permitting cashless payments. All information processed, stored, and retained by Company or on
behalf of Company is subject to the continually evolving risk of intrusion, tampering, and theft.
Although the Company maintains systems to prevent or defend against these risks, these systems
require ongoing monitoring and updating as technologies change, and security could be compromised,
personal or confidential information could be misappropriated, or system disruptions could occur. In
the ordinary course of its business, the Company also provides certain confidential, proprietary, and
personal information to third parties. While the Company seeks to obtain assurances that these third
parties will protect this information and systems in accordance with legal requirements and industry
standards, there is a risk the security of systems and data held by third parties could be compromised.
A compromise of the Company’s systems could adversely affect the Company’s reputation and disrupt
its operations and could also result in litigation against the Company or the imposition of penalties. In
addition, it could be costly to remediate. Although the Company has not experienced cyber incidents
that are individually, or in the aggregate, material, the Company has experienced cyber-attacks in the
past, which have thus far been mitigated by preventative, detective, and responsive measures put in
place by the Company.
In addition, in response to these types of threats, there has been heightened legislative and regulatory
focus on data privacy and security in the United States, European Union, and elsewhere. The
regulatory framework for data privacy and security worldwide is continuously evolving and developing
and, as a result, the Company must monitor a growing and fast-evolving set of legal requirements and
geopolitical risks in this area. This regulatory environment is increasingly challenging and may present
material obligations and risks to the Company’s business, including significantly expanded compliance
requirements, costs, and enforcement risks. As a result, it is possible that these types of inquiries
regarding cybersecurity incidents increase in frequency and scope. In addition, new laws, amendments
to or reinterpretations of existing laws, regulations, standards, and other obligations may require the
Company or its third-party service providers to incur additional costs and restrict its business
operations, and may require the Company or its third-party service providers to change how they use,
collect, store, transfer, or otherwise process certain types of personal information and to implement
new processes to comply with those laws and its Customers’ exercise of their rights thereunder. These
laws also are not uniform, as certain laws may be more stringent or broader in scope, or offer greater
individual rights, with respect to sensitive and personal information, and such laws may differ from
each other, which may complicate compliance efforts. Accordingly, compliance in the event of a
widespread data breach may be costly. Any failure or perceived failure by the Company or its third-
party service providers to comply with any applicable federal, state, or similar foreign laws, rules,
regulations, industry standards, policies, certifications, or orders relating to data privacy and security,
or any compromise of security that results in the theft, unauthorized access, acquisition, use,
disclosure, or misappropriation of personal data or other customer data, could result in significant
awards, fines, civil and/or criminal penalties or judgments, proceedings, or litigation by governmental
agencies or customers, including class action privacy litigation in certain jurisdictions and negative
publicity and reputational harm, one or all of which could have an adverse effect on the Company’s
reputation, business, financial condition, and results of operations.
The Company has a dedicated cybersecurity team and program that focuses on current and emerging
data security matters. The Company continues to assess and invest in the growing needs of the
cybersecurity team through the allocation of skilled personnel, ongoing training, and support of the
adoption and implementation of technologies coupled with cybersecurity risk management
frameworks. Additionally, as cyber attacks become increasingly sophisticated, the Company may also
incur significant costs to modify, upgrade, or enhance its cybersecurity measures to protect against
48