New Relic (NEWR) Risk Analysis

In the ordinary course of our business, we and the third parties upon which we rely, process, collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share proprietary, confidential, and sensitive data, including personal data, intellectual property, and trade secrets. Cyber-attacks, malicious internet-based activity, online and offline fraud, and other similar activities threaten the confidentiality, integrity, and availability of proprietary, confidential, and sensitive data and information technology systems, and those of the third parties upon which we rely. Such threats are prevalent and continue to rise, are increasingly difficult to detect, and come from a variety of sources, including traditional computer "hackers," threat actors, "hacktivists," organized criminal threat actors, personnel (such as through theft or misuse), sophisticated nation states, and nation-state-supported actors. Some actors now engage and are expected to continue to engage in cyber-attacks, including without limitation nation-state actors for geopolitical reasons and in conjunction with military conflicts and defense activities. During times of war and other major conflicts, we and the third parties upon which we rely may be vulnerable to a heightened risk of these attacks, including cyber-attacks that could materially disrupt our systems and operations, supply chain, and ability to produce, sell and distribute our goods and services. We and the third parties upon which we rely are subject to a variety of evolving threats, including but not limited to social-engineering attacks (including through phishing attacks), malicious code (such as viruses and worms), malware (including as a result of advanced persistent threat intrusions), denial-of-service attacks (such as credential stuffing), credential harvesting, personnel misconduct or error, ransomware attacks, supply-chain attacks, software bugs, server malfunctions, software or hardware failures, loss of data or other information technology assets, adware, telecommunications failures, earthquakes, fires, floods, and other similar threats. In particular, severe ransomware attacks are becoming increasingly prevalent and can lead to significant interruptions in our operations, loss of data and income, reputational harm, and diversions of funds. Extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments. Remote work has become more common and has increased risks to our information technology systems and data, as more of our employees utilize network connections, computers and devices outside our premises or network, including working at home, while in transit and in public locations. We rely on third-party service providers and technologies to operate critical business systems to process proprietary, confidential, and sensitive information in a variety of contexts, including, without limitation, cloud-based infrastructure, data center facilities, encryption and authentication technology, employee email, content delivery to customers, and other functions. Our ability to monitor these third parties' information security practices is limited, and these third parties may not have adequate information security measures in place. If our third-party service providers experience a security incident or other interruption, we could experience adverse consequences. While we may be entitled to damages if our third-party service providers fail to satisfy their privacy or security-related obligations to us, any award may be insufficient to cover our damages, or we may be unable to recover such award. In addition, supply-chain attacks have increased in frequency and severity, and we cannot guarantee that third parties and infrastructure in our supply chain or our third-party partners' supply chains have not been compromised or that they do not contain exploitable defects or bugs that could result in a breach of or disruption to our information technology systems or the information technology systems of our third-party partners with whom we work. Future or past business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities' systems and technologies. Furthermore, we may discover security issues that were not found during due diligence of such acquired or integrated entities, and it may be difficult to integrate companies into our information technology environment and security program. Any of the previously identified or similar threats could cause a security incident or other interruption that could result in unauthorized, unlawful, or accidental acquisition, modification, destruction, loss, alteration, encryption, disclosure of, or access to our proprietary, confidential, and sensitive data or our information technology systems, or those of the third parties upon whom we rely. A security incident or other interruption could disrupt our ability (and that of third parties upon whom we rely) to provide our platform, products, and services. We may expend significant resources or modify our business activities to try to protect against security incidents. Certain data privacy and security obligations may require us to implement and maintain specific, industry-standard, or reasonable security measures to protect our information technology systems and proprietary, confidential, and sensitive data . While we have implemented security measures designed to protect against security incidents, there can be no assurance that these measures will be effective. We take steps to detect and remediate vulnerabilities, but we may not be able to detect and remediate all vulnerabilities because the threats and techniques used to exploit the vulnerability change frequently and are often sophisticated in nature. Therefore, such vulnerabilities could be exploited but may not be detected until after a security incident has occurred. These vulnerabilities pose material risks to our business. Further, we may experience delays in developing and deploying remedial measures designed to address any such identified vulnerabilities. As we increase our customer adoption and our brand becomes more widely known and recognized, we may become more of a target for third parties seeking to compromise our security systems or gain unauthorized access to our customers' data. Additionally, with our transition to the flex-first model, we may face an increased risk of attempted security breaches and incidents. Moreover, if a high-profile security breach occurs with respect to another cloud platform provider, our customers and potential customers may lose trust in the security of cloud platforms generally, which could adversely impact our ability to retain existing customers or attract new ones. Applicable data privacy and security obligations may require us to notify relevant stakeholders of security incidents. Such disclosures are costly, and the disclosure or the failure to comply with such requirements could lead to adverse consequences. If we (or a third party upon whom we rely) experience a security incident or are perceived to have experienced a security incident, we may experience adverse consequences. If we (or a third party upon whom we rely) experience a security incident or are perceived to have experienced a security incident, we may experience adverse consequences, such as government enforcement actions (for example, investigations, fines, penalties, audits, and inspections), additional reporting requirements and/or oversight, restrictions on processing sensitive information (including personal data), litigation (including class claims), indemnification obligations, negative publicity, reputational harm, monetary fund diversions, interruptions in our operations (including availability of data), financial loss, and other similar harms. Security incidents and attendant consequences may cause customers to stop using our platform, deter new customers from using our platform, and negatively impact our ability to grow and operate our business. If we are not able to detect and indicate activity on our platform that might be nefarious in nature or design processes or systems to reduce the impact of similar activity at a third-party service provider, our customers could suffer harm. In such cases, we could face exposure to legal claims, particularly if the customer suffered actual harm. Our contracts may not contain limitations of liability, and even where they do, there can be no assurance that limitations of liability in our contracts are sufficient to protect us from liabilities, damages, or claims related to our data privacy and security obligations. We also cannot be sure that our existing insurance coverage will continue to be available on acceptable terms or will be available in sufficient amounts to cover one or more large claims related to a security incident, or that the insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material adverse effect on our business, including our expansion rates, financial condition, operating results, and reputation. In addition to experiencing a security incident, third parties may gather, collect, or infer sensitive information about us from public sources, data brokers, or other means that reveals competitively sensitive details about our organization and could be used to undermine our competitive advantage or market position. The reliability and continuous availability of our platform is critical to our success. However, software such as ours can contain errors, defects, security vulnerabilities or software bugs that are difficult to detect and correct, particularly when such vulnerabilities are first introduced or when new versions or enhancements of our platform, service, and products are released. Additionally, even if we are able to develop a patch or other fix to address such vulnerabilities, such fix may be difficult to push out to our customers or otherwise be delayed. Additionally, our business depends upon the appropriate and successful implementation of our platform by our customers. If our customers fail to use our platform according to our specifications, our customers may suffer a security incident on their own systems or other adverse consequences. Even if such an incident is unrelated to our security practices, it could result in our incurring significant economic and operational costs in investigating, remediating, and implementing additional measures to further protect our customers from their own vulnerabilities and could result in reputational harm.

The markets in which we compete are rapidly evolving, significantly fragmented, and highly competitive. Our observability platform combines functionality from numerous traditional product categories, and hence we compete in each of these categories with home-grown and open-source technologies, as well as a number of different vendors. With respect to our unified Observability platform, we compete with vendors such as Datadog, Inc. and Dynatrace, Inc. Since our platform combines functionality from more than 30 traditional product categories, we compete in each of these categories with home-grown and open source technologies, as well as a number of different commercial vendors. For example, for APM, we compete with providers such as Cisco Systems, Inc. With respect to log management, we compete with Elastic NV and Splunk, Inc. With respect to infrastructure monitoring, we compete with diversified technology vendors such as International Business Machines Corporation, BMC Software, Inc. and CA, Inc. (a subsidiary of Broadcom, Inc.), and with native solutions from cloud providers such as Amazon Web Services, Inc., Microsoft Corporation, and Google LLC. In addition, we may increasingly choose to allow third-party hosting providers to offer our solutions directly through their customer marketplaces. An increasing number of sales through cloud provider marketplaces could reduce both the number of customers with whom we have direct commercial relationships as well as our profit margins on sales made through such marketplaces. Some of our competitors and potential competitors are larger and have greater name recognition, longer operating histories, more established customer relationships, larger budgets, and significantly greater resources than we do, and have the operating flexibility to bundle competing products and services with other software offerings at little or no perceived incremental cost, including offering them at a lower price as part of a larger sale. As a result, our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, standards, or customer requirements. In addition, some competitors may offer products or services that address one or a limited number of functions at lower prices or with greater depth than our products. Our current and potential competitors may develop and market new technologies with comparable functionality to our products and platform capabilities, and this could lead to us having to decrease prices in order to remain competitive. With the introduction of new technologies, the evolution of our products and platform capabilities and new market entrants, we expect competition to intensify in the future. Moreover, as we expand the scope of our solutions, we may face additional competition. Additionally, some potential customers, particularly large organizations, may elect to develop their own internal products. If one or more of our competitors were to merge or partner with another of our competitors or another large diversified technology company, the change in the competitive landscape could also adversely affect our ability to compete effectively. For example, in March 2017, Cisco Systems, Inc. completed its purchase of AppDynamics, Inc., in November 2018, Broadcom Inc. completed its acquisition of CA, Inc., in October 2019, Splunk Inc. completed its acquisition of SignalFX, Inc., in September 2021, Dynatrace, Inc. acquired SpectX, and in November 2022, Datadog, Inc. completed its acquisition of Cloudcraft. If we are unable to maintain our current pricing or fail to gain market acceptance of our updated pricing strategy due to the competitive pressures, our margins will be reduced, and our operating results will be negatively affected. In addition, pricing pressures and increased competition generally could result in reduced sales, reduced margins, losses, or the failure of our solutions to achieve or maintain more widespread market acceptance, any of which could harm our business.

We believe that our development of the New Relic brand is critical to achieving widespread awareness of our existing and future solutions, and, as a result, is important to attracting new customers and retaining existing customers. We also believe that the importance of brand recognition will increase as competition in our market increases. Successful promotion of our brand will depend largely on the effectiveness of our marketing efforts, including our ability to do so in a cost-effective manner, and on our ability to provide reliable and useful products at competitive prices. In the past, our efforts to build our brand have involved significant expenses, and we may have to expend significant resources again in the future in connection with brand promotion and marketing activities. Brand promotion and marketing activities may not yield increased revenue, and even if they do, any increased revenue may not offset the expenses we incur in building our brand.

We, as well as members of our board of directors, have been and may be named as defendants in actions related to the Merger. Regardless of the outcome of any future litigation related to the Merger, such litigation may be time-consuming, expensive and may distract our management from day-to-day operations of our business. The cost of litigation and the diversion of management's attention and resources to address the claims and counterclaims in any litigation related to the Merger may materially adversely affect our business, financial condition and results of operations. If the Merger is not consummated for any reason, litigation could be filed in connection with the failure to consummate the Merger. Any litigation related to the Merger may result in negative publicity or an unfavorable impression of us, which could adversely affect the price of our common stock, impair our ability to recruit or retain employees, damage our relationships with our customers, potential customers, service providers and partners, or otherwise materially harm our business, operations and financial condition. We cannot assure you as to the outcome of such litigation, including the amount of costs associated with defending such claims or any other liabilities that may be incurred in connection with the litigation of such claims. Whether or not plaintiffs in potential litigation are successful, the litigation may delay the completion of the Merger in the expected timeframe, or may prevent the Merger from being completed altogether.

Our overall performance depends in part on worldwide economic conditions. Global financial developments and downturns, even those seemingly unrelated to us or the information technology industry, may harm us. The United States and other key international economies are being impacted by supply chain disruption, reduced corporate profitability, volatility in credit, equity and foreign exchange markets, bankruptcies, actual or perceived instability in the banking system, including due to recent bank failures, inflation, rising interest rates, labor shortages and overall uncertainty with respect to the economy. Businesses may look, and in many cases are looking, to rationalize their spending in response to such factors, which could impact our sales and renewal rates and negatively impact our business. Further, global events, such as the conflict in Israel and Russia's invasion of Ukraine, may lead to or continue to result in disruption, instability, deterioration and volatility in global markets and industries that could negatively impact our business, financial condition and results of operations. Furthermore, the revenue growth and potential profitability of our business depends on demand for software applications and products generally, and Application Performance Monitoring ("APM") and our other offerings specifically. In addition, our revenue is dependent on the number of users of our products and the degree of adoption of such users with respect to our products and platform capabilities. Historically, during economic downturns there have been reductions in spending on information technology systems as well as pressure for extended billing terms and other financial concessions, which would limit our ability to grow our business and negatively affect our operating results. These conditions affect the rate of information technology spending and could adversely affect our customers' ability or willingness to purchase our products, delay prospective customers' purchasing decisions, reduce the value or duration of their commitments or amount of their spend, or affect renewal rates, all of which could harm our operating results.

During the six months ended September 30, 2023, we derived approximately 38% of our total revenue from customers outside the United States. A component of our growth strategy involves the further expansion of our operations and customer adoption internationally. Operating in international markets requires significant resources and management attention and subjects us to regulatory, economic, and political risks that are different from those in the United States. We have limited operating experience in international markets, and we cannot assure you that our expansion efforts into international markets will be successful. Our international expansion efforts may not be successful in creating further demand for our products outside of the United States or in effectively selling our products in the international markets we enter. Our current international operations and future initiatives involve a variety of risks, including: - changes in a specific country's or region's political or economic conditions;- unexpected changes in regulatory requirements, taxes, or trade laws;- economic and political uncertainty around the world, including uncertainty regarding U.S foreign and domestic policies;- regional data security and privacy laws and regulations and the unauthorized use of, or access to, commercial and personal information;- differing labor regulations where labor laws are generally more advantageous to employees as compared to the United States, including deemed hourly wage and overtime regulations in these locations;- challenges inherent in efficiently managing an increased number of employees over large geographic distances, including the need to implement appropriate systems, policies, benefits, and compliance programs;- difficulties in managing a business in new markets with diverse cultures, languages, customs, legal systems, alternative dispute systems, and regulatory systems;- significant reliance upon, and potential disputes with, local business partners;- increased travel, real estate, infrastructure, and legal compliance costs associated with international operations;- currency exchange rate fluctuations and the resulting effect on our revenue and expenses, and the cost and risk of entering into hedging transactions if we chose to do so in the future;- limitations on our ability to repatriate earnings;- the impact of public health epidemics on our employees, partners and customers, such as the coronavirus epidemic that has impacted various regions throughout the world in recent years;- laws and business practices favoring local competitors, or general preferences for local vendors;- limited or insufficient intellectual property protection;- exposure to liabilities under anti-corruption, export controls and anti-money laundering laws, including the U.S. Foreign Corrupt Practices Act, and similar laws and regulations in other jurisdictions; and - adverse tax burdens and foreign exchange controls that could make it difficult to repatriate earnings and cash or create other collection difficulties. Our limited experience operating our business internationally increases the risk that recent and any potential future expansion efforts will not be successful. If substantial time and resources invested to expand our international operations do not result in a successful outcome, our operating results and business will suffer. In addition, in February 2022, Russia launched a large-scale military attack on Ukraine. The invasion significantly amplified pre-existing geopolitical tensions. It is not possible to predict the full extent of the broader consequences of Russia's ongoing invasion of Ukraine, or the current conflict in Israel, including sanctions, embargoes, regional instability, geopolitical shifts and adverse effects on macroeconomic conditions, currency exchange rates and financial markets. Our business, financial condition and results of operations may be materially adversely affected by any negative impact on the global economy and capital markets resulting from such conflicts.

While we have historically transacted in U.S. dollars with substantially all of our customers and vendors, we have transacted in foreign currencies and will continue to transact in foreign currencies in the future. In addition, our international subsidiaries may maintain net assets that are denominated in currencies other than the functional operating currencies of these entities. Accordingly, changes in the value of foreign currencies relative to the U.S. dollar can affect our revenue and operating results as we convert these to U.S. dollars. Volatile market conditions arising from the macro environment have and may in the future result in significant changes in exchange rates, and with the recent volatility of multiple major foreign currencies against the U.S. dollar, we have seen more significant impact from exchange rates on our revenue growth and expenses in fiscal 2023 than in the previous fiscal year, and we expect the impact to be significant in fiscal 2024 if we continue to experience similar or greater foreign currencies volatility against the U.S. dollar. As a result of such foreign currency exchange rate fluctuations, it could be more difficult to detect underlying trends in our business and results of operations. In addition, to the extent that fluctuations in currency exchange rates cause our results of operations to differ from our expectations or the expectations of our investors, the trading price of our common stock could be adversely affected. We do not currently maintain a program to hedge transactional exposures in foreign currencies. However, in the future, we may use derivative instruments, such as foreign currency forward and option contracts, to hedge certain exposures to fluctuations in foreign currency exchange rates. The use of such hedging activities may not offset any or more than a portion of the adverse financial effects of unfavorable movements in foreign exchange rates over the limited time the hedges are in place. Moreover, the use of hedging instruments may introduce additional risks if we are unable to structure effective hedges with such instruments.

Our success and future growth depend largely upon the continued services of our executive officers and other key employees in the areas of research and development, marketing, sales, services, and general administrative functions. From time to time, there may be changes in our executive management team or other key employees resulting from the hiring or departure of these personnel. For example, in the first quarter of fiscal 2024, we announced that Lew Cirne would be transitioning from Executive Chairman to non-executive Chair of the Board in August 2023, and that Kristy Friedrichs had resigned as our Chief Operating Officer, effective as of December 31, 2023. While we seek to manage these transitions carefully, including by establishing strong processes and procedures and succession planning, these and any other such changes may result in a loss of institutional knowledge and cause disruptions to our business. Our executive officers and other key employees are employed on an at-will basis, which means that these personnel could terminate their employment with us at any time. Any changes in our senior management team in particular, even in the ordinary course of business, may be disruptive to our business. While we seek to manage these transitions carefully, including by establishing strong processes and procedures and succession planning, such changes may result in a loss of institutional knowledge and cause disruptions to our business. In addition, new executive hires may fail to achieve any anticipated benefits. If our senior management team fails to work together effectively or execute our plans and strategies on a timely basis as a result of management turnover or otherwise, our business could be harmed. In addition, to execute our growth plan, we must attract and retain highly qualified personnel. Competition for these personnel is intense, especially for engineers experienced in designing and developing software and SaaS, applications and experienced sales professionals. If we are unable to attract such personnel in locations where we are located, we may need to hire in other locations as well as consider alternative flexible work options, which may add to the complexity and costs of our business operations. Moreover, to realign resources with our business needs, we have undergone reductions in our workforce, including most recently in the first quarter of fiscal 2024, and may in the future implement other reductions in workforce or restructurings. Any reduction in workforce or restructuring may yield unintended consequences and costs, such as attrition beyond the intended reduction in workforce, delays in the development of critical technology or business optimization programs due to gaps in knowledge transfer and new employee ramp up time, the distraction of employees, and reduced employee morale, and could adversely affect our reputation as an employer, which could make it more difficult for us to hire new employees in the future and increase the risk that we may not achieve the anticipated benefits from the reduction in workforce. We have from time to time experienced, and we expect to continue to experience, difficulty in hiring and retaining employees with appropriate qualifications, especially during the period of heightened employee attrition in the U.S. and other countries in recent years. Many of the companies with which we compete for experienced personnel have greater resources than we have. If we hire employees from competitors or other companies, their former employers may attempt to assert that these employees or we have breached their legal obligations, resulting in a diversion of our time and resources. In addition, prospective and existing employees often consider the value of the equity awards they receive in connection with their employment. If the perceived value of our equity awards declines, or experiences significant volatility, it may adversely affect our ability to recruit and retain key employees. If we fail to attract new personnel or fail to retain and motivate our current personnel, our business and future growth prospects could be adversely affected.