Vivid Seats (SEAT) Risk Analysis

In the ordinary course of business, we collect, receive, store, protect, use, transmit, share, and dispose of (collectively, "process") personal data and other sensitive information. These activities subject us to numerous federal, state, and international laws and regulations, industry standards, external and internal privacy and security policies, and contractual requirements addressing privacy, data protection, and the processing of such data and information. Many U.S. states, and the federal and local governments, have adopted data protection and security legislation, including laws relating to personal data privacy and data breach notification. Many U.S. states have also enacted comprehensive privacy laws that impose certain obligations on covered businesses, such as requiring certain privacy disclosures and giving residents certain rights with respect to their personal data (e.g., the right to access, correct, or delete such data and to opt-out of certain data processing activities). Certain U.S. states also impose strict requirements on the processing of personal data, such as conducting data privacy impact assessments, and provide statutory fines for non-compliance. For example, the CCPA applies to personal data of consumers, business representatives, and employees who are California residents, and requires businesses to provide specific disclosures in privacy notices and honor requests of such individuals to exercise certain privacy rights. The CCPA provides for statutory penalties and a private right of action for data breaches resulting from a failure to implement reasonable security procedures and practices. U.S. state and federal legislators continue to consider and enact similar laws, reflecting a trend toward more stringent privacy legislation in the United States. These and any future similar laws are likely to increase our compliance costs and overall risk, particularly when they have conflicting requirements, and may require us to further modify our data processing practices and policies. In addition to new regulations, courts around the country continue to evolve their interpretation of data privacy and protection laws, including the CCPA. There has also been a noticeable uptick in class action litigation in the United States in which plaintiffs have utilized a variety of laws, including the Video Privacy Protection Act of 1988, state wiretapping laws, and other privacy laws and regulations, in relation to the use of tracking technologies such as cookies and pixels. This trend may lead legislatures to consider responsive regulation. These practices are also subject to increased challenges by class action plaintiffs. Our inability or failure to obtain consent for these practices could result in adverse consequences, including class action litigation and mass arbitration demands. Personal and other user data is also increasingly subject to legislation and regulations in foreign jurisdictions in which we operate. For example, PIPEDA is a comprehensive Canadian privacy and security law for organizations collecting, using, or disclosing information about identified individuals for commercial purposes, and may impose obligations on covered organizations that are greater than what is common in the United States. Certain Canadian provinces also have their own data protection regulations. Similarly, the United Kingdom, the European Union, and countries in the European Economic Area (the "EEA") traditionally have taken broader views on, and imposed different legal obligations on companies as to, the types of data that are subject to privacy and data protection laws and regulations. For example, the E.U. General Data Protection Regulation (the "GDPR"), which took effect in May 2018, applies to any company established in the EEA and to companies outside the EEA if they collect and use personal data in connection with the offering of goods or services to individuals in the EEA or the monitoring of their behavior. The United Kingdom has its own General Data Protection Regulation, which took effect in January 2021. Under the GDPR, companies may face temporary or definitive bans on data processing and other corrective actions, significant monetary fines, and/or private litigation related to the processing of personal data. The APPI, a Japanese law governing the handling of personal information, may also impose obligations on covered entities that are in addition to, or differ from, those in other jurisdictions (for example, it differs from the GDPR with respect to its approach to notifications and the cross-border transfer of personal data). Compliance with these and any other foreign data privacy laws and regulations may significantly increase our operational costs and our overall risk exposure. In the ordinary course of business, we transfer personal data from one jurisdiction to another. Certain European jurisdictions, including the United Kingdom, have enacted laws requiring that personal data be localized or limiting the transfer thereof to other jurisdictions, including the United States. Other jurisdictions have adopted or may adopt similar data localization and/or cross-border data transfer restrictions. Although there are various mechanisms that may be used to transfer personal data from the United Kingdom and the EEA to the United States in compliance with these restrictions, they are subject to legal challenges and there can be no assurance that we can satisfy or rely on them. If there were no lawful manner for us to transfer personal data from the United Kingdom or the EEA to the United States, or if the requirements for doing so were too onerous, we could face adverse consequences, including the interruption of our operations, the need to relocate our data processing activities, and penalties such as fines and injunctions. In addition, companies that transfer personal data out of the United Kingdom and the EEA have faced increased scrutiny from regulators and litigants, and certain of such companies have been ordered by European regulators to suspend or cease certain such data transfers for allegedly violating the GDPR's cross-border data transfer restrictions. We must also comply with certain industry standards and contractual obligations related to data privacy and security. For example, certain privacy laws, including the CCPA and the GDPR, require the imposition of specific contractual restrictions on service providers. We also publish privacy policies, marketing materials, and other statements related to compliance with certain certifications or self-regulatory principles concerning data privacy and security. U.S. regulators are increasingly scrutinizing these materials, and if they are found to be deficient, unfair, misleading, or misrepresentative of our practices, we could be subject to governmental enforcement actions or other adverse consequences. From time to time, our personnel use generative artificial intelligence ("AI") technologies in the course of their work. We use also use generative AI and machine learning technologies ("AI/ML") in certain of our products. The disclosure and use of personal data in generative AI technologies, and the development and use of AI/ML, present various privacy and data security risks and are subject to an increasing number of laws and regulations. Several jurisdictions, including in the United States and Europe, have enacted laws governing the development and use of AI/ML, such as the EU's AI Act, and we expect other jurisdictions will adopt similar laws. Certain consumer rights extended by privacy laws (e.g., the right to delete certain personal data and regulate automated decision making) may also be incompatible with the use of AI/ML. As a result, our use of these technologies could result in additional compliance costs, lawsuits, and regulatory actions. However, our inability to use these technologies, or limitations on such use, could result in a competitive disadvantage. The interpretation and application of many privacy and data protection laws are, and will likely remain, uncertain, and it is possible that these laws may be interpreted and applied in a manner that is inconsistent with each other and with our existing data management practices, policies, or product features. If so, in addition to the possibility of fines, lawsuits (including class action claims), additional reporting requirements and/or oversight, bans or restrictions on processing personal data, orders to destroy or not use personal data, and other claims and penalties, we could be required to change our business activities and practices or to modify our practices, policies, or products, which could adversely affect our business. In addition to government regulation, privacy advocacy and industry groups may propose new and different self-regulatory standards that legally or contractually apply to us. Any inability by us, or our service providers and partners, to adequately address privacy, data protection, and data security concerns or comply with applicable privacy, data protection, or data security laws, regulations, policies, and other obligations, could result in additional costs and liability to us and adversely affect our reputation, sales, and business. In addition, any compromise of information security that results in the unauthorized access, acquisition, or release of personal or other user data, or the perception that such a compromise has occurred, could harm our brand and reputation, discourage existing and potential ticket sellers, buyers, and partners from using our platform, and result in fines and proceedings by governmental agencies and users, any of which could adversely affect our business, financial condition, and results of operations. In addition, laws in certain of the jurisdictions in which we operate require, and laws in other jurisdictions in which we may operate in the future may require, businesses in certain instances to notify affected individuals, governmental entities, and/or credit reporting agencies of cybersecurity incidents affecting personal information. Certain of our contractual obligations contain similar requirements. Such requirements are inconsistent, and compliance in the event of a widespread cybersecurity incident may be complex, costly, and difficult to implement. These risks may increase not only as we expand our operations in new jurisdictions, but also as our business continues to involve greater numbers of ticket buyers, sellers, and partners. While we maintain general and cyber liability insurance policies, they may not cover, or may cover only a portion of, any response and remediation costs and potential claims related to cybersecurity incidents to which we are exposed, or they may be inadequate to indemnify us for all or any portion of liabilities that may be imposed. There can be no assurance that our existing insurance coverage will continue to be available on acceptable terms or in amounts sufficient to cover the potentially significant losses that may result from a cybersecurity incident or that the insurer will not deny coverage of any future claim.

Our ability to attract and retain ticket buyers, sellers, and partners depends in large part on our ability to provide a user-friendly and effective platform, develop and improve our platform, and introduce compelling new solutions and enhancements. Our industry is characterized by rapidly changing technology, service, and product introductions, and changing demands of ticket buyers, sellers, and partners. We spend substantial time and resources understanding and responding to such parties' needs. Developing new and improved solutions and enhancements is costly and complex, and the timetable for commercial release is difficult to predict and may vary from our historical experience. In addition, after development, ticket buyers, sellers, and partners may not be satisfied with, or may perceive that their needs are not adequately addressed by, our solutions and enhancements. The success of a new solution or enhancement to our platform can depend on several factors, including timely completion and delivery, competitive pricing, adequate quality testing, platform integration, user awareness, and overall market acceptance and adoption. If we do not continue to maintain and improve our platform, or to successfully develop new and improved solutions and enhancements, our business, financial condition, and results of operations could be adversely affected.

Due to the nature of our business, we process certain personal data and other sensitive information about ticket buyers and sellers and our employees. Penetration of our information technology systems, or the misappropriation or misuse of such data or information (including credit card information and other personally identifiable information), could interrupt our operations and subject us to adverse consequences, including increased costs, litigation, and governmental enforcement actions. Cyberattacks, malicious internet-based activity, fraud, and similar evolving threats (including phishing attacks, malicious code, software bugs, malware attacks, ransomware attacks, denial-of-service attacks, credential stuffing attacks, and credential harvesting) threaten the confidentiality, integrity, and availability of our information technology systems. Such threats come from a variety of sources and are increasingly prevalent and difficult to detect. In addition, we rely on third parties to process certain information in a variety of contexts (e.g., cloud-based infrastructure, encryption technology, and employee email) and to provide certain hardware, software, and applications. These third parties' information technology systems are subject to similar threats, and our ability to monitor their security practices is limited. If any of these third parties were to suffer a security incident or other interruption, we could experience adverse consequences. While we may be entitled to damages if a third party fails to satisfy its privacy- or security-related obligations to us, any award, assuming we are able to recover it, may be insufficient to cover our damages. Our past and future business acquisitions could also increase our exposure to these threats if our systems were negatively affected by vulnerabilities in an acquired entity's systems. We have devoted significant resources to the development of systems, practices, and policies designed to detect, mitigate, and remediate vulnerabilities in our information technology systems, protect against potential cybersecurity threats and their consequences, and protect sensitive information. However, such measures cannot provide absolute security or certainty. Advances in threat actor capabilities, methods, and tools, inadvertent violations of our practices or policies, or other developments could result in a compromise or breach of our systems and processes that are used to protect sensitive information. We may also experience delays in developing and deploying remedial measures designed to address identified vulnerabilities. Any of these or similar threats could lead to a security incident or other interruption that results in the unauthorized, unlawful, or accidental acquisition, modification, destruction, loss, or disclosure of, or access to, our information technology systems, or those of the third parties with whom we conduct business. If we or such a third party experience (or are perceived to have experienced) a significant incident or interruption, it may have adverse consequences on us, including: governmental enforcement actions; lawsuits (including class action claims); additional reporting requirements and/or oversight; bans or restrictions on processing sensitive information; indemnification obligations; negative publicity; reputational harm among ticket sellers, buyers, and partners; the diversion of management resources; the interruption of our operations (including data availability); financial losses; and incidents of ticketing fraud or counterfeit tickets. In the event of such an incident, we may also be required or voluntarily choose to notify relevant stakeholders (including affected individuals, regulators, and investors) or to take other actions (such as providing credit monitoring and identity theft protection services). Such disclosures and actions can be costly, and the failure to comply with applicable requirements could lead to adverse consequences. Any of the foregoing could adversely affect our business, financial condition, and results of operations.

We operate in a highly competitive industry and face significant and continuous competition from other national, regional, local, and international primary and secondary ticketing service providers to secure new and retain existing ticket buyers, sellers, and partners. We also face competition in the resale of tickets from other professional ticket resellers. This competition could cause the volume of our ticketing business to decline, which would adversely affect our business, financial condition, and results of operations. Competitive variables that could lead to a decrease in ticket orders, prices, fees, and/or profit margins, certain of which have adversely affected our past financial performance, include: offerings from our competitors that include more favorable terms or pricing; increased marketing spending by our competitors; consolidation among competitors resulting in their increased market share; technological changes and innovations that we are unable to adopt or are late in adopting; other entertainment options or ticket inventory selections and varieties that we do not offer; increased pricing in the primary ticket marketplace, which could result in reduced profits for secondary ticket sellers; primary ticket marketplaces successfully restricting secondary ticket sales; and increased search engine marketing costs as competitors increase bid prices. Competition within the daily fantasy sports and gaming industry is also significant, and existing and potential Vivid Picks users may choose to use competing daily fantasy sports products for many of the same reasons discussed above.

The supply of live concert, sporting, and theater events depends on several factors, many of which are outside of our control. We rely on artists and sports teams to perform and play at live events, and scenarios such as artists deciding to perform less frequently or at smaller venues, sports league lockouts, promoters or event venues failing to correctly anticipate demand for particular events, or negative trends in the entertainment and/or sporting industries that cause a reduction in the number or availability of live events adversely affect our business, financial condition, and results of operations. Our business also depends on demand for and attendance at live concert, sporting, and theater events, which is affected by, among other things, discretionary consumer and corporate spending. Many factors impact such spending, including economic conditions (e.g., unemployment levels, interest rates, inflation, and fuel prices), changes in tax rates/laws, public safety concerns, and other extraordinary events. Reduced discretionary spending, as well as other negative business or industry conditions or trends, can decrease demand for and attendance at live events, as well as reduce ticket sales, which adversely affect our revenue and operating results. All of these risks may become more acute during periods of economic slowdown, recession, and uncertainty. For example, the COVID-19 pandemic and related economic slowdown materially and adversely impacted our business, including due to event restrictions and cancellations. While live events are now generally held at pre-pandemic scope and scale, there can be no assurance that the supply of and/or demand for such events will not be negatively impacted by any future economic slowdown, recession, or uncertainty, which would adversely affect our business, financial condition, and results of operations.

Maintaining and enhancing our reputation and brand as a differentiated ticketing marketplace is critical in our ability to retain existing, and attract new, ticket buyers, sellers, and partners. The successful promotion of our brand requires significant investments of time, money, and effort, which may increase as our marketplace continues to expand and become more competitive. To the extent these investments yield increased revenue, it may not offset the increased expenses we incur. If we do not successfully maintain and enhance our brand and differentiate our marketplace from competitive products and services, our business may not grow, we may be unable to compete effectively, and we could lose existing, or fail to attract new, ticket buyers, sellers, or partners, any of which could adversely affect our business, financial condition, and results of operations. There are also many factors outside of our control that could undermine and/or harm our reputation and brand. A negative perception of our marketplace could adversely affect our business, including as a result of: complaints or negative publicity and our responsiveness thereto; our inability to timely comply with applicable laws, regulations, and/or consumer protection-related guidance; the use of our platform to sell fraudulent or counterfeit tickets; the timing of refunds and/or payment reversals through our platform; actual or perceived disruptions or defects in our platform; cybersecurity incidents; a lack of awareness of our policies; or changes to our policies that third parties perceive as overly restrictive, unclear or inconsistent with our values. If we are unable to maintain a reputable, user-friendly, and effective platform that provides tickets to desirable events, our ability to attract and retain ticket buyers, sellers, and partners could be impaired and our reputation, brand, and business could be adversely affected.

Inflation can negatively impact our business by increasing our overall costs, particularly if we are unable to achieve commensurate increases to revenues. Inflation has resulted, and may continue to result, in elevated interest rates and capital costs, increased costs of labor, weakened exchange rates, reduced discretionary spending, and other similar effects. As a result of inflation, we have experienced, and may continue to experience, increased costs. Although we may take measures to mitigate the effects of inflation, such measures may not be effective and, even if such measures are effective, there could be a difference in timing between the effects of inflation and of such measures. As a result, our business, financial condition (including liquidity), and results of operations may be adversely affected.

We have operations in Canada and Japan, and we continue to expand our international operations. Accordingly, we are subject to risks associated with doing business internationally, including, but not limited to: complying with a variety of newly applicable, and often changing and/or conflicting, laws and regulations, including those relating to anti-bribery, anti-corruption, anti-money laundering, data protection, and privacy; obtaining required governmental approvals, permits, and licenses; obtaining and enforcing our intellectual property rights; staffing and managing our foreign operations; financial risks such as longer payment cycles, difficulty collecting accounts receivable, the impact of local and regional financial crises, and exposure to foreign currency exchange rate fluctuations; preferences by local consumers for local competitors; and political and economic instability. We may also have difficulty expanding our business internationally because of the difficulties associated with obtaining local ticket supply and/or limited brand recognition, which could delay or limit the acceptance of our services by ticket buyers, sellers, and partners in new markets and increased marketing and other costs associated with establishing our brand. If we are unable to successfully expand internationally or manage the risks associated therewith, our business, financial condition, and results of operations could be adversely affected.

The occurrence and threat of extraordinary events, including public safety concerns or disruptions, intentional or unintentional mass-casualty incidents, acts of civil unrest, terrorist attacks, military actions, disease epidemics or other public health concerns (and governmental responses thereto), natural disasters, and severe weather events, may deter or prevent artists, sports teams, promoters, or event venues from performing, playing, or operating and substantially decrease the demand for live events. Because Vegas.com is concentrated in Southern Nevada, which has recently experienced water and electricity shortages, it is particularly exposed to certain of these risks. The occurrence of extraordinary events has in the past adversely affected, and may in the future adversely affect, our business, financial condition, and results of operations. Event cancellations related to such events could also adversely affect our financial performance because we may be obligated to issue refunds or credits for previously purchased tickets. The global COVID-19 pandemic and related economic shutdown resulted in significant disruption to our business, the entertainment and sporting industries, and the global economy in 2020 and 2021. The pandemic led governments and other authorities around the world to impose measures intended to control its spread, including travel bans, border closings and restrictions, business closures, quarantines, and vaccine requirements. During the height of the pandemic, many artists, sports teams, promoters, and event venues around the world ceased performances, games, and operations. Because we depend on live events in order to generate revenue from ticket sales, the decreased supply of and demand for such events during the pandemic negatively impacted our business and financial condition. While live events are now generally held at pre-pandemic scope and scale, it is difficult to predict any future outbreaks of disease epidemics (including any resurgence of the COVID-19 pandemic) and whether restrictions could again be imposed. Any of these circumstances could again adversely affect the live events industry and our business and financial condition.

Our success depends upon the continued service of our senior management team and key technical employees, as well as our ability to continue to identify, attract, hire, integrate, develop, motivate, and retain highly skilled personnel for all areas of our organization. Each of our executive officers, key technical employees, and other personnel could terminate their relationship with us at any time. The loss of any member of our senior management team or key personnel could significantly delay or prevent the achievement of our business objectives and/or negatively impact our business and relationships. As such, effective succession planning and the execution of smooth personnel transitions is important to our long-term success. If we fail to effectively manage our hiring needs and execute smooth personnel transitions, our business may be adversely affected. Competition in our industry for qualified employees is intense. To attract top talent, we must offer competitive compensation arrangements and benefits packages, as well as periodically increase compensation levels in response to competition and inflation. If we fail to successfully attract, hire, and integrate new personnel, our efficiency and ability to meet forecasts, as well as employee morale, productivity, and retention, could suffer, which may adversely affect our business.