countries where we do business. These laws and regulations may restrict our operations, trade practices, investment decisions and partnering activities. The FCPA, the Guernsey Bribery Law, the UK Bribery Act and other applicable laws prohibit us and our officers, directors, employees and business partners acting on our behalf, including agents, from corruptly offering, promising, authorizing or providing anything of value to "foreign officials" for the purposes of influencing official decisions or obtaining or retaining business or otherwise obtaining favorable treatment. The UK Bribery Act also prohibits "commercial" bribery or the appearance of such bribery. We are subject to the jurisdiction of various governments and regulatory agencies around the world, which may bring our personnel and representatives into contact with "foreign officials" responsible for issuing or renewing permits, licenses or approvals or for enforcing other governmental regulations. We are further required to implement various processes around conflicts of interest and related party transactions in order to comply with our obligations under the UK Bribery Act and regulations relating to our listing as a public company. These procedures and processes must be maintained and overseen in various jurisdictions, and even still may not be sufficient to prevent a violation. A violation in our procedures and policies could result in regulatory fines, litigation, risks to the rights of shareholders with respect to a violation of listing rules and disclosures, and public relations risks; all of which could affect our reputation and results of operations. Additionally, the costs, resourcing and impact of compliance may continue as additional requirements are imposed by various regulators. These additional measures may affect our operating costs or financial results. In addition, some of the international locations in which we operate lack a developed legal system and have elevated levels of corruption. Our international operations expose us to the risk of violating, or being accused of violating, anti-corruption laws and regulations. Our failure to successfully comply with these laws and regulations may expose us to reputational harm, as well as significant sanctions, including criminal fines, imprisonment, civil penalties, disgorgement of profits, injunctions, and debarment from government contracts, as well as other remedial measures. Investigations of alleged violations can be expensive and disruptive. We are continuously developing and maintaining policies and procedures designed to comply with applicable anti-corruption laws and regulations. However, there can be no guarantee that our policies and procedures will effectively prevent violations by our employees or business partners acting on our behalf, including statisticians who attend events on our behalf, for which we may be held responsible, and any such violation could adversely affect our reputation, business, financial condition, and results of operations.

Our reputation and the strength of our brand are key competitive strengths. To the extent that the sports and sports betting industry as a whole or Genius, relative to its competitors, suffers a loss in credibility, our business will be significantly impacted. Factors that could potentially have an impact in this regard include fraud, corruption or negligence related to sports events, including as a result of match fixing, or by our employees or contracted statisticians collecting data, streaming or other properties on behalf of Genius or third parties. Operational errors, whether by us or our competitors, could also harm the reputation of Genius or the sports data, streaming, sports betting, online gaming and sports marketing industries. Damage to reputation and credibility could have a material adverse impact on our business, financial condition and results of operations.

In the ordinary course of business, we collect, store, use and transmit certain types of information that are subject to different laws and regulations. In particular, data security and data protection laws and regulations relating to personal and consumer information that we are subject to often vary significantly by jurisdiction. Our media business is particularly impacted by such data security and data protection laws and regulations as the business targets end consumers of gambling services. For example, the EU-wide General Data Protection Regulation ("GDPR") became applicable on May 25, 2018, replacing the data protection laws of each EU member state. The GDPR implemented more stringent operational requirements for processors and controllers of personal data, including, for example, expanded disclosures about what and how personal information is to be used, limitations on retention of information, increased requirements to erase an individual's information upon request, mandatory data breach notification requirements and higher standards for data controllers to demonstrate that they have obtained valid consent from individuals to process their personal data (or reliance on another appropriate legal basis) for certain data processing activities. It also significantly increased penalties for noncompliance, including where we act as a data processor. Notwithstanding Brexit, largely identical requirements apply under the equivalent legislation in the UK (the "UK GDPR"). We have executed intracompany Standard Contractual Clauses ("SCCs") and International Data Transfer Agreements ("IDTAs") which are currently in compliance with the GDPR and the UK GDPR to allow for the transfer of personal data from the EU and from the UK to other non-adequate jurisdictions and continue to execute SCCs and IDTAs with respect to newly acquired contracts. Data security and data protection laws and regulations are continuously evolving. There have been a number of legal challenges to the validity of EU, UK and Swiss mechanisms for adequate data transfers such as the SCCs, and our work could be impacted by changes in law as a result of a future review of these transfer mechanisms by European regulators under the GDPR, as well as current challenges to these mechanisms in the European courts. Brexit requires the Company to take additional steps with respect to the selection of a supervisory authority in an EU member state despite our operational head office location in the UK. Additionally, we are also subject to the Data Protection (Bailiwick of Guernsey) Law, 2017 (as amended) (the "Guernsey DP Law"), which largely follows GDPR and requires us to control and process personal data only for proper purposes and in accordance with statutory data protection principles, and the Data Protection Law of Colombia, which requires the consent of the user to their data being transmitted outside of Colombia. In recent years, US federal and state and European lawmakers and regulators have expressed concern over electronic marketing and the use of third-party cookies, web beacons and similar technology for online behavioral advertising. In the EU/UK, marketing is defined broadly to include any promotional material and the rules specifically on e-marketing are currently set out in the ePrivacy Directive which will be replaced by a new ePrivacy Regulation. While no official time frame has been given for the ePrivacy Regulation, there will be a transition period after the ePrivacy Regulation is agreed for compliance. On June 20, 2020, the ICO published a report setting out its views on advertising technology, specifically the use of personal data in "real time bidding" , and the key privacy compliance challenges arising from it. In its report, which is a status update rather than formal guidance, several key deficiencies are noted and marked for formal regulatory action in December 2020. US federal and state and European consumer protection laws, rules and regulations cover nearly all aspects of our electronic marketing efforts, including the use of cookies and similar technologies. The nature of our business requires us to expend significant resources to try to ensure that our electronic marketing activities comply with consumer protection laws, including laws relating to the use of third-party cookies and similar technologies. These efforts may not be successful, and we may have to expend even greater resources in our compliance efforts. Additionally, our ability to deliver digital marketing services as part of our business may be adversely impacted by the deprecation of third party cookies. Modifications to consumer protection and consumer privacy laws, including proposed laws by US federal and state and European lawmakers, regarding privacy and data protection, could have an adverse impact on our ability to attract and retain customers and users of our services. Various comprehensive US state and foreign privacy laws give new data privacy rights to their respective residents (including, in California, a private right of action in the event of a data breach resulting from our failure to implement and maintain reasonable security procedures and practices), and impose significant obligations on controllers and processors of personal data. There can be no assurance that new laws or regulations will not be enacted or adopted, preexisting laws or regulations will not be more strictly enforced or that our operations will comply with all applicable laws, which could have an adverse impact on our operations and financial condition. In January 2021, the ICO confirmed the resumption of its paused investigation into the Advertising Technology industry, and such an investigation may involve the Company. Additionally, other EU regulators are reviewing digital advertising and, in some cases, such as with Belgium, the regulator has ruled that measures such as the Transparency & Consent Framework is insufficient to protect the privacy of end users. Should regulators take a stricter view on the impact of advertising technology on privacy rights, or if we are involved in an investigation, we are likely to be required to expend further capital and other resources to ensure compliance with these changing laws and regulations or to represent our interests in regulatory discussions. While we have numerous mitigation controls in place, there is a risk that cookies and similar technologies may be erroneously deployed on end-users' devices without appropriate consent, or that advertisements produced by us may be erroneously served on websites that are not suitable for the advertising content of gambling (e.g., websites predominantly aimed at children). There is also a risk that gambling advertisements are viewed by people who do not want to view them, or who have taken measures not to receive them (for example, individuals on "self-exclusion" lists). In each case this may have adverse legal and reputational effects on our business. Our media customers may also use our services to target jurisdictions where they are not permitted to advertise, that our risk mitigation controls fail to identify and/or prevent this and our business suffers adverse legal and reputational effects as a result. In November 2023, the European Data Protection Board ("EDPB") released new guidelines (the "EDPB Guidelines") for public consultation on the scope of the ePrivacy Directive. If the EDPB Guidelines are adopted, our ability to deliver contextual advertising, including by utilizing cookies and similar technologies, may become subject to end-user's consent, and this may adversely impact our media business. Because our products and services rely on the movement of data across national boundaries, global privacy and data security concerns could result in additional costs and liabilities to us or inhibit sales of our products globally. European data protection laws, including the GDPR, the UK GDPR and the Guernsey DP Law, generally restrict the transfer of personal information from Europe, including the European Economic Area, UK and Switzerland, to the US and most other countries unless the parties to the transfer have implemented specific safeguards to protect the transferred personal information. Although we rarely rely on individuals' explicit consent to transfer their personal information from Europe to the US and other countries, in most cases we have relied or may rely on the SCCs (although, as noted above, we are following ICO and EU guidance and directions to assess the adequacy of such transfers, including ensuring that the guarantees provided in the SCCs can be complied with in practice). Inability to import personal information from the European Economic Area, UK or Switzerland may also restrict our operations in Europe, limit our ability to collaborate with our customers, sports organizations, service providers, contractors and other companies subject to European data protection laws and require us to increase our data processing capabilities in Europe at significant expense. Additionally, other countries outside of Europe have enacted or are considering enacting similar cross-border data transfer restrictions and laws requiring local data residency, which could increase the cost and complexity of delivering our services and operating our business. In order to diversify our data transfer strategy, we will continue to explore other options managing data from Europe, including without limitation, amending SCCs and IDTAs where required and considering suppliers that limit their data processing activities to ensure processing occurs in Europe at all times, which may involve substantial expense and distraction from other aspects of our business. We may, however, be unsuccessful in establishing an adequate mechanism for data transfer and will be at risk of enforcement actions taken by an EU/UK/Swiss data protection authority until such point in time that we ensure an adequate mechanism for European data transfers, which could damage our reputation, inhibit sales and harm our business. Despite actions we have taken or will be taking to diversify our data transfer strategies, we may be unsuccessful in establishing a conforming means of transferring data due to ongoing legislative activity that could vary the current data transfer landscape. As we expand into new markets and grow our customer base, we will need to comply with any new requirements and continue to progress our compliance to align with changing regulations in our existing operational regions. If we cannot comply with, or if we incur a violation of one or more of these requirements, some customers may be limited in their ability to purchase our products, particularly our cloud products. Growth could be harmed, and we could incur significant liabilities. The ePrivacy Regulation will be directly implemented into the laws of each of the EU Member States, without the need for further enactment. When implemented, the ePrivacy Regulation is expected to alter rules on third-party cookies, web beacons and similar technology for online behavioral advertising and to impose stricter requirements on companies using these tools. Regulation of cookies and web beacons may lead to broader restrictions on our online activities, including efforts to understand followers' Internet usage and promote ourselves, or provide advertising services on behalf of customers, to them. The current draft of the ePrivacy Regulation significantly increases fining powers to the same levels as the GDPR. Given the delay in finalizing the ePrivacy Regulation, certain EU regulators have issued guidance (including UK and French data protection regulators) on the requirement to seek strict opt-in, unbundled consent to use all nonessential cookies. We may need to make changes to our cookies notice or require additional resources to meet these compliance requirements. In addition, California has enacted the California Consumer Privacy Act, or CCPA and the California Privacy Rights Act, or CPRA, which became effective on January 1, 2020. The CCPA and CPRA requires new disclosures to California consumers, imposes new rules for collecting or using information, requires companies to comply with data subject access and deletion requests, and affords California consumers new abilities to opt out of certain disclosures of personal information. The Stop Hacks and Improve Electronic Data Security Act, otherwise known as the SHIELD Act, is a New York State bill, the data protection portions of which became effective on March 23, 2020. The SHIELD Act requires companies to adopt reasonable safeguards to protect the security, confidentiality, and integrity of private information. A company should implement a data security program containing specific measures, including risk assessments, employee training, vendor contracts, and timely data disposal. The effects of the CCPA, the SHIELD Act, and data privacy regulations in other US jurisdictions, including states where regulations are coming into force, are potentially significant and may require us to modify our data collection or processing practices and policies and to incur substantial costs and expenses in an effort to comply. Further examples of the evolving legal landscape in relation to the collection of personal data in the US include changes to state laws governing the processing of biometric information, such as the Illinois Biometric Information Privacy Act and the Texas Capture or Use of Biometric Identifier Act, which impose obligations on businesses that collect or disclose consumer biometric information. Additionally, various federal, state, and foreign laws govern how companies provide age-appropriate experiences to children and minors, including the collection and processing of children and minor's data. These include the Children's Online Privacy Protection Act of 1998, and the United Kingdom Age-Appropriate Design Code, all of which address the use and disclosure of the personal data of children and minors and impose obligations on online services or products directed to or likely to be accessed by children. Although we have appointed a Data Protection Officer as defined in the GDPR, analyzed certain risks associated with our data processing activities, provided employee training, implemented certain policies and procedures, and continue to review and improve such policies and procedures that are designed to ensure compliance with applicable laws, rules and regulations, if our privacy or data security measures fail to comply with applicable current or future laws and regulations, we may be subject to fines, litigation, regulatory investigations, enforcement notices requiring us to change the way we use personal data or our marketing practices or other liabilities such as compensation claims by individuals affected by a personal data breach, as well as negative publicity and a potential loss of business. Fines are significant in some countries (e.g., the GDPR introduced fines of up to €20,000,000 or up to 4% of total worldwide annual turnover of the preceding financial year (whichever is higher)) as well as litigation, compensation claims by affected individuals (including class action type litigation where individuals suffer harm), regulatory investigations and enforcement notices requiring us to change the way we use personal data. In 2021, a group of UK football players issued a data subject access request under the GDPR (dubbed "Project Red Card") to various participants in the sports data and sports betting industries, including the Company, but thus far it has not developed further into litigation. Should any player or participant claims develop into litigation it could significantly alter the way we collect and use sports data relating to players, sports staff and referees and could materially affect the sports data industry as whole.

Our agreements with customers and other third parties may include indemnification or other provisions under which we agree to indemnify or otherwise be liable to them for losses suffered or incurred as a result of claims of intellectual property infringement, damages caused by us to property or persons, or other liabilities relating to or arising from our products and services or other acts or omissions. The term of these contractual provisions may survive termination or expiration of the applicable agreement. Large indemnity payments of damage claims from contractual breach could harm our business, results of operations and financial condition. Although we generally contractually limit our liability with respect to such obligations, we may still incur substantial liability related to them. Any dispute with a customer with respect to such obligations could have adverse effects on our relationship with that customer and other current and prospective customers, reduce demand for our products and services, damage our reputation and harm our business, results of operations and financial condition.

Our technology infrastructure, including Amazon Web Services and certain other third-party platforms, is critical to the performance of our services and product offerings and to user satisfaction. Consequently, we may be subject to service disruptions as well as failures to provide adequate support for reasons that are outside of our direct control. The performance and availability of Amazon Web Services with the necessary speed, data capacity and security for providing reliable access and services can affect the delivery, availability, and performance of our services. Decisions by the owners and operators of the data centers where our cloud infrastructure, Amazon Web Services, is deployed to terminate our contracts, discontinue services to us, shut down operations or facilities, increase prices, change service levels, limit bandwidth, or prioritize the traffic of other parties could also affect the delivery, availability and performance of our services. Third parties may also conduct attacks designed to temporarily deny customers access to our cloud services. Some of our services and offerings require the installation of infrastructure and equipment into customer sites which are not under our control. Consequently, we cannot guarantee the protection of such assets from compromise due to a lack of physical security controls. As such, we may be subject to service disruptions, or compromise of data processed by such infrastructure and equipment. We devote significant resources to network and data security to protect our systems and data. However, our systems may not be adequately designed with the necessary reliability and redundancy to avoid performance delays or outages that could be harmful to our business. We cannot provide assurance that absolute security will be provided by the measures we take to: prevent or hinder cyber-attacks and protect our systems, data, and user information; to prevent outages, data or information loss and fraud; and to prevent or detect security breaches. We have experienced, and we may in the future experience, website disruptions, outages, and other performance problems due to a variety of factors, including infrastructure changes, human or software errors and capacity constraints. To date, such disruptions have not had a material impact on us, individually or in the aggregate; however, future disruptions from unauthorized access to, fraudulent manipulation of, or tampering with our computer systems and technological infrastructure, or those of third parties, could result in a wide range of negative outcomes, each of which could materially adversely affect our business, financial condition, results of operations and prospects. Additionally, our services and product offerings, including our user interface, may contain errors, bugs, flaws, or corrupted data that we have not detected, and these defects may become apparent only after their launch and could result in a vulnerability that could compromise the security of our systems. Additionally, we have detected certain errors, bugs and flaws in our service and product offerings which may have the potential to be exploited, resulting in harm to our business. If a particular product offering is slower than they expect, customers may be unable to use our services and product offerings as desired and may be less likely to continue to use our services and product offerings, if at all. Furthermore, programming errors, defects and data corruption could disrupt our operations, adversely affect the experience of our customers, harm our reputation, cause our customers to stop utilizing our services and product offerings, divert our resources or delay market acceptance of our services and product offerings, any of which could result in legal liability to us or harm our business, financial condition, results of operations and prospects. Insufficient business continuity management could diminish our brand and reputation, subject us to liability, disrupt our business and adversely affect our operating results and growth prospects, and failure of planned availability and continuity solutions and disaster recovery when activated in response to an incident could result in system interruptions and degradation of service. If our customer base and engagement continue to grow, and the amount and types of services and product offerings continue to grow and evolve, we will need an increasing amount of technical infrastructure, including network capacity and computing power, to continue to satisfy our users' needs. Such infrastructure expansion may be complex, and unanticipated delays in completing these projects or availability of components may lead to increased project costs, operational inefficiencies, or interruptions in the delivery or degradation of the quality of our services or product offerings. In addition, there may be issues related to this infrastructure that are not identified during the testing phases of design and implementation, which may become evident only after we have started to fully use the underlying equipment or software, that could further degrade the user experience or increase our costs. As such, we could fail to continue to effectively scale and grow our technical infrastructure to accommodate increased demands. In addition, a lack of resources (e.g., hardware, software, personnel, and service providers) could result in an inability to scale our services to meet business needs, system interruptions, degradation of service, or operational mistakes. Our business also may be subject to interruptions, delays or failures resulting from adverse weather conditions, other natural disasters, power loss, terrorism, cyber-attacks, public health emergencies (such as COVID-19) or other catastrophic events. We believe that if our customers have a negative experience with our services and product offerings, or if our brand or reputation is negatively affected, customers may be less inclined to continue or resume utilizing our services and product offerings or to recommend our services and product offerings to other potential customers. As such, a failure or significant interruption in our service could harm our reputation, our business, financial condition, results of operations and prospects.

A material portion of our revenues is concentrated in some of our largest customers. Our revenue growth depends on our ability to obtain new clients and achieve and sustain a high level of renewal rates with respect to our existing customers. Failure to achieve one or more of these objectives could have a material adverse effect on our business, financial condition and operating results. If we lose one or more of our large customers or have significant reduction in business from such customers, our business, financial condition or results of operations could be materially adversely affected. In addition, our customers' losses in the betting market may adversely affect our revenue, particularly if we are participating in a revenue sharing arrangement with that customer. Further, even under a fixed fee arrangement with a customer, in the event that a customer's revenues are materially adversely affected in a particular year, it is likely this would have a knock-on effect to such customer's ability to pay increased fees in any renewal agreement with us.

Our business and the businesses of our customers and sports organizations are particularly sensitive to reductions in discretionary consumer spending. Demand for entertainment and leisure activities, including sporting events, sports betting and online gaming, can be affected by economic headwinds and changes in consumer tastes, both of which are difficult to predict and beyond our control. Unfavorable changes in general economic conditions, including recessions, economic slowdowns, sustained high levels of unemployment, high inflation, or the perception by consumers of weak or weakening economic conditions, may reduce consumers' disposable income or result in fewer individuals engaging in entertainment and leisure activities, such as sporting events, sports betting and online gaming.

The long-term effects of climate change on the global economy are unclear, though we recognize that there are inherent climate-related risks wherever business is conducted. Increased frequency and severity of climate-related events, including, but not limited to, the increasing frequency of extreme weather events and their impacts on critical infrastructure globally, have the potential to disrupt our business, our third-party suppliers, partners, and/or the business of our customers. Furthermore, the effects of climate change may negatively impact regional and local activity, which could lead to an adverse effect on our customers and partners, such as the cancellation or postponement of sporting events, resulting in an adverse impact on our financial condition and operations.