Thoughtworks Holding (TWKS) Risk Analysis

In the ordinary course of business, we collect, use, store, process, transmit and view sensitive or confidential data, including intellectual property, proprietary business information or personally identifiable information belonging to us, our clients, respective employees and other end users. This information is stored on our networks or in the data centers and networks of third-party providers. Physical security and the secure processing, maintenance and transmission of this information is critical to our operations and business strategy. Some of our clients have sought, and may continue to seek, additional assurances for the protection of their sensitive information, including personally identifiable information, and attach greater liability in the event that their sensitive information is disclosed. Despite security measures, information technology and infrastructure may be vulnerable to attacks by hackers, computer malware, viruses, social engineering (including phishing and ransomware attacks), or breached due to software bugs, human error, employee theft, misuse, misconduct or malfeasance, system failure or other disruptions. Any such breach could compromise our networks, or the networks of our third-party providers, and the information stored there could be accessed, held for ransom, publicly disclosed, misappropriated, lost or stolen. Some of our systems will not be fully redundant and any problems at our third-party providers' data centers could result in lengthy interruptions in service. Such a breach, misappropriation or disruption could also disrupt our operations and the services we provide to clients, damage our reputation, and cause a loss of confidence in our tools and services, as well as require us to expend significant resources to protect against further breaches and to rectify problems caused by these events. Any such access, disclosure or other loss of information could result in legal claims or proceedings, liability under applicable laws, and regulatory penalties and could adversely affect our business, revenues and competitive position. The techniques utilized and planned by hackers, bad actors, and other unauthorized entrants are varied and constantly evolving and may not be detected until a breach has occurred. As a result, despite our efforts, it may be difficult or impossible for us to implement measures that fully prevent such attacks or react in a timely manner. Unauthorized parties may in the future attempt to gain access to our systems or facilities through various means, including, among others, hacking into our or our clients' systems or facilities, or attempting to fraudulently induce our employees, clients or others into disclosing usernames, passwords, or other sensitive information, which may, in turn, be used to access our information technology systems and gain access to our data or other confidential, proprietary, or sensitive information. Such efforts may be state-sponsored and supported by significant financial and technological resources, making them even more difficult to detect and prevent. There can be no assurance that any security or other operational measures that we or our third-party providers have implemented will be effective against any of the foregoing threats or issues. In addition, certain of our third-party providers may also be subject to such attempts, which then can be used to attempt to infiltrate our systems or to access our data or other confidential, proprietary, or sensitive information. Because we do not control our third-party service providers or the processing of data by such providers, other than through our contractual relationships, our ability to monitor our third-party providers' data security may be very limited such that we cannot ensure the integrity or security of measures they take to protect and prevent the loss of our or our clients' data. As a result, we are subject to the risk that cyber-attacks on, or other security incidents affecting, our third-party providers may adversely affect our business even if an attack or breach does not directly impact our systems. It is also possible that security breaches sustained by, or other security incidents affecting, our competitors could result in negative publicity for our entire industry that indirectly harms our reputation and diminishes demand for our services and solutions. Furthermore, federal and state regulators and many federal and state laws and regulations require notice of certain data security breaches that involve personal information, which, if applicable, could lead to widespread negative publicity, which may cause our clients to lose confidence in the effectiveness of our data security measures. In addition, we may incur significant costs and operational consequences in connection with investigating, mitigating, remediating, eliminating, and putting in place additional measures designed to prevent future actual or perceived security incidents, as well as in connection with complying with any notification or other obligations resulting from any security incidents. Our insurance policies may not be adequate to reimburse us for losses caused by security breaches, and we may not be able to collect fully, if at all, under these insurance policies. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could adversely affect our business. Furthermore, we cannot be certain that insurance coverage will continue to be available on acceptable terms or at all, or that the insurer will not deny coverage as to any future claim. If we are unable to fully protect the security and privacy of our data, or if we or our third-party service providers are unable to prevent any data security breach, incident, unauthorized access, and/or misuse of our information by our clients, employees, service providers, or hackers, it could result in significant liability (including litigation and regulatory actions and fines), cause lasting harm to our brand and reputation and cause us to lose existing clients and fail to win new clients.

Our service model relies on maintaining well-functioning voice and data communications, online resource management, financial and operational record management, client service and data processing systems between our client sites and our client management locations. Our business activities may be materially disrupted in the event of a partial or complete failure of any of these technologies, which could be due to software malfunction, computer virus attacks, conversion errors due to system upgrades, damage from fire, earthquake, power loss, telecommunications failure, unauthorized entry, demands placed on internet infrastructure by growing numbers of users and time spent online, increased bandwidth requirements or other events beyond our control. Such events could result in interruptions in service to our clients, damage to our reputation, harm to our client relationships, and reduced revenues and profitability. Further, because we rely on third-party service providers, we may be affected by security incidents that we can neither control nor mitigate, including their vulnerability to damage or interruption from physical theft, fire, natural disasters, acts of terrorism, power loss, war, telecommunications and other service failures, computer viruses, degradation of service attacks, ransomware, insider theft or misuse, break-ins, software bugs, human error, technical malfunctions and similar events. Our crisis management procedures, business continuity plans and disaster recovery capabilities may not be effective at preventing or mitigating the effects of such disruptions, particularly in the case of a catastrophic event. Loss of all or part of the infrastructure or systems for a period of time could hinder our performance or our ability to complete client projects on time which, in turn, could lead to a reduction of our revenues or otherwise materially adversely affect our business and business reputation.

We are subject to many laws and regulations that restrict our international operations, including laws that prohibit activities involving restricted countries, organizations, entities and persons that have been identified as unlawful actors or that are subject to U.S. sanctions. The U.S. Office of Foreign Assets Control ("OFAC)" and other regulatory bodies that may have jurisdiction over aspects of our operations from time to time have imposed sanctions that prohibit us from engaging in trade or financial transactions with certain countries, businesses, industry sectors, organizations and individuals. We are also subject to the FCPA and anti-bribery and anti-corruption laws in other countries, all of which prohibit companies and their intermediaries from bribing government officials and other business partners for the purpose of obtaining or keeping business or otherwise obtaining favorable treatment. We operate in many parts of the world that have experienced government corruption to some degree, and, in certain circumstances, strict compliance with anti-bribery laws may conflict with local customs and practices, although adherence to local customs and practices is generally not a defense under U.S. and other anti-bribery laws. Our compliance program contains controls and procedures designed to ensure our compliance with the FCPA, OFAC and other sanctions, and laws and regulations. The continuing implementation and ongoing development and monitoring of our compliance program may be time consuming, expensive, and could result in the discovery of compliance issues or violations by us or our employees, independent contractors, subcontractors or agents of which we were previously unaware. Any violations of these or other laws, regulations and procedures by our employees or agents, including third parties with whom we associate or companies we acquire, could expose us to administrative, civil or criminal penalties, fines or business restrictions, which could have a material adverse effect on our results of operations and financial condition and would adversely affect our reputation and the market for shares of our common stock and may require certain of our investors to disclose their investment in us under certain state laws.

We conduct business globally and file income tax returns in multiple jurisdictions. Our effective tax rate could be materially adversely affected by several factors, including changes in the amount of income taxed by or allocated to the various jurisdictions in which we operate that have differing statutory tax rates; changing tax laws, regulations and interpretations of such tax laws in one or more jurisdictions; and the resolution of issues arising from tax audits or examinations and any related interest or penalties. The determination of our income tax expense and other tax liabilities requires estimation, judgment and calculations where the ultimate tax determination may not be certain. Our determination of tax liability is always subject to review or examination by authorities in various jurisdictions. If a tax authority in any jurisdiction reviews any of our tax returns and proposes an adjustment, including, but not limited to, a determination that the transfer prices and terms we have applied are not appropriate, such an adjustment could have a negative impact on our results of operations, business and profitability. In addition, any significant changes to the Tax Cuts and Jobs Act ("U.S. Tax Act") enacted in 2017, or to regulatory guidance associated with the U.S. Tax Act, could materially adversely affect our effective tax rate. Many countries in which we operate enacted local legislation related to the Organization for Economic Co-operation and Development Pillar Two Global Anti-Base Erosion ("GloBE") rules, which include the introduction of a 15% global minimum tax. We continue to monitor and evaluate the GloBE rules and their potential impact on our effective tax rate.

The market for technology services and solutions is intensely competitive, highly fragmented and subject to rapid change and evolving industry standards and we expect competition to intensify. Our success depends on creating software services and solutions that deeply connect our clients with consumers and employees. For example, if we are unable to anticipate technology developments, enhance our existing services or develop and introduce new services to keep pace with such changes and meet changing client needs, we may lose clients and our revenues and results of operations could suffer. Our results of operations would also suffer if our innovations are not responsive to the needs of our clients, are not appropriately timed with market opportunities, are not effectively brought to market or are commoditized. Existing and new competitors may be able to offer engineering, design and innovation services that are, or that are perceived to be, substantially similar or better than those we offer, or they may offer such services at a discounted rate. In addition, our competitors may have greater financial, technical and other resources and greater name recognition than we do. Certain competitors may also have, or over time will have, a stronger presence in certain geographic markets. We may also face competition from in-house development by our clients, academic and government institutions, and the open-source community who may offer similar solutions or an adequate substitute for our services and solutions. These factors may force us to compete on other fronts in addition to the quality of our services and to expend significant resources in order to remain competitive, which we may be unable to do.

Our services are marketed to clients and prospective clients based on a number of factors, including reputation. Our corporate reputation is a significant factor in our potential clients' evaluation of whether to engage our services. Our clients' perception of our ability to add value through our services is critical to the profitability of our engagements. We believe that the Thoughtworks brand name and our reputation are important corporate assets that help distinguish our services from those of our competitors and contribute to our efforts to recruit and retain talented employees. Our corporate reputation is potentially susceptible to damage by actions or statements made by current or former clients and employees, competitors, vendors, adversaries in legal proceedings, government regulators, as well as members of the investment community and the media. We and our officers and directors are and may from time to time be subject to legal proceedings in the ordinary course of business or otherwise, which could adversely affect our reputation even if we or they ultimately prevail. There is a risk that negative information about us, even if untrue, could adversely affect our business, could cause damage to our reputation and be challenging to repair, could make potential or existing clients reluctant to select us for new engagements, could lead to a loss of revenue or litigation, and could adversely affect our recruitment and retention efforts. Damage to our reputation could also reduce the value and effectiveness of the Thoughtworks brand name and could reduce investor confidence in us.

If our professionals make errors in the course of delivering services or we fail to meet contractual obligations to a client, these errors or failures could disrupt the client's business or expose confidential or personally identifiable information. Any of these events could result in a reduction in our revenues, damage to our reputation, and could also result in a client terminating our engagement and making claims for substantial damages against us. Some of our client agreements do not limit our potential liability for occurrences such as breaches of confidentiality and indemnification relating to intellectual property infringement, misappropriation or other violations, and we cannot generally limit liability to third parties with which we do not have a contractual relationship. In some cases, breaches of confidentiality obligations, including obligations to protect personally identifiable information, may entitle the aggrieved party to equitable remedies, including injunctive relief. Although we maintain professional liability insurance, product liability insurance, commercial general and property insurance, business interruption insurance, workers' compensation coverage, cyber insurance and umbrella insurance for certain of our operations, our insurance coverage does not insure against all risks in our operations or all claims we may receive. Damage claims from clients or third parties brought against us or claims that we initiate due to the disruption of our business, litigation or natural disasters, may not be covered by our insurance, may exceed the limits of our insurance coverage, and may result in substantial costs and diversion of resources even if insured. Some types of insurance are not available on reasonable terms or at all in some countries in which we operate, and we cannot insure against damage to our reputation. The assertion of one or more large claims against us, whether or not successful and whether or not insured, could materially adversely affect our reputation, business, financial condition and results of operations.

Our functional currency is the U.S. dollar. However, we are exposed to foreign currency exchange transactions related to our non-U.S. operations. Our profit margins are subject to volatility as a result of changes in foreign exchange rates. Significant fluctuations in currency exchange rates have had, and may continue to have, a material impact on our business and results of operations. In some countries, we may be subject to regulatory or practical restrictions on the movement of cash and the exchange of foreign currencies, which would limit our ability to use cash across our global operations and increase our exposure to currency fluctuations. This risk could increase as we continue expanding our global operations, which may include entering emerging markets that may be more likely to impose these types of restrictions. Currency exchange volatility caused by political or economic instability or other factors could also materially impact our results. See "Item 7A. Management's Discussion and Analysis of Financial Condition and Results of Operations-Quantitative and Qualitative Disclosures About Market Risk-Foreign Currency Risk."