Gafisa SA (GFASY) Risk Analysis

In December 2019, a novel strain of coronavirus, COVID-19, was reported to have surfaced in Wuhan, China. In January 2020, COVID-19 spread to other countries, including Brazil, and on March 11, 2020, the World Health Organization declared that the spread of COVID-19 had become a global pandemic. The spread of COVID-19 has resulted in a global and regional economic slowdown, and efforts to contain the spread of COVID-19 have intensified, including shutdowns mandated by governmental authorities. The outbreak and the preventative and protective actions that governments took in respect of COVID-19 during 2020 and 2021 has resulted in a period of business disruption and reduced operations, including in the real estate sector. In addition, the pandemic has caused levels of equity and other financial markets to decline sharply and to become volatile, including the price of our common shares. In response to the pandemic, we created a crisis management committee which meets daily to discuss developments and disease prevention measures. In addition, we have preventatively determined that back-office personnel work remotely, providing all employees with the required tools and infrastructure to enable them to work from home. We have also implemented a series of educative and preventative measures targeted at our construction site employees, and have reduced staff considered to be in the risk group. Moreover, our sales teams have focused on online interactions with prospective customers. The COVID-19 pandemic may continue to affect our industry and cause temporary suspension of projects and shortage of labor and raw materials, which would severely disrupt our operations and have a material adverse effect on our business, financial condition and results of operations. Our operations could also be disrupted if any of our employees or the employees of our subcontractors contracted or are thought to have contracted COVID-19 or another disease that could cause an epidemic, since this could require us and our subcontractors to quarantine some or all of these employees and temporarily close our work sites and other facilities used for our operations. In addition, our revenue and profitability could also be reduced to the extent COVID-19 or any other epidemic harms the overall economy in Brazil. These adverse impacts, particularly if they materialize and persist for a substantial period, may significantly and adversely affect our business operation and financial performance. Additionally, the city of São Paulo where we develop our main projects is highly affected by COVID-19. A recurrence of this epidemic or any epidemic in the city of São Paulo could result in material disruptions to our property developments, which in turn could materially and adversely affect our financial condition and results of operations. The impact from the outbreak of COVID-19 on our operations might result in the postponement of our launches, a reduction in sales volume and an increase in customer payment defaults. Additional impacts will depend on future developments, which are highly uncertain and cannot be predicted, including new information which may emerge concerning the severity of COVID-19 and the actions to contain COVID-19 or treat its impact, such as vaccination programs, among others. While there have been no significant impacts on our business or our financial targets as a result of the COVID-19 pandemic, we could be materially adversely affected by a protracted downturn in local, regional or global economic conditions. During 2021, we were better equipped to manage the challenges of COVID-19 compared to 2020. A combination of our strategy and the relaxation of restrictions in some regions of Brazil resulted in a gradual increase in lauches and sales volumes. However, there is some uncertainty regarding the duration and likelihood of further government interventions or increases in restrictions, as well as the economic effects on financial markets, which may materially adversely affect our business, liquidity, financial condition, and the outcome of operations. Our management has evaluated the impacts of the COVID-19 pandemic on our financial statements, including projections of profit or loss and cash generation, based on its best estimates, and management has concluded that there is no need to recognize any additional loss allowances. We will continue to monitor and analyze the impacts of the COVID-19 pandemic on our results of operations and financial condition.

We must constantly locate and acquire new tracts of land for development and development home sites to support our homebuilding operations. There is a lag between the time we acquire land for development or development home sites and the time that we can bring the properties to market and sell homes. As a result, we face the risk that demand for housing may decline, costs of labor or materials may increase, interest rates may increase, currencies may fluctuate and political uncertainties may occur during this period and that we will not be able to dispose of developed properties at expected prices or profit margins or within anticipated time frames or at all. Significant expenditures associated with investments in real estate, such as maintenance costs, construction costs and debt payments, cannot generally be reduced if changes in the economy cause a decrease in revenues from our properties. The market value of property inventories, undeveloped tracts of land and desirable locations can fluctuate significantly because of changing market conditions. In addition, inventory carrying costs (including interest on funds unused to acquire land or build homes) can be significant and can adversely affect our performance. Because of these factors, we may be forced to sell homes and other real properties at a loss or for prices that generate lower profit margins than we anticipate. We may also be required to make material write-downs of the book value of our real estate assets in accordance with Brazilian and U.S. GAAP if values decline. The occurrence of any of these factors may adversely affect our business and results of operations.

The quality of work in the construction of our real estate projects and the timely completion of these projects are major factors that affect our reputation, and therefore our sales and growth. We may experience delays in the construction of our projects or there may be defects in materials and/or workmanship. Any defects could delay the completion of our real estate projects, or, if such defects are discovered after completion, expose us to civil lawsuits by purchasers or tenants. These factors may also adversely affect our reputation as a contractor for third party projects, since we are responsible for our construction services and the building itself for five years. Construction projects often involve delays in obtaining, or the inability to obtain, permits or approvals from the relevant authorities. In addition, construction projects may also encounter delays due to adverse weather conditions, natural disasters, fires, delays in the provision of materials or labor, accidents, labor disputes, unforeseen engineering, environmental or geological problems, disputes with contractors and subcontractors, unforeseen conditions at construction sites, disputes with surrounding landowners, or other events. In addition, we may encounter previously unknown conditions at or near our construction sites that may delay or prevent construction of a particular project. If we encounter a previously unknown condition at or near a site, we may be required to correct the condition prior to continuing construction and there may be a delay in the construction of a particular project. The occurrence of any one or more of these problems in our real estate projects could adversely affect our reputation and our future sales. We may incur construction and other development costs for a project that exceeds our original estimates due to increases over time in interest rates, real estate taxes or costs associated with materials and labor, among others. We may not be able to pass these increased costs on to purchasers. Construction delays, scarcity of skilled workers, default and or bankruptcy of third party contractors, cost overruns and adverse conditions may also increase project development costs. In addition, delays in the completion of a project may result in a delay in the commencement of cash flow, which would increase our capital needs.

We engage third party contractors to provide services for our projects. Therefore, the quality of work in the construction of our real estate projects and the timely completion of these projects may depend on factors that are beyond our control, including the quality and timely delivery of building materials and the technical skills of the outsourced professionals. Such outsourcing may delay the identification of construction problems and, as a result, the correction of such problems. Any failures, delays or defects in the services provided by our third party contractors may adversely affect our reputation and relationship with our clients, which would adversely affect our business and results of operations.

We currently are, and may be in the future, defendants in several judicial, administrative proceedings related to civil, labor and tax matters. We cannot assure you that we will obtain favorable decisions in such proceedings, that such proceedings will be dismissed, or that our provisions for such proceedings are sufficient in the event of an unfavorable decision. Unfavorable decisions that impede our operations, as initially planned, or that result in a claim amount that is not adequately covered by provisions in our balance sheet, may adversely affect our business and financial condition.

In the year 2018, Law No. 13.709/2018, the Lei Geral de Proteção de Dados Pessoais (Brazilian General Data Protection Law) or LGPD, was enacted and came into effect as of September 18, 2020. Inspired by the General Data Protection Regulation of the European Union, the LGPD sets forth a comprehensive set of rules that promise to reshape how companies, organizations and public authorities collect, use, process and store personal data when carrying out their activities. The LGPD sets out a legal framework for the processing of personal data and provides, among others, for the rights of data subjects, the legal bases that legitimize processing operations, requirements for obtaining consent, obligations and requirements related to data breaches, requirements for international data transfers, among others. The LGPD also created the Autoridade Nacional de Proteção de Dados (National Data Protection Authority), or ANPD, with powers to enforce the law. Most provisions of the LGPD entered into effect on September 18, 2020, while the provisions relating to administrative sanctions came into effect on August 1, 2021. On October 29, 2021, the Regulation on Supervision and Sanctioning Procedures approved by the ANPD was published, which governs, among other things, how the administrative sanctions provided for in the LGPD should be applied. In addition to the administrative sanctions provided for in the LGPD, failure to comply with any provisions set forth in the LGPD regarding the personal data collected by us has the following risks: (i) the filing of lawsuits, individual or collective, claiming damages resulting from violations, based not only on the LGPD, but also on the sparse legislation that address data protection matters; (ii) the application of specific penalties foreseen in the sparse legislation, such as Marco Civil da Internet (Brazilian Internet Act), in case of violation of its provisions, by some consumer protection bodies and public prosecution offices. The LGPD, as well as any other changes to existing personal data protection laws and the introduction of such laws in other jurisdictions in which we operate, may subject us to, among other things, additional costs and expenses and may require costly changes to our business practices and security systems, policies, procedures and practices. In relation to the LGPD's administrative sanctions, if we are not in compliance with the LGPD, we may be subject to the sanctions, individually or cumulatively, of: (a) a warning; (b) a one-time fine of up to two percent of the private legal entity or group's pre-tax revenue in its preceding fiscal year in Brazil, limited to a total of R$50 million per infraction; (c) a daily fine, which is also subject to the abovementioned limit; (d) mandatory public disclosure of the infraction after its occurrence is confirmed; (e) the suspension of the processing of the corresponding personal data until the infraction is remedied and the obligation to delete personal data corresponding to the infraction; (f) partial suspension of the database to which the infraction relates for six months, extendable by an additional six months; (g) suspension of the data processing activity to which the infraction relates for six months, extendable by an additional six months; and (h) partial or complete prohibition of any data processing activities, each of which could harm our reputation and negatively affect our business and operating results. Moreover, we may be liable for property, moral, individual or collective damages caused by us, including by third party providers that process personal data for us, and jointly liable for property, moral, individual or collective damages caused by our subsidiaries, due to non-compliance with the obligations established by the LGPD. As a result of our business activities, we hold large volumes of personal data, including that of employees, suppliers and customers. Therefore, we have designed and implemented a privacy governance framework in order to comply with the LGPD and improve some of the existing guidelines. We have also implemented security measures to protect our databases and prevent cyberattacks, thereby reducing risks of exposure to data breaches and information security incidents. Additionally, as a result of the remote work measures adopted in response to the COVID-19 pandemic, there is a risk of an increase in cyberattacks through our employees' personal computers, since the cyber security of the networks used by them in their homes may not maintain the same level of security as that of our corporate work environment, which may impair our ability to manage our business. Despite the security measures that we have in place, our facilities and systems may be vulnerable to security breaches, cyber-attacks, acts of vandalism, computer viruses, misplaced or lost data, programming or human errors, or other similar events, and individuals may attempt to gain unauthorized access to our database in order to misappropriate such information for potentially fraudulent purposes. Our security measures may fail to prevent such incidents and breaches of our systems could result in adverse impact to our reputation, financial condition, and market value. In addition, if we are unable to prove that our systems are properly designed to detect and to try and detain a cyberattack, or even if we fail to respond to a cyberattack properly, we could be subject to severe penalties, aside from damages awarded to our customers, suppliers and employees whose personal data might have been mishandled or breached. Finally, if we fail to ensure the security of personal data, we may be subject to the obligation to notify the ANPD and the data subjects involved in the security incident or data breach.

The Brazilian real estate industry is highly competitive and fragmented. We compete with several developers on the basis of land availability and location, price, funding, design, quality, and reputation as well as for partnerships with other developers. Because our industry does not have high barriers to entry, new competitors, including international companies working in partnership with Brazilian developers, may enter into the industry, further intensifying this competition. Some of our current potential competitors may have greater financial and other resources than we do. Furthermore, a significant portion of our real estate development and construction activity is conducted in the state of São Paulo, an area where the real estate market is highly competitive due to a scarcity of properties in desirable locations and the relatively large number of local competitors. If we are not able to compete effectively, our business, our financial condition and the results of our operations could be adversely affected.

We rely on information technology systems to process, transmit and store large amounts of electronic data, including personal information. A significant portion of the communication between our personnel, customers and suppliers depends on information technology. As with all large systems, our information systems may be vulnerable to a variety of interruptions due to events beyond our control, including, but not limited to, natural disasters, terrorist attacks, telecommunications failures, computer viruses, hackers' attacks or other security issues. We take various actions with the aim of minimizing potential technology disruptions – such as investing in intrusion detection solutions, proceeding with internal and external security assessments, building and implementing business continuity plans and reviewing risk management processes – but all of these protections may be compromised as a result of third-party security breaches, burglaries, cyberattack, errors by employees or employees of third-party vendors, of contractors, misappropriation of data by employees, or unaffiliated third parties, or other irregularities that may result in persons obtaining unauthorized access to company data or otherwise disrupting our business. Unauthorized or accidental access to, or destruction, loss, alteration, disclosure, misuse, falsification or unavailability of information could result in violations of data privacy laws and regulations, damage to our reputation or our competitive advantage, loss of opportunities to acquire or divest of businesses or brands and loss of ability to commercialize products developed through research and development efforts and, therefore, could have a negative impact on net operating revenues. More generally, these or other similar technology disruptions can have a material adverse effect on our business, results of operations, cash flows or financial condition. We, as with all business organizations, are routinely subject to cyber-threats, however, while we continue to invest in new technology-monitoring and cyberattack prevention systems, no commercial or government entity can be entirely free of vulnerability to attack or compromise given how rapidly and unpredictably techniques evolve to obtain unauthorized access or disable or degrade service. On February 16, 2022, we informed the market that we had identified a criminal ransomware attack in our information technology environment, and immediately activated our internal information security protocols in order to identify the causes of the incident and mitigate its impacts. Our operations were not interrupted, since we were able to rebuild a separate information technology environment and our IT team proceeded to investigate the nature of the cyberattack and its effects and we did not identify any unauthorized access to our ERP data server. Concurrently, a forensic investigation was conducted by an independent firm and no evidence of personal data breach which may cause a risk or relevant damage to its owners was identified, as per article 48 of Law 13,709/2018. Moreover, as ratified by the forensic report, despite the increase of data transfer volume in the related period, there is no evidence on which we can infer the types of eventual data breach. As corroborated by the forensic investigation and our IT team analysis, there was no evidence of any damage and data breach in our ERP software, therefore there was no effect on the results of operations and financial statements. Furthermore, as a result of the investigation, we identified that this ransomware attack was aimed to a specific subsystem with no direct relation to our ERP server, diminishing its impacts to our operations. However, additional security measures were suggested, which will be remediated by implementing a Security Operation Center (SOC) with a Security Information and Event Management (SIEM) monitoring. This forensic investigation was concluded in May 2022. Additionally, we maintain frequent updates of our network, and continually invests in our technology processes to preserve the security of our systems and prevent any attempts of intrusion, and make use of technologies with strict security standards, compatible with our activities.