ICLICK INTERACTIVE ASIA GROUP (ICLK) Risk Analysis

Governments around the world, including the PRC, Hong Kong, U.S. and European Union governments, have enacted or are considering legislation related to online businesses. There may be an increase in legislation and regulation related to online marketing, the use of geo-location data to inform marketing, the collection and use of internet user data and unique device identifiers, such as IP address or mobile unique device identifiers, and other data protection and privacy regulation. These laws and regulations could adversely affect the demand for or effectiveness and value of our solutions, force us to incur substantial costs or require us to change our business practices in a manner that could adversely affect our business and results of operations or compromise our ability to effectively pursue our growth strategies. We primarily target Chinese language internet users in China for our marketers from all over the world. Through our enterprise solutions, we also access and gather data of users outside China as clients adopt our enterprise solutions. As a result, we may be directly or indirectly subject to the laws and regulations on online marketing and enterprise solutions, including data and privacy laws, of multiple jurisdictions. In recent years, the PRC government has enacted legislation on internet use to protect personal information from any unauthorized disclosure. For example, on February 1, 2013, China's first set of personal data protection guidelines, the Guidelines for Personal Information Protection in Information Security Technology Public and Commercial Service Systems, came into effect, which set forth detailed personal information protection requirements on data collection, data processing, data transfer and data creation. Although these guidelines are voluntary and non-binding, we believe that growing regulatory oversight of data privacy in China is inevitable. In addition, Amendment 9 to the PRC Criminal Law prohibits institutions, companies and their employees in the telecommunications and other industries from selling or otherwise illegally disclosing a citizen's personal information or obtaining such information through theft or other illegal ways, and further stipulates that persons who sell or otherwise illegally disclose a citizen's personal information obtained during the course of performing duties or providing services shall be subject to a heavier sentence. On November 7, 2016, the Standing Committee of the PRC National People's Congress issued the Cyber Security Law of the PRC, which became effective on June 1, 2017. Pursuant to the Cyber Security Law of the PRC, providers of network products and services shall provide security maintenance for their products and services and shall comply with provisions regarding the protection of personal information as stipulated under the relevant laws and regulations. Moreover, the Provisions on Protection of Personal Information of Telecommunication and Internet Users is the specific regulation governing the collection, use, disclosure and security of personal information. Complying with these PRC laws and regulations may cause us to incur substantial costs or require us to change our business practices. Furthermore, the Personal Information Security Specification, last revised on March 6, 2020, or the China Specification, came into force on October 1, 2020. Although the China Specification is not a mandatory regulation, it nonetheless has a key implementing role in relation to China's Cyber Security Law in respect of protecting personal information in China. It is likely that the China Specification will be relied on by Chinese government agencies as a standard to determine whether businesses have abided by China's data protection rules. The China Specification has broadened the scope of personal sensitive information, or PSI, including but not limited to phone number, transaction record and purchase history, bank account, browse history, and e-ID info such as system account, email address and corresponding password, and thus, the application of explicit consent under the China Specification is more far reaching. Furthermore, under the China Specification, the data controller must provide the purpose of collecting and using subject personal information, as well as business functions of such purpose, and the China Specification requires the data controller to distinguish its core function from additional functions to ensure the data controller will only collect personal information as needed. Our failure to comply with the China Specification could result in governmental enforcement actions, litigation, fines and penalties, which could have a material adverse effect on our business, results of operations, financial condition and prospects. On November 28, 2019, the CAC, or the MIIT, the Ministry of Public Security, and the State Administration for Market Regulation of the PRC jointly formulated the Method for Identifying the Illegal Collection and Use of Personal Information by Applications, which explicitly sets out the specific methods of identifying six types of illegal behaviors of collecting and using personal information through applications. If we are unable to respond to changing laws, regulations, policies and guidelines related to privacy or cyber security, our business, financial condition, results of operations and prospects may be materially and adversely affected. In Hong Kong, the Hong Kong Personal Data Ordinance prohibits an internet company collecting information about its users, analyzing the information for a profile of the user's interests or selling or transmitting the profiles to third parties for direct marketing purposes unless it has obtained the user's consent. In the U.S., all 50 states have now passed laws to regulate the actions that a business must take in the event of a data breach, such as prompt disclosure and notification to affected users and regulatory authorities. In addition to the data breach notification laws, some states have also enacted statutes and rules requiring businesses to reasonably protect certain types of personal information they hold or to otherwise comply with certain specified data security requirements for personal information. Additionally, the U.S. government has announced that it is reviewing the need for greater regulation of the collection of consumer information, including regulation aimed at restricting some targeted advertising practices. In the European Union, or EU, to the extent it is applicable to the processing operations carried out in the course of our activities, the General Data Protection Regulation, or the GDPR, which became applicable on May 25, 2018, has a broad territorial scope affecting the processing of personal data by companies outside of the EU offering goods and services to, or monitoring the behavior of, individuals in the EU. The GDPR introduces new obligations for subject companies in the area of privacy and data protection. The GDPR implements more stringent legal and operational requirements for both processors and controllers of personal data, including, for example, requiring expanded disclosures about how personal information is to be used, limitations on retention of information, new rights for data subjects with respect to their data (including by enabling them to exercise rights to erasure and data portability), mandatory data breach notification requirements, and higher standards for data controllers to demonstrate that they have obtained either valid consent or have another legal basis in place to justify their data processing activities. The GDPR further provides that EU member states may make their own additional laws and regulations in relation to certain data processing activities, which could further limit our ability to use and share personal data and could require localized changes to our operating model. Under the GDPR, fines of up to €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, may be imposed in certain cases of non-compliance. To the extent the GDPR is applicable, the implementation of the GDPR may require amendments to our procedures and policies or the agreements we have with our service providers and clients, and these changes could impact our business by increasing its operational and compliance costs. The EU has also released a proposed Regulation on Privacy and Electronic Communications, or the e-Privacy Regulation, to replace the EU's current Privacy and Electronic Communications Directive, or the e-Privacy Directive, to, among other things, achieve a greater harmonization among EU member states and better align the rules governing electronic communications (e.g., in relation to the use of cookies and other tracking technologies and protection against spam) with the requirements of the GDPR. While the ePrivacy Regulation was originally intended to be adopted on May 25, 2018 (alongside the GDPR), it is still going through the European legislative process, and commentators now expect it to be adopted in 2023. The current draft of the ePrivacy Regulation imposes strict opt-in e-marketing rules with limited exceptions to business to business communications and significantly increases fining powers to the same levels as GDPR. Regulations of cookies and web beacons may lead to broader restrictions on our online activities, including efforts to understand followers' internet usage and promote ourselves to them. Since the implementation of the GDPR in 2018, we have made tremendous efforts to comply and constantly adapt to the fast-evolving regulatory framework; for example, we have already revised our Data Processing Addendum (after invalidation of the Privacy Shield by the European Court of Justice, with the adoption of the new Standard contractual clauses by the European Union, and the recent adoption of the new UK standard contractual clauses by the United Kingdom). We are always actively working with our clients and partners towards ensuring up to date compliance. Outside of the U.S. and the EU, many jurisdictions have adopted or are adopting new data privacy and data protection laws that may impose further onerous compliance requirements, such as data localization, which prohibits companies from storing outside the jurisdiction data relating to resident individuals in data centers outside the jurisdiction. The proliferation of such laws within the jurisdictions and countries in which we operate may result in conflicting and contradictory requirements, particularly in relation to evolving technologies such as cloud computing. Any failure to successfully navigate the changing regulatory landscape could result in legal liability or impairment to our reputation in the marketplace, which could have a material adverse effect on our business and operations. While we strive to comply with all applicable laws and regulations relating to privacy and data collection, processing, use, and disclosure applicable to us, it is possible that our practices are and will continue to be, inconsistent with certain regulatory requirements. These laws and regulations are continually evolving, are not always clear, and are not always consistent across the jurisdictions in which we do business, and the measures we take to comply with these laws, regulations and industry standards may not always be effective. We may be subject to litigation or enforcement action or reduced demand for our solutions if we or our marketers fail to abide by applicable data protection and privacy laws or to provide adequate notice and/or obtain consent from end users. In addition, some of our content distribution channels require us to indemnify and hold them harmless from the costs or consequences of litigation resulting from using their networks. Any proceeding, claims or lawsuits initiated by governmental bodies, customers or other third parties, whether meritorious or not, or perception of concerns relating to our collection, use, disclosure, and retention of data, including our security measures applicable to the data we collect, whether or not valid, could harm our reputation, force us to spend significant amounts and time on defense of these proceedings, give rise to significant fines, liabilities and damage awards, distract our management, change our business practices, increase our costs of doing business, inhibit the use of our solutions, harm our ability to keep existing customers or attract new customers, or otherwise materially and adversely affect our business, results of operations and prospects.

Our future success will depend on our ability to continuously innovate, enhance and broaden our solutions to meet evolving needs for online marketing, data and intelligent enterprise solutions, and address technological advancements and new trends in these areas, in particular the growing popularity of online marketing via mobile channel. We may not be able to timely identify and respond to these new trends. The design of mobile devices and operating systems is controlled by third parties with which we do not have any formal relationship. These parties frequently introduce new devices, and from time to time they may introduce new operating systems or modify existing ones. Network carriers may also restrict our ability to access specific content on mobile devices. If we fail to innovate or adapt our technologies and solutions so that they are compatible with these devices or operating systems, which in turn require that we maintain adequate research and development personnel and resources, our solutions may become less competitive or obsolete. In addition, any new solution that we develop may not receive wide acceptance as we anticipated. Any of these events could materially and adversely affect our business, results of operations and prospects.

Cookies that we place are generally regarded as "third party cookies" because we place them through internet browsers on an internet user when an internet user visit our website or a website owned by our marketers or other party that has given us permission to place cookies. Our cookies generally record non-personally identifiable information, including when a user views or clicks on a marketing message, where a user is located, how many marketing messages a user has seen, and browser or device information. We use data from cookies to help build user profiles that assess audience interest and predict audience potential interaction with a given marketing message. Cookies may easily be deleted or blocked by internet users. Commonly used internet browsers (Chrome, Firefox, Internet Explorer, and Safari) allow internet users to modify their browser settings to prevent cookies from being accepted by their browsers. Most browsers also now support temporary privacy modes that allow the user to suspend, with a single click, the placement of new cookies or reading or updates of existing cookies. Internet users can also delete cookies from their computers at any time. Some internet users also download free or paid "ad blocking" software that prevents certain cookies from being stored on a user's computer. Further, certain web browsers, such as Safari, currently block or are planning to block some or all third-party cookies by default, as do Apple's iPad and iPhones devices. Mobile devices based upon the Android operating system use cookies only in their web browser applications, so that cookies do not track Android users while they are using other applications on the device. If web browsers block, or internet users reject or delete, cookies, fewer of our cookies or our marketers' cookies may be set in browsers or accessible in mobile devices, which could adversely affect our data collection and hence the optimal performance of our algorithms and data engines and effectiveness of our solutions. Aside from blocking or deleting of cookies, other modifications to privacy settings on the PCs and mobile devices could limit or restrict our ability to collect and analyze data. For example, certain search engines, such as Google, provide an encrypted search function. Although we may still be able to see the amount of traffic brought to marketers' website through the search engine, we will not be able to see the keywords that generate the traffic as the keywords are encrypted. This makes it more difficult for us to evaluate the effectiveness of keywords, and hence the effectiveness of our solutions may be compromised, which would result in client departure and reputation damages, and materially and adversely affect our business and results of operations.

Foreign ownership in advertising business used to be subject to certain restrictions under the PRC laws and regulations. For example, according to the Administrative Provisions on Foreign-Invested Advertising Enterprises, which were abolished in June 2015, foreign investors were required to meet several conditions in order to invest in PRC advertising business, such as a minimum number of years of advertising-related experience and an approval from the relevant PRC regulatory authority. OptAim, which we acquired in July 2015, is a Cayman Islands company and iClick Data Technology (Beijing) Limited, or iClick Beijing, its PRC subsidiary, is considered a foreign invested enterprise, or FIE. To comply with the then-effective PRC laws and regulations, including the Administrative Provisions on Foreign-Invested Advertising Enterprises, OptAim Beijing, later replaced by iClick Beijing entered into a set of contractual arrangements with OptAim Network and its shareholder. For a detailed description of these contractual arrangements, see "Item 4. Information on the Company-C. Organizational Structure-Contractual Arrangements with OptAim Network." As a result of these contractual arrangements, we exert control over OptAim Network and its subsidiaries, and consolidate their operating results in our financial statements under U.S. GAAP. After the abolishment of the foreign ownership restriction in advertising business, we had been transferring the advertising business previously operated by the VIE, OptAim Network, primarily consisting of our mobile marketing solution business, to our wholly-owned subsidiaries. As of December 31, 2018, our wholly-owned subsidiaries had replaced OptAim Network as contracting party for all our mobile marketing solution business. In November 2018, OptAim Network acquired Myhayo, a content distribution channel and a mobile content aggregator of articles and short videos in the PRC, which presents customized feeds to users via its mobile application. The mobile application operated by Myhayo allows users to earn points from their daily access, which could be used to redeem cash rewards. It is unclear whether Myhayo's business model would render it a commercial operator of value-added telecommunication services under the relevant PRC laws, in which case Myhayo would be required to hold a value-added telecommunication license. In August 2019, Myhayo obtained the value-added telecommunication license that has a validity term of five years. See "-Risk Related to Our Business and Industry-If we fail to maintain or renew the value-added telecommunication license, or fail to obtain other requisite license, or approvals or filings in China, the business carried out by certain consolidated entity may be materially and adversely affected." Current PRC laws and regulations impose certain restriction on foreign investment in value-added telecommunication services. See "-Regulations-Regulations on Foreign Direct Investment in Value-Added Telecommunications Companies." As a result, we acquired Myhayo through OptAim Network, the VIE. In June 2022, Zhiyunzhong (Shanghai) Technology Co., Ltd., one of the VIE entities, was wholly transferred from OptAim Network to another subsidiary of the Company, Anhui Zhiyunzhong Information Technology Co., Ltd.. In 2021, OptAim Network contributed 3.0% to our gross billing and 7.8% of our net revenues. In 2022, OptAim Network contributed 5.3% to our gross billing and 12.7% of our net revenues. We conduct our operations in China through our PRC subsidiaries and the VIE entities, with which we maintained these contractual arrangements. Investors in our ordinary shares or the ADSs are not purchasing equity interest in the VIE in China but instead are purchasing equity interest in a Cayman Islands holding company with no equity ownership of the VIE. Under the Measures on the Administration of Foreign-related Surveys, or the Foreign-related Surveys Measures, promulgated by the National Bureau of Statistics of China on October 13, 2004, no individual or organization may conduct any foreign-related survey without a license for foreign-related survey granted by the National Bureau of Statistics in China or its local counterparts. Under the Catalogue for the Guidance of Foreign Investment Industries, or Foreign Investment Catalog, promulgated by the Ministry of Commerce and National Development and Reform Commission on June 28, 2017, only a domestic enterprise or a sino-foreign enterprise which meets the several requirements stipulated in the Foreign-related Surveys Measures can apply for a license for the foreign-related survey. On September 18, 2021, the Ministry of Commerce ("MOFCOM") and the National Development and Reform Commission, or the NDRC, jointly promulgated the Special Administrative Measures (Negative List 2021) for Foreign Investment Access, or the Special Administrative Measures, which replaced the negative list attached to the Foreign Investment Catalog in 2020. Industries that are not listed in the Special Administrative Measures are permitted areas for foreign investments, and are generally open to foreign investment unless specifically restricted by other PRC regulations. We do not believe our collection and use of multiple kinds of data from multiple sources in China to improve the cost-effectiveness of marketing campaigns for marketers in and outside China fall within the scope of "foreign-related survey" under the Foreign-related Survey Measures listed under the Special Administrative Measures. However, there are uncertainties under the PRC Laws whether such activities may be deemed as "foreign-related survey," which would require a foreign-related survey license from the National Bureau of Statistics in China or its local counterparts. If the PRC regulatory authorities disagree with our interpretation of what would constitute foreign-related survey and enforcement practices on foreign-related survey licensing requirement or if we expand our business scope to engage in activities falling within the scope of foreign-related survey, we will need to continue to rely on iClick Data Technology (Beijing) Limited's contractual arrangements with OptAim Network and its shareholder to conduct certain of our operations in China, including to transfer such operations to the VIE to the extent they are deemed foreign-related survey. In the opinion of our PRC counsel, Jingtian & Gongcheng, our current ownership structure, the ownership structure of our PRC subsidiaries, the VIE entities, and the contractual arrangements among iClick Beijing, OptAim Network and the shareholder of OptAim Network are not in violation of existing PRC laws, rules and regulations; and these contractual arrangements are valid, binding and enforceable in accordance with their terms and applicable PRC laws and regulations currently in effect. However, Jingtian & Gongcheng has also advised us that there are substantial uncertainties regarding the interpretation and application of current or future PRC laws and regulations and there can be no assurance that the PRC government will ultimately take a view that is consistent with the opinion of our PRC counsel. It is uncertain whether any new PRC laws, rules or regulations relating to variable interest entity structures will be adopted or if adopted, what they would provide. Please see "-Substantial uncertainties exist with respect to the newly enacted PRC Foreign Investment Law and how it may impact the viability of our current corporate structure, corporate governance and business operations." for more information. If the ownership structure, contractual arrangements and business of our company, our PRC subsidiaries or our consolidated variable interest entity and its subsidiary are found to be in violation of any existing or future PRC laws or regulations, or we fail to obtain or maintain any of the required permits or approvals, the relevant governmental authorities would have broad discretion in dealing with such violation, including levying fines, confiscating our income or the income of our PRC subsidiaries, consolidated variable interest entity or its subsidiary, revoking the business licenses or operating licenses of our PRC subsidiaries, consolidated variable interest entity or its subsidiary, shutting down our servers or blocking our online platform, discontinuing or placing restrictions or onerous conditions on our operations, requiring us to undergo a costly and disruptive restructuring, restricting or prohibiting our use of proceeds from our offerings and equity issuances to finance our business and operations in China, and taking other regulatory or enforcement actions that could be harmful to our business. Any of these actions could cause significant disruption to our business operations and severely damage our reputation, which would in turn materially and adversely affect our business and results of operations. If any of these occurrences results in our inability to direct the activities of our consolidated variable interest entity and its subsidiary, and/or our failure to receive economic benefits from our consolidated variable interest entity and its subsidiary, we may not be able to consolidate their results into our consolidated financial statements in accordance with U.S. GAAP.

Our business, results of operations, financial condition and prospects have been materially and adversely affected by the COVID-19. The COVID-19 pandemic has resulted in quarantines, travel restrictions, home office policies, and temporary closure of stores and facilities in China and many other jurisdictions. These control measures have slowed down the development of the China's economy and adversely affected the global economic conditions and financial markets. In 2022, in view of various control measures implemented by the government in different regions in China, substantial uncertainties remained around the macro-economic conditions, which led to reduced budget and spending from clients and a broad-based slowdown in the advertising market in China. This has adversely affected our revenue and outlook, resulting in a reduction in our revenue and significant impairment charges. See "-We have experienced fluctuations in growth in recent periods, and our historical growth may not be indicative of our future growth." and "-We have recorded significant impairment charges and may continue to do so in the future." In addition, the travel restrictions and lockdowns materially reduced the efficiency of communication between our employees and clients, which materially and adversely affected our client on-boarding and solution implementation. China began to modify its zero-COVID policy at the end of 2022. There were significant surges of COVID-19 cases in many cities in China subsequently. The rapid spread of COVID-19 virus in a relatively short period of time has compelled people to stay at home and reduced business activities, which adversely affected our client on-boarding and solution delivery. The pandemic situation has been improving in China since early 2023. In early May, the World Health Organization declared that COVID-19 no longer represented a global health emergency, and the risk remains of new variants emerging that cause new surges in cases and deaths. The full and long-term implications from COVID-19 on our business and results of operations remain uncertain. Any significant resurgence of COVID-19 may have an adverse effect on our results of operations, financial condition, business and prospects. Any potential impact on our results will depend on, to a large extent, future developments and new information that may emerge regarding the duration of COVID-19 and the actions taken by governmental authorities and other entities to contain COVID-19 or treat its impact, which are mostly beyond our control. Additionally, to the extent the COVID-19 adversely affects our business, results of operations, cash flows, financial condition and/or prospects, it may also have the effect of heightening many of the other risks described herein. Our business could also be adversely affected by the effects of other epidemics, including monkey pox (mpox), Ebola virus disease, Zika virus disease, H1N1 flu, H7N9 flu, avian flu, Severe Acute Respiratory Syndrome, or SARS. We are also vulnerable to natural disasters and other calamities. Fire, floods, typhoons, earthquakes, power loss, telecommunications failures, break-ins, war, riots, terrorist attacks or similar events may give rise to server interruptions, breakdowns, system failures, technology platform failures or internet failures, which could cause the loss or corruption of data or malfunctions of software or hardware as well as adversely affect our ability to provide solutions and services. Most of our system hardware and back-up systems are hosted in leased facilities in Hong Kong, Shanghai, Beijing and Guangzhou, and most of our directors, senior management and employees are based in Hong Kong, Shanghai and Beijing. Therefore, if any of the above-mentioned natural disasters, health epidemics or other outbreaks were to occur in these regions, our operations may experience material disruptions, such as temporary closure of our offices and suspension of services, which may materially and adversely affect our business and results of operations.