Rackspace Technology (RXT) Risk Factors

We are materially dependent upon our networks, information technology infrastructure and related technology systems to provide services to our customers, manage our internal operations and support our strategic objectives. Many of our customers require access to our services on a continuous basis and may be materially impaired by interruptions in our or our third-party service providers' infrastructure. The services we offer also involve the transmission of large amounts of sensitive and proprietary information over public communications networks, as well as the processing and storage of confidential customer information, which may include information subject to stringent domestic and foreign data protection laws, including those governing personally identifiable information, protected health information or other types of sensitive data. We also process, store and transmit our own data as part of our business and operations, which may include personally identifiable, confidential or proprietary information. Cyber-attacks have become more prevalent in our industry, and the techniques used to sabotage or obtain unauthorized access to systems are constantly expanding and evolving. Malicious actors are increasingly sophisticated in their methods, tactics, techniques and procedures, seeking to steal money, gain unauthorized access to, destroy or manipulate data, and disrupt operations, and some of their attacks may not be recognized or discovered until launched or after initial entry into the environment, such as novel or zero-day attacks that are launched before patches are available and defenses can be readied. Malicious actors are also increasingly developing methods to avoid prevention, detection and alerting capabilities, including employing counter-forensic tactics, making response activities more difficult. Like many companies, we have experienced these attacks, including a ransomware incident that caused service disruptions for our Hosted Exchange customers, as previously disclosed in December 2022. When these cyber-attacks occur, we respond to these incidents pursuant to our cybersecurity policies and procedures and in accordance with the law. Our cybersecurity policies and procedures are designed to protect against and mitigate harm from unauthorized access, infrastructure attacks, malicious file attacks, ransomware, data theft, bugs, worms, malicious software programs, remnant data exposure, computer viruses, denial-of-service attacks, accidents, employee error or malfeasance, intentional misconduct by computer "hackers," state-sponsored cyber-attacks and attempts by outside parties to fraudulently induce our employees or customers to disclose or grant access to our data or our customers' data. Our current cybersecurity framework is governed and overseen by the Chief Security Officer. The audit committee of our board of directors receives regular cybersecurity updates. When necessary, our internal incident response team engages with external advisors, including outside counsel or outside cybersecurity firms to investigate and remediate. Our current security measures are monitored and periodically reviewed. Nevertheless, our security measures have in the past and may continue to be circumvented or fail to defeat or mitigate cybersecurity attacks. Additionally, other disruptions can occur, such as infrastructure gaps, hardware and software vulnerabilities, inadequate or missing security controls, exposed or unprotected customer data and the accidental or intentional disclosure of source code or other confidential information by former or current employees. Any such incidents could (i) interfere with the delivery of services to our customers, (ii) impede our customers' ability to do business, (iii) compromise the security of infrastructure, systems and data, (iv) lead to the dissemination to third parties of proprietary information or sensitive, personal, or confidential data about us, our employees or our customers, including personally identifiable information of individuals involved with our customers and their end users and (v) impact our ability to do business in the ordinary course. Each of these risks could further intensify as we maintain information in digital form stored on servers connected to the Internet, especially in light of the growing frequency, scope and well-documented sophistication of cyber-attacks and intrusions. Some of our systems or vendors' systems have experienced past security breaches, and, although they did not have a material adverse effect on our operating results, there can be no assurance of a similar result in the future. Cyber breaches and other security incidents may expose us to increased risk of claims and liability, including litigation, regulatory enforcement, notification obligations and indemnity obligations, as well as loss of existing or potential customers, harm to our reputation, increases in our security costs (including spending material resources to investigate or correct the breach or incident and to prevent future security breaches and incidents), disruption of normal business operations, the impairment or loss of industry certifications and government sanctions (including debarment), all of which could have a material and adverse effect on our business, financial condition and results of operations. The security of our services is important in our customers' decisions to purchase or use our services. Threats to our infrastructure may not only affect the data that we own but also the data belonging to our customers. When customers use our services, they rely on the security of our infrastructure, including hardware and other elements provided by third parties, to ensure the reliability of our services and the protection of their data. We also offer professional services to our customers where we consult on data center solutions and assist with implementations. We offer managed services domestically and in some jurisdictions outside of the U.S. An actual or perceived breach of, or other security incident relating to, our cloud storage systems and networks could result in significant loss. In the event of a claim, we could be liable for substantial damage awards that may significantly exceed our liability insurance coverage by unknown but significant amounts, which could have a material and adverse effect on our financial condition and results of operations. Additionally, we cannot be certain that our insurance coverage will cover any claims against us relating to any such incident, will continue to be available to us on economically reasonable terms, or at all, or that our insurers will not deny coverage as to any such claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could adversely affect our reputation, business, financial condition and results of operations. The costs could be exacerbated by regulatory fines and penalties, notification costs and the loss of revenue due to brand and reputational harm. Similar security risks exist with respect to our business partners and the third-party vendors that we rely on for aspects of our IT support services and administrative functions, including the systems owned, operated or controlled by other unaffiliated operators to the extent we rely on such other systems to deliver services to our customers. Our cybersecurity policies and procedures are designed to vet third-party providers and provide for adequate oversight and cooperation regarding cybersecurity incidents with respect to our third-party vendors, but our ability to monitor our third-party service providers' data security is limited. As a result, we are subject to the risk that cyber-attacks on, or other security incidents affecting, our business partners and third-party vendors may adversely affect our business even if an attack or breach does not directly impact our systems. It is also possible that security breaches sustained by, or other security incidents affecting, our competitors could result in negative publicity for our entire industry that indirectly harms our reputation and diminishes demand for our services. In addition, our customers require and expect that we maintain industry-related compliance certifications, such as International Organization for Standardization ("ISO") 27001, Service Organization Controls ("SOC 1, 2, 3") and Payment Card Industry ("PCI"), Federal Information Security Management Act ("FISMA"), Federal Risk and Authorization Management Program ("FedRAMP") and Health Information Trust Alliance ("HITRUST") in the U.S., Information Security Registered Assessors Program ("IRAP") in Australia and Public Services Network ("PSN") in the U.K. There are significant costs associated with maintaining existing and implementing any newly-adopted industry-related compliance certifications, including costs associated with retroactively building security controls into services which may involve re-engineering technology, processes and staffing. The inability to maintain applicable compliance certifications could result in monetary fines, disruptive participation in forensic audits due to a breach, security-related control failures, customer contract breaches, customer churn and brand and reputational harm. See Item 1C - "Cybersecurity" for additional information.

We are subject to a variety of taxes and tax collection obligations in the U.S. (federal and state) and numerous foreign jurisdictions. Significant judgment is required in determining our worldwide provision for income taxes. We may recognize additional tax expense and be subject to additional tax liabilities, including other liabilities for tax collection obligations due to changes in laws, regulations, administrative practices, principles and interpretations related to tax, including changes to the global tax framework, competition and other laws and accounting rules in various jurisdictions. Such changes could come about as a result of economic, political and other conditions, or certain jurisdictions aggressively interpreting their laws in an effort to raise additional tax revenue. An increasing number of jurisdictions are considering or have unilaterally adopted laws or country-by-country reporting requirements that could adversely affect our effective tax rates or result in other costs to us which could adversely affect our operating results. We are also currently subject to tax audits in various jurisdictions, and these jurisdictions may assess additional tax liabilities against us. Developments in an audit, investigation or other tax controversy could have a material and adverse effect on our operating results or cash flows in the period or periods for which that development occurs, as well as for prior and subsequent periods. We regularly assess the likelihood of an adverse outcome resulting from these proceedings to determine the adequacy of our tax accruals. Although we believe our tax estimates are reasonable, the final outcome of audits, investigations and any other tax controversies could be materially different from our historical tax accruals.

The effects of human activity on the global climate change have attracted considerable public and scientific attention, as well as the attention of the U.S. government. Efforts are being made to reduce greenhouse emissions, particularly those from coal combustion by power plants, some of which we rely upon for power. The added cost of any environmental taxes, charges, assessments or penalties levied on these power plants could be passed on to us, increasing the cost to run our data centers. Additionally, environmental taxes, charges, assessments or penalties could be levied directly on us in proportion to our carbon footprint. Any enactment of laws or passage of regulations regarding greenhouse gas emissions by the U.S., or any domestic or foreign jurisdiction we perform business in, could adversely affect our business, financial condition and results of operations.

The market for our services is highly competitive, quickly evolving and subject to rapid changes in technology. We expect to continue to face intense competition from our existing competitors as well as additional competition from new market entrants in the future as the market for our services continues to grow. Our current and potential competitors vary by size, service offerings and geographic region. These competitors may elect to partner with each other or with focused companies to grow their businesses. They include: - in-house IT departments of our customers and potential customers;- traditional global IT systems integrators, including large multi-national providers, such as Accenture, Atos, Capgemini, Cognizant, Deloitte, DXC Technology and IBM;- cloud service providers and digital systems integrators;- regional managed services providers; and - colocation solutions providers, such as Equinix, CyrusOne and QTS. The primary competitive factors in our market are: focus on the cloud, technology and service expertise, customer experience, speed of innovation, strength of relationships with technology partners, automation and scalability, standardized operational processes, geographic reach, brand recognition and reputation and price. Many of our current and potential competitors have substantially greater financial, technical and marketing resources; relationships with large vendor partners; larger global presence; larger customer bases; longer operating histories; greater brand recognition; and more established relationships in the industry than we do. As a result, some of these competitors may be able to: - develop superior products or services, gain greater market acceptance and expand their service offerings more efficiently or more rapidly;- adapt to new or emerging technologies and changes in customer requirements more quickly;- bundle their offerings, including hosting services, with other services they provide at reduced prices;- streamline their operational structure, obtain better pricing or secure more favorable contractual terms, allowing them to deliver services and products at a lower cost;- take advantage of acquisition, joint venture and other opportunities more readily;- adopt more aggressive pricing policies and devote greater resources to the promotion, marketing and sales of their services, which could cause us to have to lower prices for certain services to remain competitive in the market; and - devote greater resources to the R&D of their products and services. To the extent we face increased price competition, we may have to lower the prices of certain of our services in the future to stay competitive, while simultaneously seeking to maintain or improve our revenue and gross margin. In addition, consolidation activity through strategic mergers, acquisitions and joint ventures may result in new competitors that can offer a broader range of products and services, may have greater scale or a lower cost structure. To the extent such consolidation results in the ability of vertically-integrated companies to offer more integrated services to customers than we can, customers may prefer the single-source approach and direct more business to such competitors, thereby impairing our competitive position. Furthermore, new entrants not currently considered to be competitors may enter the market through acquisitions, partnerships or strategic relationships. As we look to market and sell our services to potential customers, we must convince their internal stakeholders that our services are superior to their current solutions. If we are unable to anticipate or react to these competitive challenges, our competitive position would weaken, which could adversely affect our business, financial condition and results of operations. We may from time to time enter into strategic relationships with one or more of our competitors. By way of example, we have non-exclusive managed service provider relationships with AWS, Microsoft and Google and have entered into agreements with colocation service providers to provide us with colocation space.

Our government work carries various risks inherent in the government contracting process. These risks include, but are not limited to, the following: - Government entities typically fund projects through appropriated monies and demand is affected by public sector budgetary cycles and funding authorizations. While these projects are often planned and executed as multi-year projects, government entities usually reserve the right to change the scope of or terminate these projects for lack of approved funding and/or at their convenience, which also could limit our recovery of incurred costs, reimbursable expenses and profits on work completed prior to the termination. - Government contracts are subject to heightened reputational and contractual risks compared to contracts with commercial clients. For example, government contracts and the proceedings surrounding them are often subject to more extensive scrutiny and publicity. Negative publicity, including an allegation of improper or illegal activity, regardless of its accuracy, or challenges to government contracts awarded to us, may adversely affect our reputation. - Government contracts can be challenged by other interested parties and such challenges, even if unsuccessful, can increase costs, cause delays and defer project implementation and revenue recognition. - Terms and conditions of government contracts also tend to be more onerous and are often more difficult to negotiate. For example, these contracts often contain high liability for breaches and feature less favorable payment terms and sometimes require us to take on liability for the performance of third parties. - Political and economic factors such as pending elections, the outcome of elections, changes in leadership among key executive or legislative decision makers, revisions to governmental tax or other policies and reduced tax revenues can affect the number and terms of new government contracts signed or the speed at which new contracts are signed, decrease future levels of spending and authorizations for programs that we bid, shift spending priorities to programs in areas for which we do not provide services and/or lead to changes in enforcement or how compliance with relevant rules or laws is assessed. - If a government client discovers improper or illegal activities during audits or investigations, we may become subject to various civil and criminal penalties, including those under the civil U.S. False Claims Act and administrative sanctions, which may include termination of contracts, forfeiture of profits, suspension of payments, fines and suspensions or debarment from doing business with other agencies of that government. The inherent limitations of internal controls may not prevent or detect all improper or illegal activities. - U.S. government contracting regulations impose strict compliance and disclosure obligations. Disclosure is required if certain company personnel have knowledge of "credible evidence" of a violation of federal criminal laws involving fraud, conflict of interest, bribery or improper gratuity, a violation of the civil U.S. False Claims Act or receipt of a significant overpayment from the government. Failure to make required disclosures could be a basis for suspension and/or debarment from federal government contracting in addition to breach of the specific contract and could also impact contracting beyond the U.S. federal level. Reported matters also could lead to audits or investigations and other civil, criminal or administrative sanctions. In addition, contracting with Federal government bodies may subject us to operational requirements or prohibitions which would increase our compliance costs or increase the risk of non-compliance. The occurrences or conditions described above could affect not only our business with the government entities involved, but also our business with other entities of the same or other governmental bodies or with certain commercial clients and could have a material and adverse effect on our results of operations. In addition, the success of our government solutions business is highly dependent on our FISMA and FedRAMP certifications which evidence our ability to meet certain federal government security compliance requirements. Failure to maintain the FedRAMP certification would result in a breach in many of our government contracts, which in turn, could subject us to liability and result in reputational harm and customer and employee attrition. Further, government contracts are increasingly requiring that FedRAMP-authorized service offerings be hosted on public cloud infrastructure. In the event that we are unable to expand the scope of our FedRAMP-authorized service offerings accordingly, it may impair our ability to successfully bid on government contracts.

We believe that maintaining, enhancing and protecting our brand is important to support the marketing and sale of our existing and future services to new customers and expand sales of our services to existing customers. We also believe that the importance of brand recognition will increase as competition in our market increases. Successfully maintaining, enhancing and protecting our brand will depend largely on the effectiveness of our marketing efforts, our ability to provide reliable services that continue to meet the needs of our customers at competitive prices, our ability to maintain our customers' trust, our ability to successfully differentiate our services and platform capabilities from competitive services and our ability to obtain, maintain, protect and enforce trademark and other intellectual property protection for our brand. Our brand promotion activities may not generate customer awareness or yield increased revenue, and even if they do, any increased revenue may not offset the expenses incurred in building and maintaining our brand. If we fail to successfully promote, maintain and protect our brand, our business, financial condition and results of operations may be adversely affected.

Our ability to be successful and to execute on our strategies depends on our ability to identify, hire, train and retain qualified executives, IT professionals, technical engineers, software developers, operations employees and sales and senior management personnel who maintain relationships with our customers and who can provide the technical, strategic and marketing skills required for our company to grow. Our ability to execute on our sales strategy is also dependent on our ability to identify, hire, train and retain a sufficient number of qualified sales personnel. There is a shortage of qualified personnel in these fields, and like many other companies we have recently encountered additional challenges in hiring and retaining qualified personnel. We compete with other companies for this limited pool of potential employees. Furthermore, the implementation of our strategies will result in changes throughout our business, which may create uncertainty for our employees. Such uncertainties may impair our ability to attract, retain and motivate key personnel and could cause customers, suppliers and others who deal with us to seek to change existing business relationships. In addition, the industry in which we operate is generally characterized by significant competition for skilled personnel, and as our industry becomes more competitive, it could become especially difficult to retain personnel with unique in-demand skills and knowledge, whom we would expect to become recruiting targets for our competitors. There is no assurance that we will be able to recruit or retain qualified personnel or successfully transition knowledge from departing employees, and this failure could cause a dilution of our service-oriented culture and our inability to develop and deliver existing or new operations and services, which could cause our business to be negatively impacted.

Our overall performance depends in part on worldwide economic and geopolitical conditions. The U.S., the U.K. and other key international economies have experienced cyclical downturns from time to time in which economic activity was impacted by falling demand for a variety of goods and services, restricted credit, poor liquidity, reduced corporate profitability, volatility in credit and fluctuating interest rates, equity and foreign exchange markets, bankruptcies and overall uncertainty with respect to the economy. These economic conditions can arise suddenly and the full impact of such conditions can remain uncertain. In addition, geopolitical developments, such as existing and potential wars, trade wars or other conflicts, and other events beyond our control. Any form of civil unrest or other conflict can increase levels of political and economic unpredictability regionally or globally and has the potential to increase the volatility of global financial markets. Any of these effects could have a material and adverse impact on our business, financial condition and results of operations.