Malibu Boats (MBUU) Risk Factors

We provide limited warranties for our boats. Although we employ quality control procedures, sometimes a product is distributed that needs repair or replacement. Our standard warranties require us, through our dealer network, to repair or replace defective products during such warranty periods. In addition, if any of our products are, or are alleged to be, defective, we may be required to participate in a recall of that product if the defect or alleged defect relates to safety. For example, in fiscal year 2019 we announced a recall on fuel pumps supplied to us by a third-party vendor and used in certain Malibu and Axis boats. While this recall did not have a material impact on our business, the repair and replacement costs we could incur in connection with a recall could materially and adversely affect our business and could cause consumers to question the safety or reliability of our products.

Our success depends in significant part upon the continued service of our senior management and our continuing ability to attract, assimilate, and retain highly qualified and skilled managerial, product development, manufacturing, marketing and other personnel. The loss of services of any members of our senior management or key personnel or the inability to hire or retain qualified personnel in the future could adversely affect our business, financial condition, and results of operations. Management transition may also create uncertainty among employees, suppliers and customers or impact public or market perception, any of which could negatively impact our ability to operate effectively or execute on our strategies and result in an adverse impact on our business. In particular, our future success will depend, in part, on the effectiveness of the transition to our new Chief Executive Officer, Mr. Menneto, who will be critical in executing on and achieving our vision, strategic direction, culture and products.

Substantially all of our sales are derived from our network of independent dealers. Maintaining a reliable network of dealers is essential to our success. Our agreements with dealers in our network typically provide for one-year terms, although some agreements have longer terms. Our top ten dealers represented 40.4%, 41.1% and 39.9% of our net sales for fiscal year 2024, 2023 and 2022, respectively. Sales to our dealers under common control of OneWater Marine, Inc. represented approximately 23.7%, 17.2% and 16.8% of consolidated net sales in fiscal years 2024, 2023 and 2022, respectively. Sales to our former dealers under common control of Tommy's Boats represented approximately 2.4%, 10.7% and 9.4% of our consolidated net sales in the fiscal years ended June 30, 2024, 2023 and 2022 respectively, including 6.7%, 0.0% and 0.5% of our consolidated sales in fiscal year 2024 for Malibu, Saltwater Fishing and Cobalt, respectively. During fiscal year 2024, we informed Tommy's Boats that we would not be renewing any of their agreements that had expired as of June 30, 2023 and we terminated the two agreements in Texas that had not expired. Tommy's subsequently filed for bankruptcy protection and is in the process of liquidating its inventory. We have since entered into dealer agreements with other dealers in 14 of the 15 markets previously served by Tommy's Boats. The loss of additional significant dealers or a significant number of other dealers could have a material adverse effect on our financial condition and results of operations. The number of dealers supporting our products and the quality of their marketing and servicing efforts are essential to our ability to generate sales. Competition for dealers among recreational powerboat manufacturers continues to increase based on the quality, price, value and availability of the manufacturers' products, the manufacturers' attention to customer service and the marketing support that the manufacturer provides to the dealers. We face competition from other manufacturers in attracting and retaining independent boat dealers. In addition, independent dealers in the recreational powerboat industry have experienced significant consolidation in recent years, which could result in the loss of one or more of our dealers in the future if the surviving entity in any such consolidation purchases similar products from a competitor. A significant deterioration in the number or effectiveness of our dealers could have a material adverse effect on our business, financial condition and results of operations.

The fixed cost levels of operating a recreational powerboat manufacturer can put pressure on profit margins when sales and production decline. Our profitability depends, in part, on our ability to spread fixed costs over a sufficiently large number of products sold and shipped, and if we make a decision to reduce our rate of production or otherwise experience lower revenues, gross margins will be negatively affected. For instance, our consolidated net sales decreased by 40.3% for fiscal year 2024 compared to fiscal year 2023 while our expenses only decreased by 34.2% during the same period. As a result, our gross margin decreased from 25.3% for fiscal year 2023 to 17.7% for fiscal year 2024 and our net income decreased from $107.9 million for fiscal year 2023 to a $56.4 million net loss for fiscal year 2024. Consequently, decreased demand or the need to reduce production can lower our ability to absorb fixed costs and materially impact our financial condition or results of operations.

In the ordinary course of business, we collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share (collectively, process) personal data and other sensitive information, including proprietary and confidential business data, trade secrets, intellectual property, and sensitive third-party data (collectively, sensitive information). Our data processing activities subject us to numerous data privacy and security obligations, such as laws, regulations, guidance, industry standards, external and internal privacy and security policies, contractual requirements, and other obligations relating to data privacy and security. In the United States, federal, state, and local governments have enacted numerous data privacy and security laws, including data breach notification laws, personal data privacy laws, consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), and other similar laws (e.g., wiretapping laws). In the past few years, numerous U.S. states-including California, Virginia, Colorado, Connecticut, and Utah-have enacted comprehensive privacy laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording residents with certain rights concerning their personal data. As applicable, such rights may include the right to access, correct, or delete certain personal data, and to opt-out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. Certain states also impose stricter requirements for processing certain personal data, including sensitive information, such as conducting data privacy impact assessments. These state laws allow for statutory fines for noncompliance. For example, the California Consumer Privacy Act of 2018, ( "CCPA") applies to personal data of consumers, business representatives, and employees who are California residents, and requires businesses to provide specific disclosures in privacy notices and honor requests of such individuals to exercise certain privacy rights. The CCPA provides for fines of up to $7,500 per intentional violation and allows private litigants affected by certain data breaches to recover significant statutory damages. Similar laws are being considered in several other states, as well as at the federal and local levels, and we expect more states to pass similar laws in the future. Outside the United States, an increasing number of laws, regulations, and industry standards govern data privacy and security. For example, the European Union's General Data Protection Regulation ("EU GDPR"), the United Kingdom's GDPR ("UK GDPR") (collectively, "GDPR"), and Australia's Privacy Act impose strict requirements for processing personal data. For example, under the GDPR, companies may face temporary or definitive bans on data processing and other corrective actions; fines of up to 20 million Euros under the EU GDPR, 17.5 million pounds sterling under the UK GDPR or, in each case, 4% of annual global revenue, whichever is greater. In the ordinary course of business, we may transfer personal data from Europe and other jurisdictions to the United States or other countries. Europe and other jurisdictions have enacted laws requiring data to be localized or limiting the transfer of personal data to other countries. In particular, the European Economic Area (EEA) and the United Kingdom (UK) have significantly restricted the transfer of personal data to the United States and other countries whose privacy laws it generally believes are inadequate. Other jurisdictions may adopt similarly stringent interpretations of their data localization and cross-border data transfer laws. Although there are currently various mechanisms that may be used to transfer personal data from the EEA and UK to the United States in compliance with law, such as the EEA standard contractual clauses, the UK's International Data Transfer Agreement / Addendum, and the EU-U.S. Data Privacy Framework and the UK extension thereto (which allows for transfers to relevant U.S.-based organizations who self-certify compliance and participate in the Framework), these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal data to the United States. If there is no lawful manner for us to transfer personal data from the EEA, the UK or other jurisdictions to the United States, or if the requirements for a legally-compliant transfer are too onerous, we could face significant adverse consequences, including the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions (such as Europe) at significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors and other third parties, and injunctions against our processing or transferring of personal data necessary to operate our business. Additionally, companies that transfer personal data out of the EEA and UK to other jurisdictions, particularly to the United States, are subject to increased scrutiny from regulators, individual litigants, and activist groups. Some European regulators have ordered certain companies to suspend or permanently cease certain transfers out of Europe for allegedly violating the GDPR's cross-border data transfer limitations. Additionally, under various privacy laws and other obligations, we may be required to obtain certain consents to process personal data. For example, some of our data processing practices may be challenged under wiretapping laws, if we obtain consumer information from third parties through various methods, including chatbot and session replay providers, or via third-party marketing pixels. These practices may be subject to increased challenges by class action plaintiffs. Our inability or failure to obtain consent for these practices could result in adverse consequences, including class action litigation and mass arbitration demands. In addition to data privacy and security laws, we are contractually subject to industry standards adopted by industry groups and, we are, or may become subject to such obligations in the future. For example, we are/may be subject to the Payment Card Industry Data Security Standard ("PCI DSS"). The PCI DSS requires companies to adopt certain measures to ensure the security of cardholder information, including using and maintaining firewalls, adopting proper password protections for certain devices and software, and restricting data access. Noncompliance with PCI-DSS can result in penalties ranging from $5,000 to $100,000 per month by credit card companies, litigation, damage to our reputation, and revenue losses. We are also bound by contractual obligations related to data privacy and security, and our efforts to comply with such obligations may not be successful. We publish privacy policies, marketing materials and other statements, regarding data privacy and security. If these policies, materials or statements are found to be deficient, lacking in transparency, deceptive, unfair, or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators or other adverse consequences. Obligations related to data privacy and security (and consumers' data privacy expectations) are quickly changing, becoming increasingly stringent, and creating uncertainty. Additionally, these obligations may be subject to differing applications and interpretations, which may be inconsistent or conflict among jurisdictions. We may at times fail (or be perceived to have failed) in our efforts to comply with our data privacy and security obligations. Moreover, despite our efforts, our personnel or third parties with whom we work may fail to comply with such obligations, which could negatively impact our business operations. If we or the third parties with whom we work fail, or are perceived to have failed, to address or comply with applicable data privacy and security obligations, we could face significant consequences, including but not limited to: government enforcement actions (e.g., investigations, fines, penalties, audits, inspections, and similar); litigation (including class-action claims) and mass arbitration demands; additional reporting requirements and/or oversight; bans or restrictions on processing personal data; and orders to destroy or not use personal data. In particular, plaintiffs have become increasingly more active in bringing privacy-related claims against companies, including class claims and mass arbitration demands. Some of these claims allow for the recovery of statutory damages on a per violation basis, and, if viable, carry the potential for monumental statutory damages, depending on the volume of data and the number of violations. Any of these events could have a material adverse effect on our reputation, business, or financial condition, including but not limited to: loss of customers; interruptions or stoppages in our business operations; inability to process personal data or to operate in certain jurisdictions; limited ability to develop or commercialize our products; expenditure of time and resources to defend any claim or inquiry; adverse publicity; or changes to our business model or operations.

The tax receivable agreement provides that, in the event that we exercise our right to early termination of the tax receivable agreement, or in the event of a change in control or a material breach by us of our obligations under the tax receivable agreement, the tax receivable agreement will terminate, and Malibu Boats, Inc. will be required to make a lump-sum payment equal to the present value of all forecasted future payments that would have otherwise been made under the tax receivable agreement, which lump-sum payment would be based on certain assumptions, including those relating to our future taxable income. The change in control payment and termination payments to the pre-IPO owners (or any permitted assignees) could be substantial and could exceed the actual tax benefits that Malibu Boats, Inc. receives as a result of acquiring the LLC Units because the amounts of such payments would be calculated assuming that we would have been able to use the potential tax benefits each year for the remainder of the amortization periods applicable to the basis increases, and that tax rates applicable to us would be the same as they were in the year of the termination. In these situations, our obligations under the tax receivable agreement could have a substantial negative impact on our liquidity. There can be no assurance that we will be able to finance our obligations under the tax receivable agreement. Payments under the tax receivable agreement will be based on the tax reporting positions that we determine. Although we are not aware of any issue that would cause the Internal Revenue Service, or the IRS, to challenge a tax basis increase, Malibu Boats, Inc. will not be reimbursed for any payments previously made under the tax receivable agreement. As a result, in certain circumstances, payments could be made under the tax receivable agreement in excess of the benefits that Malibu Boats, Inc. actually realizes in respect of (1) the increases in tax basis resulting from our purchases or exchanges of LLC Units and (2) certain other tax benefits related to our entering into the tax receivable agreement, including tax benefits attributable to payments under the tax receivable agreement.

We are subject to federal, state, local, and foreign laws and regulations, including product safety, workforce, and other regulations. For instance, we are subject to laws governing our relationships with employees, including, but not limited to, employment obligations such as employee wage, hour, and benefits issues. The Occupational Safety and Health Administration (OSHA) also imposes standards of conduct for and regulates workplace safety, including physical safety and limits on the amount of emissions to which an employee may be exposed without the need for respiratory protection or upgraded plant ventilation. Our facilities are also regularly inspected by OSHA and by state and local inspection agencies and departments. Further, in October 2023, California passed climate disclosure laws that, among other requirements, will require public and private companies that do business in California with total annual revenues exceeding certain thresholds to make disclosures including GHG emission data and climate-related financial risks. The implementing regulations for the law have not yet been drafted and the requirements are currently set to begin taking effect in 2026, with additional requirements phasing in through 2030. While we are still assessing the impact of these requirements, additional reporting obligations could cause us to incur increased costs. Any of these laws, rules, or regulations may cause us to incur significant expenses to achieve or maintain compliance, require us to modify our products, or modify our approach to our workforce, adversely affecting the price of or demand for some of our products, and ultimately affect the way we conduct our operations. Failure to comply with any of these laws, rules, or regulations could result in harm to our reputation and/or could lead to fines and other penalties, including restrictions on the importation of our products into, and the sale of our products in, one or more jurisdictions until compliance is achieved. In addition, legal requirements are constantly evolving, and changes in laws, regulations or policies, or changes in interpretations of the foregoing, could result in compliance shortfalls, require additional product development investment, increase consumer pricing, and increase our costs or create liabilities where none exists today.

Our boats are used for recreational and sport purposes, and demand for our boats may be adversely affected by competition from other activities that occupy consumers' leisure time and by changes in consumer life style, usage pattern or taste. Similarly, an overall decrease in consumer leisure time may reduce consumers' willingness to purchase and enjoy our products.

Adverse weather conditions in any year in any particular geographic region may adversely affect sales in that region, especially during the peak boating season. Sales of our products are generally stronger just before and during spring and summer, which represent the peak boating months in most of our markets, and favorable weather during these months generally has a positive effect on consumer demand. Conversely, unseasonably cool weather, excessive rainfall, reduced rainfall levels, or drought conditions during these periods may close area boating locations or render boating dangerous or inconvenient, thereby generally reducing consumer demand for our products. Our annual results would be materially and adversely affected if our net sales were to fall below expected seasonal levels during these periods. We may also experience more pronounced seasonal fluctuation in net sales in the future as we continue to expand our businesses. Additionally, to the extent that unfavorable weather conditions are exacerbated by global climate change or otherwise, our sales may be affected to a greater degree than we have previously experienced. There can be no assurance that weather conditions will not have a material effect on the sales of any of our products.

A portion of our sales are denominated in a currency other than the U.S. dollar. Consequently, a strong U.S. dollar may adversely affect reported revenues and, with the recent strengthening of the U.S. dollar, we have experienced a corresponding negative impact on our financial results with respect to our foreign operations. We also maintain a portion of our manufacturing operations in Australia which partially mitigates the impact of a strengthening U.S. dollar in that country. A portion of our selling, general and administrative costs are transacted in Australian dollars as a result. We also sell U.S. manufactured products into certain international markets in U.S. dollars, including the sale of products into Canada, Europe and Latin America. Demand for our products in these markets may also be adversely affected by a strengthening U.S. dollar. We do not currently use hedging or other derivative instruments to mitigate our foreign currency risks.

In the ordinary course of our business, we and the third parties with whom we work, process sensitive information. Cyber-attacks, malicious internet-based activity, online and offline fraud, and other similar activities threaten the confidentiality, integrity, and availability of our sensitive information and information technology systems, and those of the third parties with whom we work. Such threats are prevalent and continue to rise, are increasingly difficult to detect, and come from a variety of sources, including traditional computer "hackers," threat actors, "hacktivists," organized criminal threat actors, personnel (such as through theft or misuse), sophisticated nation states, and nation-state-supported actors. Some actors now engage and are expected to continue to engage in cyber-attacks, including without limitation nation-state actors for geopolitical reasons and in conjunction with military conflicts and defense activities. During times of war and other major conflicts, we, the third parties with whom we work, and our customers, may be vulnerable to a heightened risk of these attacks, including retaliatory cyber-attacks, that could materially disrupt our systems and operations, supply chain, and ability to produce, sell and distribute our products. We and the third parties with whom we work are subject to a variety of evolving threats, including but not limited to social-engineering attacks (including through deep fakes, which may be increasingly more difficult to identify as fake, and phishing attacks), malicious code (such as viruses and worms), malware (including as a result of advanced persistent threat intrusions), denial-of-service attacks, credential stuffing attacks, credential harvesting, personnel misconduct or error, ransomware attacks, supply-chain attacks, software bugs, server malfunctions, software or hardware failures, loss of data or other information technology assets, adware, telecommunications failures, attacks enhanced or facilitated by AI, and other similar threats. In particular, severe ransomware attacks are becoming increasingly prevalent – particularly for companies like ours that are engaged in critical infrastructure or manufacturing – and can lead to significant interruptions in our operations, ability to provide our products, loss of sensitive information and income, reputational harm, and diversion of funds. Extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments. It may be difficult and/or costly to detect, investigate, mitigate, contain, and remediate a security incident. Our efforts to do so may not be successful. Actions taken by us or the third parties with whom we work to detect, investigate, mitigate, contain, and remediate a security incident could result in outages, data losses, and disruptions of our business. Threat actors may also gain access to other networks and systems after a compromise of our networks and systems. Future or past business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities' systems and technologies. Furthermore, we may discover security issues that were not found during due diligence of such acquired or integrated entities, and it may be difficult to integrate companies into our information technology environment and security program. We rely on third parties to operate critical business systems to process sensitive information in a variety of contexts, including, without limitation, commercial transactions, customer interactions, manufacturing, branding, employee tracking, and other functions. We also rely on third parties to provide other products, services, parts, or otherwise to operate our business. Our ability to monitor these third parties' information security practices is limited, and these third parties may not have adequate information security measures in place. If the third parties with whom we work experience a security incident or other interruption, we could experience adverse consequences. While we may be entitled to damages if the third parties with whom we work fail to satisfy their privacy or security-related obligations to us, any award may be insufficient to cover our damages, or we may be unable to recover such award. In addition, supply-chain attacks have increased in frequency and severity, and we cannot guarantee that third parties' infrastructure in our supply chain or that of the third parties with whom we work have not been compromised. While we have implemented security measures designed to protect against security incidents, there can be no assurance that these measures will be effective. We take steps designed to detect, mitigate, and remediate vulnerabilities in our information systems (such as our hardware and/or software, including that of third parties with whom we work). We may not, however, detect and remediate all such vulnerabilities including on a timely basis. Further, we may experience delays in deploying remedial measures and patches designed to address identified vulnerabilities. Vulnerabilities could be exploited and result in a security incident. Any of the previously identified or similar threats could cause a security incident or other interruption that could result in unauthorized, unlawful, or accidental acquisition, modification, destruction, loss, alteration, encryption, disclosure of, or access to our sensitive information or our information technology systems, or those of the third parties with whom we work. A security incident or other interruption could disrupt our ability (and that of third parties with whom we work) to provide our products. Additionally, if we experience a security incident impacting the electronic components embedded into our products, such as the navigation or operating systems, this could prevent or cause customers to stop using our products, deter new customers from using our products, adversely affect the reputation of our business, or cause us to experience other similar harms. We may expend significant resources or modify our business activities to try to protect against security incidents. Certain data privacy and security obligations may require us to implement and maintain specific security measures or industry-standard or reasonable security measures to protect our information technology systems and sensitive information. Applicable data privacy and security obligations may require us, or we may voluntarily choose, to notify relevant stakeholders, including affected individuals, customers, regulators, and investors, of security incidents, or to take other actions, such as providing credit monitoring and identity theft protection services. Such disclosures and related actions can be costly, and the disclosure or the failure to comply with such applicable requirements could lead to adverse consequences. If we (or a third party with whom we work) experience a security incident or are perceived to have experienced a security incident, we may experience adverse consequences, such as government enforcement actions (for example, investigations, fines, penalties, audits, and inspections); additional reporting requirements and/or oversight; litigation (including class claims); indemnification obligations; negative publicity; reputational harm; monetary fund diversions; diversion of management attention; interruptions in our operations (including availability of data); financial loss; and other similar harms. Security incidents and attendant consequences may prevent or cause customers to stop using our products, deter new customers from using our products, and negatively impact our ability to grow and operate our business. Our contracts may not contain limitations of liability, and even where they do, there can be no assurance that limitations of liability in our contracts are sufficient to protect us from liabilities, damages, or claims related to our data privacy and security obligations. We cannot be sure that our insurance coverage will be adequate or sufficient to protect us from or to mitigate liabilities arising out of our privacy and security practices, that such coverage will continue to be available on commercially reasonable terms or at all, or that such coverage will pay future claims.