SolarWinds (SWI) Risk Analysis

Our product portfolio has grown from self-hosted network management products to broad-based self-hosted systems monitoring and management products, products for the growing multi-cloud markets and cloud-native SaaS offerings. We offer a broad portfolio of observability, IT management and service management products designed to solve the strategic and day-to-day problems encountered by technology professionals and leaders managing complex IT infrastructure, spanning self-hosted, multi-cloud, and hybrid IT environments. We utilize AI and machine learning in some of our products, and we believe this may be a significant enabler for driving value for customers within our product portfolio. Our long-term growth depends on our ability to continually enhance and improve our existing products and develop or acquire new products that address the common problems encountered by technology professionals and leaders on a day-to-day basis in evolving observability, IT management and service management markets. The success of any enhancement or new product depends on a number of factors, including its relevance to our existing and potential customers, timely completion and introduction and market acceptance. As with many developing technologies, AI presents risks and challenges that could affect further development, adoption and use, including flawed algorithms, poor quality, incomplete datasets or biased data practices. If the recommendations, forecasts, or analyses that AI applications assist in producing are deficient or inaccurate, we could be subjected to competitive harm, potential legal liability, and brand or reputational harm. In addition, new products and enhancements, including any AI-based applications, that we develop or acquire may not sufficiently address the evolving needs of our existing and potential customers, may not be introduced in a timely or cost-effective manner, and may not achieve the broad market acceptance necessary to generate the amount of revenue necessary to realize returns on our investments in developing or acquiring such products or enhancements. In addition, if our expanded product portfolio, in particular our cloud-native SaaS offerings, do not garner widespread market adoption, or there is a reduction in demand due to a lack of customer acceptance, technological challenges, weakening economic conditions, security or privacy concerns, competing technologies or decreases in corporate spending, our financial results could suffer. If our new products and enhancements are not successful for any reason, certain products in our portfolio may become obsolete, less marketable and less competitive, and our business will be harmed.

The software and technology industries are characterized by the existence of a large number of patents, copyrights, trademarks and trade secrets and by frequent litigation based on allegations of infringement or other violations of intellectual property rights. We have received, and from time to time may receive, letters claiming that our products infringe or may infringe the patents or other intellectual property rights of others. As we face increasing competition and as our brand awareness increases, the possibility of additional intellectual property rights claims against us grows. Our technologies may not be able to withstand any third-party claims or rights against their use. Additionally, we have licensed from other parties proprietary technology covered by patents and other intellectual property rights, and these patents or other intellectual property rights may be challenged, invalidated or circumvented. These types of claims could harm our relationships with our customers, might deter future customers from acquiring our products or could expose us to litigation with respect to these claims. Even if we are not a party to any litigation between a customer and a third party, an adverse outcome in that litigation could make it more difficult for us to defend our intellectual property in any subsequent litigation in which we are named as a party. Any of these results would have a negative effect on our business and operating results. Any intellectual property rights claim against us or our customers, with or without merit, could be time-consuming and expensive to litigate or settle and could divert management resources and attention. As a result of any successful intellectual property rights claim against us or our customers, we might have to pay damages or stop using technology found to be in violation of a third party's rights, which could prevent us from offering our products to our customers. We could also have to seek a license for the technology, which might not be available on reasonable terms, and this might significantly increase our cost of revenue or might require us to restrict our business activities in one or more respects. The technology also might not be available for license to us at all. As a result, we could also be required to develop alternative non-infringing technology or cease to offer a particular product, which could require significant effort and expense and/or hurt our revenue and financial results of operations. Our exposure to risks associated with the use of intellectual property may be increased as a result of our past and any future acquisitions as we have a lower level of visibility into the development process with respect to acquired technology or the care taken to safeguard against infringement risks. Third parties may make infringement and similar or related claims after we have acquired technology that had not been asserted prior to our acquisition.

We are heavily dependent on our technology infrastructure to operate our business, and our customers rely on our products to help manage and secure their own IT infrastructure and environments, including their and their customers' confidential information. Despite our implementation of security measures and controls, our systems and those of third parties upon whom we rely are vulnerable to attack from numerous threat actors, including sophisticated nation-state and nation-state-supported actors (including advanced persistent threat intrusions), as well as events that may arise from human error, fraud or malice on the part of employees, contractors or other third parties as well as other insider threats. In addition, as AI capabilities improve and are increasingly adopted, we may see cyberattacks created through AI or leveraging AI technology. These attacks could be crafted with an AI tool to directly attack information systems with increased speed and/or efficiency than a human threat actor or create more effective phishing emails. Threat actors have been, and may in the future be, able to compromise our security measures or otherwise exploit vulnerabilities in our IT systems or products, including vulnerabilities that may arise from, or have been introduced through, the actions, inactions or errors of our employees or contractors or defects in the design or manufacture of our products and systems or the products and systems that we procure from third parties. In addition, our legacy products have been and may in the future be more vulnerable to compromise. Vulnerabilities may also arise from, or be introduced through our or our customers and partners incorporating the output of an AI tool that includes a threat, such as introducing malicious code by incorporating AI-generated source code. As a result, threat actors have been, and may in the future be, able to breach or compromise our IT systems, including those which we use to design, develop, deploy and support our products, and access and misappropriate our, our current or former employees' and our customers' proprietary and confidential information, including our software source code, introduce malware, ransomware or vulnerabilities into our products and systems and create system disruptions or shutdowns. In addition, our customers have in the past and may in the future incorrectly configure our software, which has resulted in and may in the future result in loss or a breach of business data or other security incidents. We also work with third-party researchers in an attempt to limit our customers' exposure to security incidents they may experience as a result of using our products. Such security researchers and other individuals have and will likely continue to actively search for, publish and/or exploit actual and potential vulnerabilities in our products which have and may in the future compromise our systems and put our customers at risk. We also rely on third-party and open-source software that has in the past and may in the future contain bugs, vulnerabilities, or errors that have been or in the future could be exploited or disclosed before a patch or fix is available. By virtue of the role our products play in helping to manage and secure the environments and systems of our customers, attacks on our systems and products can result in similar impacts on our customers' systems and data. Moreover, the number and scale of cyberattacks have continued to increase and the methods and techniques used by threat actors, including sophisticated "supply-chain" attacks such as the Cyber Incident, malware, ransomware, viruses, denial of service attacks, insider threats and phishing, deepfake and social engineering attacks, continue to evolve at a rapid pace. In particular, supply chain attacks have increased in frequency and severity, and we cannot guarantee that third parties and infrastructure in our supply chain have not been compromised or that they do not contain exploitable defects or bugs that could result in a breach of or disruption to our solutions and networks or the systems and networks of third parties that support us and our solutions. As a result, we may be unable to identify current attacks, anticipate these attacks or implement adequate security measures. We have experienced, and may in the future experience, security breaches that may remain undetected for an extended period and, therefore, have a greater impact on our systems, our products, the proprietary data contained therein, our customers and ultimately, our business. In addition, our ability to defend against and mitigate cyberattacks depends in part on prioritization decisions that we and third parties upon whom we rely make to address vulnerabilities and security defects. While we endeavor to address identified vulnerabilities in our products, we and such third parties must make determinations as to how we prioritize developing and deploying the respective fixes, which can delay, limit or prevent development or deployment of a mitigation and harm our reputation. We have and continue to expend significant financial and development resources to address and eliminate vulnerabilities. Likewise, even once a vulnerability has been addressed, for certain of our products, the fix will only be effective once a customer has updated the impacted product with the latest release, and customers that do not install and run the latest supported versions of our products may remain vulnerable to attack. Additionally, we use third-party service providers to provide some services to us that involve the cloud hosting, storage or transmission of data, such as SaaS, cloud computing, and internet infrastructure and bandwidth, and they could experience operational outages, or various cybersecurity threats, suffer cybersecurity incidents, or other security breaches, which would adversely impact our business. Cyberattacks and other security incidents such as phishing schemes, have resulted, and in the future may result, in numerous risks and adverse consequences to our business, including that: - our prevention, mitigation and remediation efforts may not be successful or sufficient;- our confidential and proprietary information, including our source code, as well as information that related to current or former employees and customers may be accessed, exfiltrated, misappropriated, compromised or corrupted;- we incur significant financial, legal, reputational and other harms to our business, including loss of business, decreased sales, severe reputational damage adversely affecting current and prospective customer, employee or vendor relations and investor confidence, U.S. or foreign regulatory investigations and enforcement actions, litigation, indemnity obligations, damages for contractual breach, penalties for violation of applicable laws or regulations, including laws and regulations in the United States and other jurisdictions relating to the collection, use and security of user and other personally identifiable information and data, significant costs for remediation, impairment of our ability to protect our intellectual property, stock price volatility and other significant liabilities;- our insurance coverage, including coverage relating to certain security and privacy damages and claim expenses, may not be available or sufficient to compensate for all liabilities we incur related to these matters or that we may face increased costs to obtain and maintain insurance in the future; and - our steps to secure our internal environment, adapt and enhance our software development and build environments and ensure the security and integrity of the products that we deliver to customers may not be successful or sufficient to protect against future threat actors or cyberattacks. We have incurred and expect to continue to incur significant expenses related to our cybersecurity initiatives.

Our products must integrate with a variety of network, cloud, hardware and software platforms, and we need to continuously modify and enhance our products to adapt to changes in hardware, software, cloud, networking, browser and database technologies. We believe a significant component of our value proposition to customers is the ability to optimize and configure our products to integrate with our systems and those of third parties. If we are not able to integrate our products in a meaningful and efficient manner, demand for our products could decrease and our business and results of operations would be harmed. In addition, we have a large number of products, and maintaining and integrating them effectively requires extensive resources. Our continuing efforts to make our products more interoperative may not be successful. Failure of our products to operate effectively with future infrastructure platforms and technologies could reduce the demand for our products, resulting in customer dissatisfaction and harm to our business. If we are unable to respond to changes in a cost-effective manner, our products may become less marketable, less competitive or obsolete and our business and results of operations may be harmed.

As internet commerce continues to evolve, increasing regulation by federal, state or foreign agencies becomes more likely. In addition to data privacy and security laws and regulations, taxation of products and services provided over the internet or other charges imposed by government agencies or by private organizations for accessing the internet may also be imposed. Any regulation imposing greater fees for internet use or restricting information exchange over the internet could result in a decline in the use of the internet and the viability of internet-based services and product offerings, which could harm our business and operating results. The technology industry is also subject to intense media, political, and regulatory scrutiny, which exposes us to government investigations, legal actions, and penalties. Legislators and regulators also have proposed new laws and regulations intended to restrain the activities of technology companies including laws relating to AI and machine learning. Laws, regulations and governmental policies in this area are rapidly changing. For example, the prior U.S. presidential administration signed an Executive Order on AI in October 2023 establishing guidelines for AI development and use, which was rescinded in January 2025. In December 2023, the European Union passed the AI Act. Although part of the AI Act came into effect in August 2024, it will not be fully enforceable until August 2026. Like GDPR, the AI Act is extra territorial in scope so may apply outside of Europe and its immediate impact is likely to be significant. The AI Act categorizes AI systems based upon risk, with some uses of AI prohibited entirely under the AI act. If we are using AI in a way that is prohibited under the AI Act, we may be exposed to complaints, litigation, negative publicity, or regulatory action including monetary penalties. Additionally, we may be directed by regulators to withdraw any non-compliant AI systems we provide from use. Therefore, the costs of compliance with the AI Act are likely to be significant. The AI Act may be seen as a benchmark for regulation and may accelerate and/or inform the drafting by other countries enacting similar laws or regulations. These new laws or regulations could have impacts on us, even if they are not intended to affect our company. The AI Act and any other new laws or regulations could require us to change our products and services or alter our business operations, which could harm our business or open us up to additional scrutiny by new AI regulators.

Businesses that we acquire may have liabilities or adverse operating issues, or both, that we fail to discover through due diligence or the extent of which we underestimate prior to the acquisition. For example, to the extent that any business that we acquire or any prior owners, employees or agents of any acquired businesses or properties (i) failed to comply with or otherwise violated applicable laws, rules or regulations; (ii) failed to fulfill or disclose their obligations, contractual or otherwise, to applicable government authorities, their customers, suppliers or others; or (iii) incurred tax or other liabilities, we, as the successor owner, may be financially responsible for these violations and failures and may suffer harm to our reputation and otherwise be adversely affected. An acquired business may have problems with internal control over financial reporting, which could be difficult for us to discover during our due diligence process and could in turn lead us to have significant deficiencies or material weaknesses in our own internal control over financial reporting. These and any other costs, liabilities and disruptions associated with any of our past acquisitions and any future acquisitions could harm our operating results.

Based on our current corporate structure, we may be subject to taxation in several jurisdictions around the world with increasingly complex tax laws, the application of which can be uncertain. The amount of taxes we pay in these jurisdictions could increase substantially as a result of changes in the applicable tax rules, including increased tax rates, new tax laws or revised interpretations of existing tax laws and precedents. In addition, the authorities in these jurisdictions could challenge our methodologies for valuing developed technology or intercompany arrangements, including our transfer pricing. The relevant taxing authorities may determine that the manner in which we operate our business does not achieve the intended tax consequences. If such a disagreement were to occur, and our position were not sustained, we could be required to pay additional taxes, interest and penalties. Such authorities could claim that various withholding requirements apply to us or our subsidiaries or assert that benefits of tax treaties are not available to us or our subsidiaries. Any increase in the amount of taxes we pay or that are imposed on us could increase our worldwide effective tax rate and adversely affect our business and operating results.

A portion of our self-hosted license sales, including maintenance renewals associated with such products, as well as sales of our time-based subscription offerings, are to a number of different departments of the U.S. federal government. In certain calendar quarters, particularly the first and third calendar quarters, this portion may be meaningful. Any factors that cause a decline, delay or disruption in government expenditures generally or government IT expenditures in particular could cause our revenue to grow less rapidly or even to decline. Following the Cyber Incident, our government contracts have received enhanced scrutiny and negative media attention. If we are unable to secure the data we maintain, our ability to maintain our existing and acquire new government contracts may be substantially impacted. Other challenges include, but are not limited to, constraints on the budgetary process, including changes in the policies and priorities of the U.S. federal government, continuing resolutions, adherence to government audit and certification requirements such as FedRAMP, OMB Memo 22-18 and the NIST Secure Software Development Framework, debt ceiling disruptions, deficit-reduction legislation, and any shutdown or default of the U.S. federal government. Furthermore, sales orders from the U.S. federal government tend to be dependent on many factors and thus the timing of the procurement process can be unpredictable. Any sales we expect to make in a quarter may not be made in that quarter or at all, and our operating results for that quarter may therefore be adversely affected.

To increase our revenue, we must regularly add new customers, including new customers within existing client organizations, and sell additional products or upgrades, including conversions to our subscription products, to existing customers. Even if we capture a significant volume of leads from our digital marketing activities, we must be able to convert those leads into sales of our products in order to achieve revenue growth. We primarily rely on our direct sales force to sell our products to new and existing customers and convert qualified leads into sales using our high-velocity "selling from the inside" sales model, which we augment with a targeted, high-touch enterprise sales team and Customer Success motion. Accordingly, our ability to achieve significant growth in revenue in the future will depend on our ability to recruit, train and retain sufficient numbers of sales personnel, and on the productivity of those personnel. We plan to continue to expand our sales force both domestically and internationally. Our recent and planned personnel additions may not become as productive as we would like or in a timely manner, and we may be unable to hire or retain sufficient numbers of qualified individuals in the future in the markets where we do or plan to do business. In addition, as we augment our sales model and our solutions expand, additional training for new hires and our existing personnel may be required to successfully execute those strategies. If we are unable to sell products to new customers and additional products or upgrades to our existing customers through our direct sales force or through our channel partners, which supplement our direct sales force by distributing our products and generating sales opportunities, we may be unable to grow our revenue and our operating results could be adversely affected.