NeoGames (NGMS) Risk Analysis

In the United States and other jurisdictions in which we operate, we are subject to various consumer protection laws and related regulations. If we are found to have breached any consumer protection laws or regulations in any such jurisdiction, we may be subject to enforcement actions that require us to change our business practices in a manner which may negatively impact our revenues, as well as expose us to litigation, fines, civil and/or criminal penalties and adverse publicity that could cause our customers to lose trust in us, negatively impacting our reputation and business in a manner that harms our financial position. As part of our business and on behalf of our customers, we collect information about individuals, also referred to as personal data, and other potentially sensitive and/or regulated data. Laws and regulations in the United States and around the world restrict how personal data is collected, processed, stored, used and disclosed, as well as set standards for its security, implement notice requirements regarding privacy practices, and provide individuals with certain rights regarding the use, disclosure and sale of their protected personal data. In the United States, both the federal and various state governments have adopted or are considering, laws, guidelines or rules for the collection, distribution, use and storage of information collected from or about consumers or their devices. For example, California enacted the California Consumer Privacy Act (the "CCPA"), which came into force in 2020. The CCPA creates individual privacy rights for California residents and increases the privacy and security obligations of businesses handling personal data. The CCPA is enforceable by the California Attorney General and there is also a private right of action relating to certain data security incidents. Additionally, the California Privacy Rights Act (the "CPRA") which was approved on November 3, 2020 imposes additional data protection obligations on companies doing business in California, including additional consumer rights processes and opt outs for certain uses of sensitive data. Further, on March 2, 2021, Virginia enacted the Virginia Consumer Data Protection Act ("CDPA"), a comprehensive privacy statute that shares similarities with the CCPA, CPRA, and legislation proposed in other states. Similar laws have been proposed in other states and at the federal level, reflecting a trend toward more stringent privacy legislation in the United States. If we become subject to laws, guidelines or rules such as the CCPA, CRPA or CDPA, we may be required to modify our data collection or processing practices and policies and to incur substantial costs and expenses in an effort to comply and increase our potential exposure to regulatory enforcement and/or litigation. Several foreign jurisdictions, including the EU and the European Economic Area ("EEA"), have laws and regulations which are more restrictive in certain respects than those in the United States. For example, in the EU we are subject to the General Data Protection Regulation 2016/679 (the "GDPR") in relation to our collection, control, processing, sharing, disclosure and other use of data relating to an identifiable living individual (personal data). The GDPR, and national implementing legislation in EEA Member States, impose a strict data protection compliance regime including: providing detailed disclosures about how personal data is collected and processed (in a concise, intelligible and easily accessible form); granting new rights for data subjects in regard to their personal data (including the right to be "forgotten" and the right to data portability), as well as enhancing current rights (e.g., data subject access requests); requirements to have data processing agreements in place to govern the processing of personal data on behalf of other organizations; introducing the obligation to notify data protection regulators or supervisory authorities (and in certain cases, affected individuals) of significant data breaches; maintaining a record of data processing; and complying with the principal of accountability and the obligation to demonstrate compliance through policies, procedures, training and audit. We are also subject to EU rules with respect to cross-border transfers of personal data out of the EEA. Recent legal developments in Europe have created complexity and uncertainty regarding transfers of personal data from the EEA to the United States. Most recently, on July 16, 2020, the Court of Justice of the EU (the "CJEU") invalidated the EU-US Privacy Shield Framework (the "Privacy Shield") under which personal data could be transferred from the EEA to U.S. entities who had self-certified under the Privacy Shield scheme. While the CJEU upheld the adequacy of the standard contractual clauses (a standard form of contract approved by the European Commission as an adequate personal data transfer mechanism, and potential alternative to the Privacy Shield), it made clear that reliance on these clauses alone may not necessarily be sufficient in all circumstances. Use of the standard contractual clauses must now be assessed on a case-by-case basis, taking into account the legal regime applicable in the destination country, in particular applicable surveillance laws and rights of individuals and additional measures and/or contractual provisions may need to be put in place, however, the nature of these additional measures is currently uncertain. The CJEU went on to state that if a competent supervisory authority believes that the standard contractual clauses cannot be complied with in the destination country and the required level of protection cannot be secured by other means, such supervisory authority is under an obligation to suspend or prohibit that transfer. We have relied and currently rely on standard contractual clauses to transfer personal data outside the EU, including to the U.S. among other data transfer mechanisms pursuant to the GDPR, such as transfer to jurisdictions recognized by the European Commission as providing sufficient safeguards for the processing of personal data (adequacy decision). We have previously relied on our relevant providers for the purposes of transferring personal data from the EU to the U.S. in compliance with the GDPR's data export conditions. These recent developments may require us to review and amend the legal mechanisms by which we make and/or receive personal data transfers to/in the U.S. As supervisory authorities issue further guidance on personal data export mechanisms, including circumstances where the standard contractual clauses cannot be used, and/or start taking enforcement action, we could suffer additional costs, complaints and/or regulatory investigations or fines, and/or if we are otherwise unable to transfer personal data between and among countries and regions in which we operate, it could affect the manner in which we provide our services, the geographical location or segregation of our relevant systems and operations, and could adversely affect our financial results. We depend on a number of third parties in relation to the operation of our business, a number of which process personal data on our behalf. With each such provider we attempt to mitigate the associated risks of using third parties by performing security assessments and detailed due diligence, entering into contractual arrangements to ensure that providers only process personal data according to our instructions, and that they have sufficient technical and organizational security measures in place. Where we transfer personal data outside the EU or the United Kingdom to such third parties, we do so in compliance with the relevant data export requirements, as described above. There is no assurance that these contractual measures and our own privacy and security-related safeguards will protect us from the risks associated with the third-party processing, storage and transmission of such information. Any violation of data or security laws by our third-party processors could have a material adverse effect on our business and result in the fines and penalties outlined below. We also act as a data processor on behalf of our customers and have data protection obligations to our customers, including in relation to notifying customers if we suffer a personal data breach, assisting customers with data subject rights requests in relation to the personal data we process, requirements for the use of sub-processors and restrictions on transferring personal data outside of the EU. We are subject to the supervision of local data protection authorities in those EU jurisdictions where we are established or otherwise subject to the GDPR. Fines for certain breaches of the GDPR are significant, such as an amount equal to the greater of €20 million or 4% of total global annual turnover. In addition to the foregoing, a breach of the GDPR could result in regulatory investigations, reputational damage, orders to cease/ change our processing of our data, enforcement notices, and/or assessment notices (for a compulsory audit). We may also face civil claims including representative actions and other class action type litigation (where individuals have suffered harm), potentially amounting to significant compensation or damages liabilities, as well as associated costs, diversion of internal resources, and reputational harm. We are also subject to evolving EU privacy laws on cookies and e-marketing. In the EU, regulators are increasingly focusing on compliance with requirements in the online behavioral advertising ecosystem, and current national laws that implement the ePrivacy Directive will be replaced by an EU regulation known as the ePrivacy Regulation which will significantly increase fines for non-compliance. In the EU, informed consent is required for the placement of a cookie or similar technologies on a user's device and for direct electronic marketing. The GDPR also imposes conditions on obtaining valid consent, such as a prohibition on pre-checked consents and a requirement to ensure separate consents are sought for each type of cookie or similar technology. While the text of the ePrivacy Regulation is still under development, a recent European court decision and regulators' recent guidance are driving increased attention to cookies and tracking technologies. If regulators start to enforce the strict approach in recent guidance, this could lead to substantial costs, require significant systems changes, limit the effectiveness of our marketing activities, divert the attention of our technology personnel, adversely affect our margins, increase costs and subject us to additional liabilities. Regulation of cookies and similar technologies, and any decline of cookies or similar online tracking technologies as a means to identify and potentially target individuals, may lead to broader restrictions and impairments on our marketing and personalization activities and may negatively impact our efforts to understand users. Restrictions on the collection, use, sharing or disclosure of personal data or additional requirements and liability for security and data integrity could require us to modify our solutions and features, possibly in a material manner, could limit our ability to develop new products and features and could subject us to increased compliance obligations and regulatory scrutiny. These laws and regulations constantly evolve and remain subject to significant change. In addition, the application and interpretation of these laws and regulations are often uncertain. New privacy laws add additional complexity, requirements, restrictions and potential legal risk, require additional investment in resources to compliance programs, and could impact trading strategies and availability of previously useful data. Such new laws may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment in resources to compliance programs, and could impact strategies and availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies. We are also subject to payment card association operating rules, certification requirements and rules governing electronic funds transfers, including the Payment Card Industry Data Security Standard (the "PCI DSS"), a security standard applicable to companies that collect, store or transmit certain data regarding credit and debit cards, holders and transactions. Any failure to comply with the PCI DSS may violate payment card association operating rules, federal and state laws and regulations, and the terms of our contracts with payment processors and merchant banks. Such failure to comply may result in the loss of our ability to accept credit and debit card payments, subject us to fines, penalties and damages. In addition, there is no guarantee that PCI DSS compliance will prevent illegal or improper use of our payment systems or the theft, loss or misuse of data pertaining to credit and debit cards, credit and debit card holders, and credit and debit card transactions.

Lottery and gaming represent discretionary expenditures, which are subject to volatility during times of economic, social and political change. Changes in discretionary spending or player preferences are driven by changes outside of our control, such as, but not limited to, the following economic or socio-political factors: - recessions or other economic slowdowns;- perceptions by potential players of weak or weakening economic conditions;- tax increases, including on lottery winnings;- significant declines in stock markets;- decreased liquidity in certain financial markets;- general tightening of credit;- civil unrest, terrorist activities or other forms of socio-political turbulence; and - pandemics, epidemics and the spread of contagious diseases. We generate the majority of our revenues from customer contracts based on a revenue sharing model, with our portion calculated as a percentage of GGR or NGR. Widespread reductions in disposable income could lead to a reduction in the number of lottery players and the amounts such players are willing and able to wager. Given the nature of our revenue sharing arrangements, fewer players and lower spending per player could have a significant adverse effect on our business. Because our customers' offerings are typically available only to players within their geographic borders, our revenue is highly concentrated in a limited number of locations. A significant portion of our revenue is generated from the Michigan iLottery, and any adverse impact resulting from any of the foregoing economic factors would be magnified to the extent that it disproportionately impacts players in Michigan or other jurisdictions from which we derive revenues. As our revenue sharing arrangements result in an intertwined relationship between our and our customers' financial condition, we also face significant risks during times of uncertain and unfavorable economic and socio-political conditions affecting our customers. Unfavorable economic and socio-political factors and conditions could result in budgetary and liquidity concerns for our customers, which may reduce the likelihood that we will be able to renew our existing contracts on substantially similar commercial terms or win new contracts with terms as favorable to us as the terms of our existing contracts.

Many factors affect our reputation and the value of our brand, including the perception held by our customers, business partners, investors, other key stakeholders and the communities in which we operate, such as our social responsibility, corporate governance and responsible lottery practices. We have faced, and will likely continue to face, increased scrutiny related to social, governance and responsible lottery and gaming activities, and our reputation and the value of our brands can be materially adversely harmed if we fail to act responsibly in a number of areas, such as diversity and inclusion, workplace conduct, responsible gaming, human rights, philanthropy and support for local communities. Any harm to our reputation could impact employee engagement and retention and the willingness of customers and partners to do business with us, which could have a materially adverse effect on our business, results of operations and cash flows. We believe that our reputation is critical to our role as a leader in the iLottery and gaming industries and as a publicly traded company. Our management is heavily focused on the integrity of our directors, officers, senior management, employees, other personnel and third-party suppliers and partners. Illegal, unethical or fraudulent activities perpetrated by any of such individuals, suppliers or partners for personal gain could expose us to potential reputational damage and financial loss.

The secure maintenance and transmission of player information is a critical element of our operations. Our information technology and other systems that maintain and transmit player information, or those of service providers, business partners or employee information may be compromised by a malicious third-party penetration of our network security, or that of a third-party service provider or business partner, or impacted by intentional or unintentional actions or inactions by our employees, or those of a third-party service provider or business partner. As a result, our players' information may be lost, disclosed, accessed or taken without their consent. We have experienced in the past, and expect to continue to experience in the future, attempts to breach our systems and other similar incidents. To date these attempts have not had a material impact on our operations or financial results, but we cannot provide assurance that they will not have a material impact in the future. We rely on encryption and authentication technology licensed from third parties in an effort to securely transmit confidential and sensitive information, including credit card numbers. Advances in computer capabilities, new technological discoveries or other developments may result in the whole or partial failure of this technology to protect transaction data or other confidential and sensitive information from being breached or compromised. In addition, websites are often attacked through compromised credentials, including those obtained through phishing and credential stuffing. Our security measures, and those of our third-party service providers, may not detect or prevent all attempts to breach our systems, denial-of-service attacks, viruses, malicious software, break-ins, phishing attacks, social engineering, security breaches or other attacks and similar disruptions that may jeopardize the security of information stored in or transmitted by our websites, networks and systems or that we or such third parties otherwise maintain, including payment card systems, which may subject us to fines or higher transaction fees or limit or terminate our access to certain payment methods. Threats to information security are constantly evolving, including in diversity and sophistication. We and such third parties may not anticipate or prevent all types of attacks until after they have already been launched. Further, techniques used to obtain unauthorized access to or sabotage systems change frequently and may not be known until launched against us or our third-party service providers. In addition, security breaches can also occur as a result of non-technical issues, including intentional or inadvertent breaches by our employees or by third parties. These risks may increase over time as the number of our employees and the complexity and number of technical systems and applications we use also increase. Breaches of our security measures or those of our third-party service providers or cybersecurity incidents could result in unauthorized access to our sites, networks and systems; unauthorized access to and misappropriation of player information, including players' personally identifiable information, or other confidential or proprietary information of ourselves or third parties; viruses, worms, spyware or other malware being served from our sites, networks or systems; deletion or modification of content or the display of unauthorized content on our sites; interruption, disruption or malfunction of operations; costs relating to breach remediation, deployment of additional personnel and protection technologies, response to governmental investigations and media inquiries and coverage; engagement of third-party experts and consultants; litigation, regulatory action and other potential liabilities. In the past, we have experienced social engineering, phishing, malware and similar attacks and threats of denial-of-service attacks, none of which to date has been material to our business; however, such attacks could in the future have a material adverse effect on our operations. Pursuant to a software license agreement with Pollard in respect of the offering to the MSL (the "Pollard Software License Agreement"), our iLottery software is installed on Pollard's servers, through which it is made available to the MSL. Pollard is responsible for the security measures on its servers, and the Pollard Software License Agreement contains no representations or undertakings with regard to such security measures. A breach of Pollard's server security could expose our software to the risks noted above. If any of these breaches of security should occur, our reputation and brand could be damaged, customers may terminate their contracts with us, our business may suffer, we could be required to expend significant capital and other resources to alleviate problems caused by such breaches, and we could be exposed to a risk of loss, litigation or regulatory action and possible liability. We cannot guarantee that recovery protocols and backup systems will be sufficient to prevent data loss. Actual or anticipated attacks may cause us to incur increasing costs, including costs to deploy additional personnel and protection technologies, train employees and engage third-party experts and consultants. In addition, any party who is able to illicitly obtain a player's password may be able access such player's transaction data or personal data (including payment information), resulting in the perception that our systems are insecure. Any compromise or breach of our security measures, or those of our third-party service providers, could violate applicable privacy, data protection, data security, network and information systems security and other laws, potentially trigger private rights of action under certain laws and cause significant legal and financial exposure, negative publicity and a loss of confidence in our security measures, which could have a material adverse effect on our business, reputation, financial condition, results of operations and prospects. We continue to devote significant resources to protect against security breaches and we may in the future need to address problems caused by breaches, including notifying affected players and responding to any resulting litigation, which in turn, would divert resources from the growth and expansion of our business. We maintain liability insurance policies covering certain security and privacy damages. However, we cannot be certain that our coverage will be adequate for liabilities actually incurred or that insurance will continue to be available to us on economically reasonable terms, or at all.

We rely on the expertise, industry experience, customer relationships and leadership of our senior management, and the departure, death or disability of any one of our executive officers or other extended or permanent loss of any of their services, or any negative market or industry perception with respect to any of them or their loss, could have a material adverse effect on our business. We depend on our technical and operational employees for the design and development of our innovative products and services. The competition for these types of personnel is intense and we compete with other potential employers, including certain of our strategic partners, for the services of our employees. As a result, we may not succeed in retaining the key employees that we need in order to maintain and grow our business. If we do not succeed in attracting, hiring, and integrating qualified personnel, or retaining and motivating existing personnel, we may be unable to grow effectively and our business could be adversely affected. We deploy our employees to certain of our customers' worksites to assist in the development of their IT systems and platforms. The loss of employees who have been involved in the development of intellectual property and know-how and the development and maintenance of key strategic relationships with customers may result in the subsequent loss of key customers. If key employees were to leave, we may be unable to deliver our existing services or develop new products until such employees have been replaced. As our employees have very specific skillsets and are highly qualified, we may face difficulties in replacing them with new employees, and even if we succeed in recruiting new employees, we may incur substantial costs in the recruiting, training and integration of such new employees.

We rely upon various third-party service providers to maintain continuous operation of our platform, servers, hosting services, payment processing and various other key functions of our business. Know-your-customer and geolocation programs and technologies supplied by third parties are an important aspect of certain of our products and services. These services are costly and their failure or inadequacy could materially affect our operations. Additionally, we rely on third-party service providers for payment processing services, including the processing of credit and debit cards. Our business could be materially disrupted if these third-party service providers become unwilling or unable to provide these services to us. Certain of these services discussed above are only provided by a limited number of third-party providers and in the event that any of these providers cease to provide us with their services (due to the termination of their agreement, a dispute between us and any such providers or for any other reason), we may struggle to locate a suitable replacement on commercially reasonable terms, if at all, which could lead to harmful disruptions to our operations.

We maintain insurance that we believe is customary for businesses of our size and type. However, there are types of losses we may incur that cannot be insured against or that we believe are not economically reasonable to insure. Moreover, any loss incurred could exceed policy limits and policy payments made to us may not be made on a timely basis. Such losses could adversely affect our business prospects, results of operations, cash flows and financial condition.

In December 2019, a novel strain of coronavirus ("COVID-19") was identified, and on March 11, 2020, the World Health Organization declared COVID-19 as a global pandemic. Numerous state and local jurisdictions have imposed, and others in the future may impose, "shelter-in-place" orders, quarantines, executive orders and similar government orders and restrictions for their residents to control the spread of COVID-19. In particular, the governments in jurisdictions where our employees are located have imposed limitations on gatherings, social distancing measures and restrictions on movement, only allowing essential businesses to remain open. Such restrictions have resulted in temporary store closures, work stoppages, slowdowns and delays, travel restrictions and cancellation of events, among other restrictions, any of which may negatively impact workforces, customers, consumer sentiment and economies in many markets and, along with decreased consumer spending, have led to an economic downturn throughout much of the world. Our business is largely tied to the disposable income of lottery players. While we have not experienced a material impact to date, the global economic and financial uncertainty may result in significant declines to the number of players using our customers' offerings and the amount of money that players are able and willing to wager. See "- A reduction in discretionary consumer spending could have an adverse impact on our business." In response to the COVID-19 pandemic, we have transitioned many of our employees to remote working arrangements and temporarily closed our offices in Israel, Ukraine and Michigan. While we have not experienced a material impact to date, it is possible that this could have a negative impact on the execution of our business plans and operations. If a natural disaster, power outage, connectivity issue, or other event occurred that impacted our employees' ability to work remotely, it may be difficult or, in certain cases, impossible, for us to continue our business for a substantial period of time. The increase in remote working may also result in player privacy, IT security and fraud concerns as well as increase our exposure to potential wage and hour issues. The degree to which the COVID-19 pandemic affects our financial results and operations will depend on future developments, which are highly uncertain and cannot be predicted, including, but not limited to, the duration and spread of the outbreak, its severity, the governmental actions and regulations imposed to contain the virus or treat its impact, how quickly and to what extent pre-pandemic economic and operating conditions can resume and overall changes in players' behavior.

The Company's consolidated financial results are affected by foreign currency exchange rate fluctuations. Foreign currency exchange rate exposures arise from current transactions and anticipated transactions denominated in currencies other than U.S. dollars and from the translation of foreign currency denominated balance sheet accounts into U.S. dollar-denominated balance sheet accounts. The Company is exposed to currency exchange rate fluctuations because portions of its expenses are denominated in currencies other than the U.S. dollar. Approximately 84.9% of the Company's revenues in the year ended December 31, 2020 were denominated in U.S. dollars, 4.7% in euros and 10.4% in other currencies. However, 12.8% of the Company's liabilities were denominated in New Israeli Shekels. For example, almost all of the Company's current employees are domiciled in Israel and paid in New Israeli Shekels. In 2020, the U.S. dollar / New Israeli Shekel exchange rate decreased from NIS 3.456 per $1 on December 31, 2019, to NIS 3.215 per $1 on December 31, 2020. This decrease adversely affected our costs and liabilities that are denominated in Shekels compared to our dollar-denominated income. Any further devaluation of the U.S. dollar compared to the New Israeli Shekel may result in further increases in employee liabilities and other expenses, which may adversely affect the Company's profit and financial performance. Exchange rate fluctuations have in the past adversely affected the Company's operating results and cash flows and may adversely affect the Company's results of operations and cash flows and the value of its assets outside the United States in the future. A devaluation of local currency in a jurisdiction in which the Company is paid in such currency may require the Company's customers located in such jurisdiction to adjust the amounts paid in local currency for the Company's products and services, which they may be unable or unwilling to make. We do not currently employ any foreign exchange hedging, although we may do so in the future.