Snail, Inc. Class A (SNAL) Risk Analysis

In the course of our day-to-day business, we and third parties operating on our behalf and from which we license certain intellectual property create, store, and/or use commercially sensitive information, such as the source code and game assets for our interactive entertainment software products and sensitive and confidential information with respect to our customers, consumers, and employees. Our ability to effectively manage our business and coordinate the manufacturing, sourcing, distribution and sale of our interactive entertainment software products depends significantly on the reliability and capacity of these systems. We are critically dependent on the integrity, security and consistent operations of these systems. A malicious cybersecurity-related attack, intrusion or disruption by hackers (including through spyware, ransomware, viruses, phishing, denial of service and similar attacks) or other breach of the systems on which such source code and assets, account information (including personal information) and other sensitive data is stored could lead to piracy of our software, fraudulent activity, disclosure or misappropriation of, or access to, our customers', consumers' or employees' personal information, or our own business data. Such incidents could also lead to product code-base and game distribution platform exploitation, should undetected viruses, spyware, or other malware be inserted into our products, services, or networks, or systems used by our consumers. We have implemented cybersecurity programs and the tools, technologies, processes, and procedures intended to secure our data and systems, and prevent and detect unauthorized access to, or loss of, our data, or the data of our customers, consumers or employees. However, because these cyberattacks may remain undetected for prolonged periods of time and the techniques used by criminal hackers and other third parties to breach systems are constantly evolving, change frequently and we may be unable to anticipate these techniques or implement adequate preventative measures. A data intrusion into a server for a game with online features or for our proprietary online gaming service could also disrupt the operation of such game or platform. If we are subject to cybersecurity breaches, or a security-related incident that materially disrupts the availability of our products and services, we may have a loss in sales or subscriptions or be forced to pay damages or incur other costs, including from the implementation of additional cyber and physical security measures, or suffer reputational damage. If there were a public perception that our data protection measures are inadequate, whether or not the case, it could result in reputational damage and potential harm to our business relationships or the public perception of our business model. In addition, such cybersecurity breaches may subject us to legal claims or proceedings, like individual claims and regulatory investigations and actions, including fines, especially if there is loss, disclosure, or misappropriation of, or access to, our customers' personal information or other sensitive information, or there is otherwise an intrusion into our customers' privacy.

From time to time, we have been, and in the future may be, involved in claims, suits, investigations, audits and proceedings arising in the ordinary course of our business, including with respect to labor and employment, intellectual property, competition and antitrust, regulatory, tax, privacy and/or commercial matters. In addition, negative consumer sentiment about our business practices may result in inquiries or investigations from regulatory agencies and consumer groups, as well as litigation. Claims, suits, investigations, audits and proceedings are inherently difficult to predict, and their results are subject to significant uncertainties, many of which are outside of our control. Regardless of the outcome, such legal proceedings can have a negative impact on us due to reputational harm, legal costs, diversion of management resources and other factors. It is also possible that a resolution of one or more such proceedings could result in substantial settlements, judgments, fines or penalties, injunctions, criminal sanctions, consent decrees or orders preventing us from offering certain features, functionalities, products or services, requiring us to change our development process or other business practices. There is also inherent uncertainty in determining reserves for these matters. Significant judgment is required in the analysis of these matters, including assessing the probability of potential outcomes and determining whether a potential exposure can be reasonably estimated. In making these determinations, we, in consultation with outside counsel, examine the relevant facts and circumstances on a quarterly basis assuming, as applicable, a combination of settlement and litigated outcomes and strategies. Further, it may take time to develop factors on which reasonable judgments and estimates can be based. We regard our software as proprietary and rely on a variety of methods, including a combination of copyright, patent, trademark and trade secret laws, and employee and third-party non-disclosure and invention assignment agreements, to protect our proprietary rights. We own or license various copyrights, patents, trademarks and trade secrets. The process of registering and protecting these rights in various jurisdictions is expensive and time-consuming. Further, we are aware that some unauthorized copying and piracy occurs, and if a significantly greater amount of unauthorized copying or piracy of our software products were to occur, it could negatively impact our business. We also cannot be certain that existing intellectual property laws will provide adequate protection for our products in connection with emerging technologies or that we will be able to effectively protect our intellectual property through litigation and other means.

We collect, process, store, use and share data in our operations. While our business receives limited, if any, personal information of our end users from our platform providers, we may elect to collect such information in the future. Our business and the business of our platform providers are therefore subject to a number of federal, state, local and foreign laws, regulations, regulatory codes and guidelines governing data privacy, data protection and security, including with respect to the collection, storage, use, processing, transmission, sharing and protection of personal information. Such laws, regulations, regulatory codes and guidelines may be inconsistent across jurisdictions or conflict with other rules. The legislative and regulatory landscapes for data privacy and security continue to evolve in jurisdictions worldwide, with an increasing focus on privacy and data protection issues with the potential to affect our business. In the United States, such privacy and data security laws and regulations include federal laws and regulations like the federal Controlling the Assault of Non-Solicited Pornography and Marketing Act, the Telephone Consumer Protection Act, the Do-Not-Call Implementation Act, and rules and regulations promulgated under the authority of the Federal Trade Commission and state laws like the California Consumer Privacy Act ("CCPA") and the varying data breach notification laws that have been enacted in all 50 U.S. states and the District of Columbia. The CCPA, which became effective on January 1, 2020 and became enforceable by the California Attorney General on July 1, 2020, along with related regulations that came into force on August 14, 2020, provides additional individual privacy rights for California residents and places increased data privacy and security obligations on entities handling certain personal information of California residents and households. Among other things, the CCPA expands rights related to such individual's personal information, including the right to access and require deletion of their personal information, opt out of certain personal information sharing, and receive detailed information about how their personal information is collected, used, and shared by covered business. Many of the CCPA's requirements as applied to personal information obtained in a business to business context, as well as personal information of a business's personnel and related individuals, were subject to a moratorium that expired on January 1, 2023. The CCPA provides for civil penalties for violations, as well as a private right of action and statutory damages for security breaches that may increase security breach litigation. The effects of the CCPA are significant and have required, and could continue to require, us to modify our data collection or processing practices and policies and to incur substantial costs and expenses in an effort to comply. Some observers have noted that the CCPA could mark the beginning of a trend toward more stringent state privacy legislation in the U.S., which could increase our potential liability and adversely affect our business. Further, in November 2020, California voters passed the California Privacy Rights Act ("CPRA"). The CPRA, which came into effect in most material respects on January 1, 2023 with a one-year look back period, significantly amended and expanded existing CCPA requirements, including, among other things, by introducing additional obligations such as data minimization and storage limitations on the sharing of personal information for cross on text behavioral advertising and on the use of "sensitive" personal information, granting additional rights to consumers, such as correction of personal information and additional opt-out rights, and creating a new entity, the California Privacy Protection Agency, to implement and enforce the law and impose administrative fines. There currently are a number of additional proposals related to data privacy or security pending before federal, state, and foreign legislative and regulatory bodies, including in a number of U.S. states considering comprehensive consumer protection laws. States such as Virginia, Colorado, Utah and Connecticut have passed comprehensive data privacy laws that have become effective, or will become effective in the near future. Such legislation may add complexity, variation in requirements, restrictions and potential legal risk, require additional investment in resources to compliance programs, and could impact strategies and availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies. Many of the other jurisdictions where we or our customers do business, including the EU, also have restrictive laws and regulations dealing with the processing of personal information. In addition to regulating the processing of personal information within the relevant jurisdictions, these legal requirements often also apply to the processing of personal information outside these jurisdictions, where there is some specified link to the relevant jurisdiction. For example, the European Union's Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "General Data Protection Regulation" or "GDPR") became effective in May 2018, imposes strict requirements on controllers and processors of personal data in the European Economic Area ("EEA"), including, for example, higher standards for obtaining consent from individuals to process their personal data, more robust disclosures to individuals and a strengthened individual data rights regime, greater control for data subjects (including the "right to be forgotten" and data portability) and shortened timelines for data breach notifications. The GDPR created new compliance obligations applicable to our business and our platform and service providers, which could require us to self-determine how to interpret and implement these obligations, change our business practices and expose us to lawsuits (including class action or similar representative lawsuits) by consumers or consumer organizations for alleged breach of data protection laws. Failure to comply with the requirements of GDPR may result in significant fines of up to €20,000,000 or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, and other administrative penalties. The United Kingdom operates a separate but similar regime to the European Union with which we will have to comply and that allows for fines of up to the greater of £17.5 million or 4% of the total worldwide annual turn over of the preceding financial year. Further, beginning January 1, 2021, we have been required to comply with the GDPR and also the United Kingdom GDPR ("UK GDPR"), which, together with the amended United Kingdom Data Protection Act 2018, retains the GDPR in United Kingdom national law. The relationship between the United Kingdom and the European Union in relation to certain aspects of data protection law remains unclear, and it is unclear how the United Kingdom's data protection laws and regulations will develop in the medium to longer term, and how data transfers to and from the United Kingdom will be regulated in the long term. For example, while the EU Commission has adopted an adequacy decision in favor of the United Kingdom, enabling data transfers from European Union member states to the United Kingdom without additional safeguards, the decision will automatically expire in June 2025 unless the EU Commission re-assesses and renews/extends it. These changes may lead to additional costs and increase our overall risk exposure. Recent legal developments also have created compliance uncertainty regarding the transfer of personal information from the U.K. and EEA to certain locations outside of the U.K. and EEA where we or our clients operate or conduct business. In July 2020, the Court of Justice of the European Union ("CJEU") ruled the EU-US Privacy Shield Framework, one of the primary safeguards that allowed U.S. companies to import personal data from the EU to the U.S., was invalid. The CJEU's decision also raised questions about whether the most commonly used mechanism for cross-border transfers of personal data out of the EEA, namely, the European Commission's Standard Contractual Clauses, can lawfully be used for personal data transfers from the EU to the U.S. or other third countries the European Commission has determined do not provide adequate data protections under their laws. On June 4, 2021, the European Commission published new Standard Contractual Clauses (which became effective on June 27, 2021), which impose on companies additional obligations relating to data transfers, including in the transfer, to implement additional security measures and update internal privacy practices. If we elect to rely on the new Standard Contractual Clauses for applicable data transfers, we may be required to incur significant time and resources to update our contractual arrangements and to comply with new obligations. If we are unable to implement a valid mechanism for personal data transfers from the EEA, we could face increased exposure to regulatory actions, substantial fines and injunctions against processing personal data from the EEA. As discussed above, these same considerations must currently be taken into account with regard to the UK GDPR as well. Additionally, other countries outside of the EU have enacted or are considering enacting similar cross order data transfer restrictions and laws requiring local data residency, which could increase the cost and complexity of delivering our services and operating our business. The type of challenges we face in the EU and U.K. will likely also arise in other jurisdictions that adopt regulatory frameworks of equivalent complexity. Accordingly, any actual or perceived failure to comply with these laws and regulations could harm our business, financial condition and results of operations.

Our products and services contain or rely upon extremely complex software programs and are difficult to develop and distribute. We have quality controls in place to detect defects, bugs or other errors in our products and services before they are released. Nonetheless, these quality controls are subject to human error, overriding and resource or technical constraints. In addition, the effectiveness of our quality controls and preventative measures may be negatively affected by the distribution of our workforce resulting from, among other things, the COVID-19 pandemic. As such, these quality controls and preventative measures may not be effective in detecting all defects, bugs or errors in our products and services before they have been released into the marketplace. In such an event, the technological reliability and stability of our products and services could be below our standards and the standards of our players, and our reputation, brand and sales could be adversely affected. In addition, we could be required to, or may find it necessary to, offer a refund for the product or service, suspend the availability or sale of the product or service or expend significant resources to cure the defect, bug or error each of which could significantly harm our business and operating results.

Our continued success will depend to a significant extent on our senior management team and maintaining positive relationships with our games' developers, including Studio Wildcard, and the product development personnel responsible for content creation and development of our ARK franchise. On April 15, 2024, Jim S. Tsai notified the Company of his decision to resign from his position as the Chief Executive Officer of the Company and all of the Company's subsidiaries, including, Snail Games USA, Inc., with such resignation effective April 15, 2024; however, Mr. Tsai remained with the Company for a 30-day transition period. In conjunction with Mr. Tsai's resignation as the Company's Chief Executive Officer, the Company appointed Hai Shi and Xuedong (Tony) Tian to serve as the Company's new Co-Chief Executive Officers, effective April 15, 2024. We are highly dependent on the expertise, skill and knowledge of Mr. Shi, our Founder, Co-Chief Executive Officer, Chief Strategy Officer and Chairman, Mr. Tian, our other Co-Chief Executive Officer, and Mr. Peter Kang, our Vice President and Director of Business Development and Operations. The loss of the services of any or all of these executive officers, or certain key product development personnel, including those employed by studio partners, such as Studio Wildcard, could significantly harm our business. In addition, if one or more key employees were to join a competitor or form a competing company, we may lose additional personnel, experience material interruptions in product development, delays in bringing products to market and difficulties in our relationships with licensors, suppliers and customers, which would significantly harm our business. Failure to continue to attract and retain qualified management and creative personnel could adversely affect our business and prospects.

Our games are primarily purchased, accessed and operated through Xbox Live and Game Pass, PlayStation Network, Steam, Epic Games Store, My Nintendo Store, and in the case of our mobile games, the Apple App Store, the Google Play Store and the Amazon Appstore. Substantially all of the games, DLC and in-game virtual items that we sell are purchased using the payment processing systems of these platforms and, for the nine months ended September 30, 2024, 94.0% of our revenues were generated through Xbox Live and Game Pass, PlayStation Network, Steam, Epic Games Store, My Nintendo Store, the Apple App Store, the Google Play Store, and the Amazon Appstore. Consequently, our expansion and prospects depend on our continued relationships with these providers, and any other emerging platform providers that are widely adopted by our target players. In addition, having such a large portion of our total net revenues concentrated in a few counterparties reduces our negotiating leverage. We are subject to the standard terms and conditions that these platform providers have for game developers, which govern the content, promotion, distribution, operation of games and other applications on their platforms, as well as the terms of the payment processing services provided by the platforms, and which the platform providers can change unilaterally on short notice or without notice. As such, our business would be harmed if: - the platform providers discontinue or limit our access to their platforms;         - governments or private parties, such as internet providers, impose bandwidth restrictions, increase charges or restrict or prohibit access to those platforms;         - the platforms increase the fees they charge us;         - the platforms modify their algorithms, communication channels available to developers, respective terms of service or other policies;         - the platforms decline in popularity;         - the platforms adopt changes or updates to their technology that impede integration with other software systems or otherwise require us to modify our technology or update our games in order to ensure players can continue to access our games and content with ease;         - the platforms elect or are required to change how they label free-to-play games or take payment for in-game purchases;         - the platforms block or limit access to the genres of games that we provide in any jurisdiction;         - the platform experiences a bankruptcy or other form of insolvency event; or         - we are unable to comply with the platform providers' terms of service. Moreover, if our platform providers do not perform their obligations in accordance with our platform agreements or otherwise meet our business requirements, we could be adversely impacted. For example, in the past, some of these platform providers have experienced outages for short periods of time, unexpectedly changed their terms or conditions, or experienced issues with their features that permit our players to purchase games or in-game virtual items. In addition, if we do not adhere to the terms and conditions of our platform providers, the platform providers may take actions to limit the operations of, suspend or remove our games from the platform, and/or we may be exposed to liability or litigation. For example, in August 2020, Epic Games, Inc. ("Epic Games"), attempted to bypass Apple and Google's payment systems for in-game purchases with an update that allowed users to make purchases directly through Epic Games in its game, Fortnite. Apple and Google promptly removed Fortnite from their respective app stores, and Apple filed a lawsuit seeking injunctive relief to block the use of Epic Games' payment system and sought monetary damages to recover funds made while the updated version of Fortnite was active. If any such events described above occur on a short-term or long-term basis, or if these third-party platforms and online payment service providers otherwise experience issues that impact the ability of players to download or access our games, access social features, or make in-game purchases, it would have a material adverse effect on our brands and reputation, as well as our business, financial condition and results of operations.

We compete for the sale of interactive entertainment software with Sony and Microsoft, each of which is a large developer and marketer of software for its own platforms. We also compete with game publishers, such as Activision Blizzard, Inc., Electronic Arts Inc., Take-Two Interactive, Ubisoft, Epic Games, Tencent, Zynga, Netmarble, Sony, Microsoft and Nintendo primarily for game development on consoles, PCs and mobile devices. Across the sandbox survival game genre, we primarily compete with Embracer Group, Saber Group, Enand Global 7, FunCom, Axolot Games and Facepunch Studios. As our business is dependent upon our ability to develop hit titles, which require increasing budgets for development and marketing, the availability of significant financial resources has become a major competitive factor in developing and marketing software games. Some of our competitors have greater financial, technical, personnel and other resources than we do and are able to finance larger budgets for development and marketing and make higher offers to licensors and developers for commercially desirable properties. Our titles also compete with other forms of entertainment, such as social media and casual games, in addition to film, television and audio and video products featuring similar themes, online computer programs and other entertainment, which may be less expensive or provide other advantages to consumers. A number of software publishers who compete with us have developed and commercialized or are currently developing online games. As technological advances significantly increase the availability of online games and as consumer acceptance of online gaming grows substantially, it could result in a decline in our platform-based software sales and negatively affect sales of such products. Additionally, we compete with other forms of entertainment and leisure activities. While we monitor general market conditions, significant shifts in consumer demand that could materially alter public preferences for different forms of entertainment and leisure activities are difficult to predict. Failure to adequately identify and adapt to these competitive pressures could have a negative impact on our business.

In-game purchases involve discretionary spending on the part of consumers. Consumers are generally more willing to make discretionary purchases, including purchases of games and services like ours, during periods in which favorable economic conditions prevail. As a result, our games may be sensitive to general economic conditions and economic cycles. A reduction or shift in domestic or international consumer spending could result in an increase in our marketing and promotional expenses, in an effort to offset that reduction, and could negatively impact our business. Discretionary spending on entertainment activities could further decline for reasons beyond our control, such as natural disasters, acts of war, pandemics, terrorism, transportation disruptions or the results of adverse weather conditions. Additionally, disposable income available for discretionary spending may be reduced by unemployment, higher housing, energy, interest or other costs, or where the actual or perceived wealth of customers has decreased because of circumstances such as lower residential real estate values, increased foreclosure rates, inflation, increased tax rates or other economic disruptions. Any prolonged or significant decrease in consumer spending on entertainment activities could result in reduced play levels and decreased spending on our games, and could adversely impact our results of operations, cash flows and financial condition.

Our corporate headquarters is located in Culver City, California. Additionally, we rely on third-party infrastructure, enterprise applications and internal technology systems for our development, marketing, operational support and sales activities. The West Coast of the United States, where our corporate headquarters are located, contains active earthquake zones and has been subject to numerous devastating wildfires and associated electrical blackouts. In the event of a catastrophic event, including a natural disaster such as an earthquake, hurricane, fire, flood, tsunami or tornado, or other catastrophic event such as power loss, telecommunications failure, software or hardware malfunction, cyber-attack, war, terrorist attack or incident of mass violence in the Los Angeles area or elsewhere where our operations are located or where certain other systems and applications that we rely on are hosted, we may be unable to continue our operations and may endure significant system interruptions, reputational harm, delays in our application development, lengthy interruptions in our platform, breaches of data security and loss of critical data, all of which could have an adverse effect on our future operating results. In addition, natural disasters, cyber-attacks, escalation of geopolitical tensions, including as a result of escalations in the ongoing conflict between Russia and Ukraine or Israel and Hamas, acts of terrorism, public health crises, such as pandemics and epidemics, or other catastrophic events could cause disruptions in our or our customers' businesses, national economies or the world economy as a whole.