Envista Holdings (NVST) Risk Factors

The manufacture of many of our products is a highly exacting and complex process, due in part to strict regulatory requirements. Problems can arise during manufacturing for a variety of reasons, including equipment malfunction, failure to follow specific protocols and procedures, problems with raw materials, natural disasters and environmental factors, and if not discovered before the product is released to market could result in recalls and product liability exposure. Because of the time required to approve and license certain regulated manufacturing facilities and other stringent regulations of the FDA and similar agencies regarding the manufacture of certain of our products, an alternative manufacturer may not be available on a timely basis to replace such production capacity. Any of these manufacturing problems could result in significant costs, liability and lost sales, loss of market share as well as negative publicity and damage to our reputation that could reduce demand for our products.

Our success depends to a significant extent upon the continued service of our executive officers and key management and technical personnel and on our ability to continue to attract, retain, and develop qualified personnel. The competition for these employees is intense. The loss of the services of key personnel could have a material adverse effect on our operating results. In addition, there could be a material adverse effect on us should the turnover rates for key personnel increase significantly or if we are unable to continue to attract qualified personnel. We have experienced several executive officer departures over the past year, including our Chief Financial Officer. While such departures have not had a material effect on our operating results to date, we cannot be certain that these or any subsequent departures would not have a material adverse effect. Our success also depends on our ability to execute leadership succession plans. The inability to successfully transition key management roles could have a material adverse effect on our operating results.

As further discussed in the section entitled "Item 1. Business-Materials," our manufacturing and other operations employ a wide variety of components, raw materials and other commodities, including metallic-based components, electronic components, chemicals, and plastics. Prices for and availability of these components, raw materials and other commodities have fluctuated significantly in the past. Any sustained interruption in the supply of these items, including as a result of shipping risks, such as container shortages, blocked shipping lanes, and port backlogs, could adversely affect our business. In addition, due to, among other items, the highly competitive nature of the industries that we serve, the cost-containment efforts of our customers, and the terms of certain contracts we are party to, there can be no assurance that the marketplace will support higher prices or that price increases and productivity gains, procurement deflation projects or savings will fully offset any raw material cost increases in the future. If we are unable to fully recover higher commodity costs through price increases or offset these increases through cost reductions, or if there is a time delay between the increase in costs and our ability to recover or offset these costs, our margins and profitability could decline and our financial statements could be adversely affected.

In addition to the environmental, health, safety, health care, medical device, anticorruption, data privacy and other regulations noted elsewhere in this Annual Report, our businesses are subject to extensive regulation by U.S. and non-U.S. governmental and self-regulatory entities at the supranational, federal, state, local and other jurisdictional levels, including laws governing payments to government officials, bribery, fraud, kickbacks and false claims, pricing, sales and marketing practices, conflicts of interest, competition, employment practices and workplace behavior, export and import compliance, economic and trade sanctions, money laundering and data privacy. We cannot provide assurance that our internal controls and compliance systems will always protect us from acts committed by our employees, agents or business partners (or of businesses we acquire or partner with) that would violate U.S. and/or non-U.S. laws, In particular, the U.S. Foreign Corrupt Practices Act, the UK Bribery Act and similar anti-bribery laws in other jurisdictions generally prohibit companies and their intermediaries from making improper payments to government officials for the purpose of obtaining or retaining business, and we operate in countries that have experienced corruption. Any such improper actions or allegations of such acts could damage our reputation and subject us to civil or criminal investigations in the U.S. and in other jurisdictions and related stockholder lawsuits, could lead to substantial civil and criminal, monetary and non-monetary penalties and could cause us to incur significant legal and investigatory fees. In addition, the government may seek to hold us liable for violations committed by companies in which we invest or that we acquire. We also rely on our suppliers to adhere to our supplier standards of conduct, and material violations of such standards of conduct could occur that could have a material effect on our business, reputation and financial statements. We are also required to comply with various import laws and export control and economic sanctions laws, which may affect our transactions with certain customers, business partners and other persons and dealings between our employees and between our subsidiaries. In certain circumstances, export control and economic sanctions regulations may prohibit the export of certain products, services and technologies. In other circumstances, we may be required to obtain an export license before exporting the controlled item. Compliance with the various import laws that apply to our businesses can restrict our access to, and increase the cost of obtaining, certain products and at times can interrupt our supply of imported inventory. Our products and operations are also often subject to differing national industrial standards, and failure to comply with these rules could result in withdrawal of certifications needed to sell our products and services and otherwise adversely impact our business and financial statements. Non-compliance with applicable requirements (or any alleged or perceived failure to comply) could result in import detentions, fines, damages, civil and administrative penalties, injunctions, suspensions or losses of regulatory approvals, recall or seizure of products, operating restrictions, refusal of the government to approve product export applications or allow us to enter into supply contracts, disbarment from selling to certain governmental agencies or exclusion from government funded healthcare programs, such as Medicare and Medicaid or similar programs in other countries or jurisdictions, integrity oversight and reporting obligations to resolve allegations of non-compliance, disruption of our business, limitation on our ability to manufacture, import, export and sell products and services, loss of customers, significant legal and investigatory fees, disgorgement, individual imprisonment, reputational harm, contractual damages, diminished profits, curtailment or restricting of business operations, criminal prosecution and other monetary and non-monetary penalties. For additional information regarding these risks, please refer to the section entitled "Business-Regulatory Matters."

Certain of the acquisition agreements by which we have acquired companies require the former owners to indemnify us against certain liabilities related to the operation of the acquired company before we acquired it. In most of these agreements, however, the liability of the former owners is limited and certain former owners may be unable to meet their indemnification responsibilities. We cannot assure you that these indemnification provisions will protect us fully or at all, and as a result we may face unexpected liabilities that adversely affect our financial statements.

As a global healthcare organization, we are subject to relatively stringent data privacy and security laws, regulations, and customer-imposed controls in numerous jurisdictions as a result of having access to and processing confidential, personal and/or sensitive data in the course of our business. For example, in the U.S., the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") privacy, security, and breach notification rules require certain of our operations to maintain controls to protect the confidentiality, availability, and integrity of patient health information. In addition, individual states regulate data breach notification requirements as well as more general privacy and security requirements. Entities within the U.S. that are found to be in violation of HIPAA, for example as the result of a breach of unsecured protected health information, a complaint about privacy practices, or an audit by HHS, may be subject to significant civil, criminal and administrative fines and penalties and/or additional reporting and oversight obligations if required to enter into a resolution agreement and corrective action plan with HHS to settle allegations of HIPAA non-compliance. Based on the annual revisions for 2023, penalties for HIPAA violations can range from $137 to $2.067 million dollars per violation, with a maximum fine of $2.067 million for identical violations during a calendar year. In 2018, a nation-wide health benefit company paid $16 million to HHS following a data breach. Prior to this record payment, the largest HIPAA fine was $5.55 million. Under the law, state attorneys general have authority to bring civil enforcement actions under HIPAA, and attorneys general are actively engaged in enforcement. In addition, any penalties assessed under HIPAA could be in addition to other penalties assessed by a state for a data breach in violation of state laws. The Health Information Technology for Economic and Clinical Health ("HITECH") Act was enacted as an update to HIPAA and makes business associates of covered entities directly liable for compliance with certain HIPAA requirements, strengthens the limitations on the use and disclosure of protected health information without individual authorizations, and contemplates enforcement of noncompliance with HIPAA due to willful neglect. These changes have stimulated increased enforcement activity and enhanced the potential that health care providers will be subject to financial penalties for violations of HIPAA. In addition, the Secretary of HHS is required to perform periodic audits to ensure covered entities (and their business associates, as that term is defined under HIPAA) comply with the applicable HIPAA requirements, increasing the likelihood that a HIPAA violation will result in an enforcement action. In addition to the federal HIPAA regulations, most states also have laws that protect the confidentiality of health information and other personal information, and these laws may be broader in scope with respect to protected health information and other personal information than HIPAA. Certain of these laws grant individuals various rights with respect to personal information, and we may be required to expend significant resources to comply with these laws. Further, all 50 states and the District of Columbia have adopted data breach notification laws that impose, in varying degrees, an obligation to notify affected persons and/or state regulators in the event of a data breach or compromise, including when their personal information has or may have been accessed by an unauthorized person. Some state breach notification laws may also impose physical and electronic security requirements regarding the safeguarding of personal information, such as social security numbers and bank and credit card account numbers. Violation of state privacy, security, and breach notification laws can trigger significant monetary penalties. In addition, certain states' privacy, security, and data breach laws, including, for example, the CCPA include private rights of action that may expose us to private litigation regarding our privacy and security practices and significant damages awards or settlements in civil litigation. Specifically, the CCPA gave California residents certain rights to access and delete their personal information, opt out of certain personal information sharing, and receive detailed information about how their personal information is used. The California Privacy Rights Act, which went into effect on January 1, 2023, significantly amended the CCPA and imposed additional data protection obligations on covered businesses, including additional consumer rights processes, limitations on data uses, new audit requirements for higher risk processing, and opt outs for certain uses of sensitive data. It also created a new California privacy protection agency authorized to issue substantive regulations and enforce the CCPA, which could result in increased privacy and information security enforcement. In addition, as federal, state and local governments consider adopting new privacy and security legislation, our operations may be subject to different standards in different geographical regions. This may require significantly more resources for compliance and increase the risk of regulatory enforcement and private litigation with respect to our privacy and security practices. We are also subject to the General Data Protection Regulation ("GDPR"), the primary data protection law in the European Economic Area, including the European Union (collectively, the "EU"), as well as associated EU member state data protection laws and the UK GDPR in the United Kingdom. These laws impose significant requirements for covered businesses (controllers and processors) of personal data, including, for example, standards for obtaining consent from individuals to process their personal data, disclosures to individuals, an individual data rights regime, specified timelines for data breach notifications, limitations on retention and secondary uses of information, requirements pertaining to health data and pseudonymised (i.e., deidentified) data, restrictions on data transfers outside of the EU, and obligations when we contract third-party processors in connection with the processing of personal data. The GDPR allows EU member states certain flexibility to make additional laws and regulations concerning the same issues, including, for example, further limiting the processing of genetic, biometric or health data. Failure to comply with the requirements of the GDPR may result in fines of up to €20,000,000 or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Other administrative penalties may be imposed under the applicable national data protection laws of the EU member states. We rely on legal mechanisms for transferring certain personal data outside of the EU. These mechanisms include the EU Standard Contractual Clauses, or SCCs. In July 2020, the Court of Justice of the European Union issued the "Schrems II" decision requiring additional due diligence and assessments to be carried out when using Standard Contractual Clauses as transfer mechanisms. This decision may transfer data out of the EU and may result in increased costs and complexity for external transfers of data out of the EU. Other countries (for example Brazil and China) have or are in the process of passing laws that contain similar requirements to the GDPR. Data localization laws have also been passed or are under consideration in several countries (such as China and Russia), which require personal information relating to their citizens to be maintained on local servers and impose additional data transfer restrictions. Compliance with the varying data privacy regulations across the U.S. and around the world have required significant expenditures and may require additional expenditures and changes in our products or business models that increase complexity and competition. We may also experience less demand for our products if we are unable to engineer these to enable our customers to comply with their obligations under data privacy laws. In addition, government enforcement actions can be costly and interrupt the regular operation of our business, and data breaches or violations of data privacy laws can result in fines, reputational damage and civil lawsuits, any of which may adversely affect our business, reputation and financial statements.

Many of the markets we serve are technology-driven, and as a result intellectual property rights play a significant role in product development and differentiation. We own numerous patents, trademarks, copyrights, trade secrets and other intellectual property and licenses to intellectual property owned by others, which in aggregate are important to our business. The intellectual property rights that we obtain, however, may not be sufficiently broad or otherwise may not provide us a significant competitive advantage, and patents may not be issued for pending or future patent applications owned by or licensed to us. In addition, the steps that we and our licensors have taken to maintain and protect our intellectual property may not prevent it from being challenged, invalidated, circumvented, designed-around or becoming subject to compulsory licensing, particularly in countries where intellectual property rights are not highly developed or protected. The laws of foreign countries in which we do business or contemplate doing business in the future may not recognize intellectual property rights or protect them to the same extent as do the laws of the U.S. In some circumstances, enforcement may not be available to us because an infringer has a dominant intellectual property position or for other business reasons, or countries may require compulsory licensing of our intellectual property. We also rely on nondisclosure and noncompetition agreements with employees, consultants and other parties to protect, in part, trade secrets and other proprietary rights. There can be no assurance that these agreements will adequately protect our trade secrets and other proprietary rights and will not be breached, that we will have adequate remedies for any breach, that others will not independently develop substantially equivalent proprietary information or that third parties will not otherwise gain access to our trade secrets or other proprietary rights. Our failure to obtain or maintain intellectual property rights that convey competitive advantage, adequately protect our intellectual property or detect or prevent circumvention or unauthorized use of such property and the cost of enforcing our intellectual property rights could adversely impact our business, including our competitive position, and financial statements.

Our growth depends in part on the growth of the markets which we serve, and visibility into these markets is limited (particularly for markets into which we sell through distribution). Any decline or lower than expected growth in our served markets could diminish demand for our products and services, which would adversely affect our financial statements. Our quarterly sales and profits depend substantially on the volume and timing of orders received during the fiscal quarter, which are difficult to forecast. Certain of our businesses operate in industries that may also experience periodic, cyclical downturns. In addition, in certain of our businesses, demand depends on customers' capital spending budgets, government funding policies, and matters of public policy and government budget dynamics, as well as product and economic cycles, which can affect the spending decisions of these entities. Demand for our products and services is also sensitive to changes in customer order patterns, which may be affected by announced price changes, marketing or promotional programs, new product introductions, the timing of industry trade shows and changes in distributor or customer inventory levels due to distributor or customer management thereof or other factors. Any of these factors could adversely affect our growth and results of operations in any given period.

Trade policies and disputes at times result in increased tariffs, trade barriers, and other protectionist measures, which can increase our manufacturing costs, make our products less competitive, reduce demand for our products, limit our ability to sell to certain customers, limit our ability to procure components or raw materials, or impede or slow the movement of our goods across borders. Increasing protectionism and economic nationalism may lead to further changes in trade policies and regulations, domestic sourcing initiatives, or other formal and informal measures that could make it more difficult to sell our products in, or restrict our access to, some markets. In particular, trade tensions between the U.S. and China have led to increased tariffs and trade restrictions. It is difficult to predict what further trade-related actions governments may take, which may include trade restrictions and additional or increased tariffs and export controls imposed on short notice, and we may be unable to quickly and effectively react to or mitigate such actions. Additionally, in connection with the ongoing conflict between Russia and Ukraine, governments including the U.S., United Kingdom, and those of the European Union have imposed export controls on certain products and financial and economic sanctions on certain industry sectors and parties in Russia which has triggered retaliatory sanctions by the Russian government and its allies. Russia also imposed significant currency control measures aimed at restricting the outflow of foreign currency and capital from Russia. Although these export controls and sanctions did not have a material impact on our financial position or results of operations as of and for the year ended December 31, 2023, the outcome and future impacts of the conflict and governmental responses thereto remain highly uncertain. Existing and future sanctions may have broad and pervasive impacts to the global economy and our operations, which could materially and adversely affect our business and results of operations. We cannot predict whether additional U.S. and foreign customs quotas, duties (including antidumping or countervailing duties), tariffs, taxes or other charges or restrictions, requirements as to where raw materials must be purchased or other restrictions on our imports will be imposed in the future or adversely modified, or what effect such actions would have on our costs of operations. Future quotas, duties or tariffs may adversely affect our business, financial condition, results of operations or cash flows. Future trade agreements could also provide our competitors with an advantage over us, or increase our costs, either of which could adversely affect our business, financial condition, results of operations or cash flows. Furthermore, trade disputes and protectionist measures, or continued uncertainty about such matters, could result in declining consumer confidence and slowing economic growth or recession, and could cause our customers to reduce, cancel, or alter the timing of their purchases with us. Sustained geopolitical tensions could lead to long-term changes in global trade and supply chains, and decoupling of global trade networks, which could have a material adverse effect on our business and growth prospects.