Avantax (AVTA) Risk Analysis

Regulations related to data processing by online service providers is evolving as federal, state, and foreign governments continue to adopt new, or modify existing, laws and regulations addressing data privacy and the collection, processing, storage, transfer, and use of data. This includes, for example, the European Union's General Data Protection Regulation, rules and regulations promulgated under the authority of the Federal Trade Commission, the Health Insurance Portability and Accountability Act of 1996, federal and state labor and employment laws, state data breach notification laws, and state privacy laws such as the California Consumer Privacy Act of 2018, the California Privacy Rights Act of 2020, the Colorado Privacy Act, the Virginia Consumer Data Privacy Act, the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, the Gramm-Leach-Bliley Act of 1999, SEC Regulation S-P, the Fair Credit Reporting Act of 1970, as amended, and Regulation S-ID, and further potential federal and state requirements. If we are unable to engineer products that meet these evolving requirements or help our clients meet their obligations under these or other new data regulations, we might experience reduced demand for our offerings. Further, penalties for non-compliance with these laws may be significant. Other governmental authorities throughout the U.S. and around the world have proposed or are considering similar types of legislative and regulatory proposals. Each of these privacy, security, and data protection laws and regulations could impose significant limitations, require changes to our business, require notification to clients or workers of a security breach, restrict our use or storage of personal information, or cause changes in client purchasing behavior, which may make our business more costly, less efficient or impossible to conduct, and may require us to modify our current or future products or services, which may make clients less likely to purchase our products and may harm our future financial results. Additionally, any actual or alleged noncompliance with these laws and regulations could result in negative publicity and subject us to investigations, claims, or other remedies, including demands that we modify or cease existing business practices, and expose us to significant fines, penalties, and other damages. We have incurred, and may continue to incur, significant expenses to comply with existing privacy and security standards and protocols imposed by law, regulation, industry standards, or contractual obligations. Additionally, the continued occurrence of cyberattacks and data breaches against governments, businesses individuals, indicates that we operate in an external environment where cyberattacks and data breaches are increasingly common. If the global cybersecurity environment worsens, and there are increased instances of security breaches of third-party offerings where consumers' data and sensitive information is compromised, consumers may be less willing to use online offerings, particularly offerings like ours in which clients often share sensitive financial data. In addition, the increased availability of data unlawfully released as a result of breaches of third-party offerings could make our own products more vulnerable to fraudulent activity. Even if our products are not affected directly by such incidents, certain types of indents could damage our reputation and deter current and potential clients from adopting our products and services or lead clients to cease using online and connected software products to transact financial business altogether. We capture and use user data for analytics as well as marketing purposes. In connection with our use of user data for these business efforts, concerns may be expressed about whether our products, services, or processes compromise the privacy expectations of users, clients and others. For example, the use by our former tax software business of the Meta Pixel has recently been the subject of media and policymaker scrutiny. Concerns about our practices with regard to the collection, use, disclosure or security of personal information or other privacy related matters, even if unfounded, could damage the reputation of our business and our brands and adversely affect our operating results.

Our business is reliant upon various providers of financial, accounting, technology, marketing, and business products, tools, platforms, systems, and services that we use to conduct operations. These key relationships include, among others, our network of financial professionals and CPA partner firms, the provider of our clearing platform, and the provider our investment advisory platform, each of which we rely on to conduct many business activities and transactions with clients, financial professionals, vendors, and other third parties. The products, tools, platforms, systems and services provided by key vendors and partners have required, and may continue to require, significant operational, technological, and logistical efforts from our financial professionals, employees and contractors in order to effectively implement and integrate into our operations. We expect to continue to acclimate our current and future employees, financial professionals and clients to these third parties' technology, product offerings, processes, procedures, workflows, and capabilities from time to time. The technology, service and product offerings of other key vendors and partners may not be accepted by key stakeholders, financial professionals or clients at the levels we anticipate, and may not provide the level of benefits that we expect even if accepted. If a significant number of our key stakeholders, including financial professionals and clients, are or become dissatisfied with the different products, tools, platforms, systems, and services, including related technology, processes, policies and products, that our key vendors and partners offer and they leave, use a competitor's product or services, or seek contractual terms with us that are less favorable to our business, it could have a Material Adverse Effect.

The wealth management industry is characterized by rapidly changing technology, evolving industry and security standards, and frequent new product introductions. Our competitors offer new and enhanced products and services every year. Consequently, client expectations are constantly changing. We must successfully innovate and develop or offer new products and features to meet evolving client needs and demands, while continually updating our technology infrastructure. We must devote significant resources to developing our skills, tools, and capabilities in order to capitalize on existing and emerging technologies. Our inability to quickly and effectively innovate our products, services, and infrastructure could result in a Material Adverse Effect.

Companies and individuals with rights relating to the technology industry have frequently resorted to litigation regarding intellectual property rights. These parties have in the past made, and may in the future make, claims against us alleging infringement of patents, copyrights, trademarks, trade secrets, or other intellectual property or proprietary rights, or alleging unfair competition or violations of privacy or publicity rights. Responding to any such claims could be time-consuming, result in costly litigation, divert management's attention, cause product or service release delays, or require removal or redesigning of our products or services, payment of damages for infringement, or entry into royalty or licensing agreements. Our technology, services, and products may not be able to withstand any third-party claims or rights against their use. In some cases, the ownership or scope of an entity's or person's rights is unclear. In addition, the ownership or scope of such rights may be altered by changes in the legal landscape, such as through developments in U.S. or international intellectual property laws or regulations or through court, agency, or regulatory board decisions. If a successful claim of infringement were made against us and we could not develop non-infringing technology or content or license the infringed or similar technology or content on a timely and cost-effective basis, we could experience a Material Adverse Effect. We rely heavily on our technology and intellectual property, but we may be unable to adequately or cost-effectively protect or enforce our intellectual property rights, thereby weakening our competitive position and negatively impacting our business and financial results. We may have to litigate to enforce our intellectual property rights, which can be time consuming, expensive, and difficult to predict. To protect our rights related to our services and technology, we rely on a combination of copyright and trademark laws, trade secrets, confidentiality agreements with employees and third parties, and protective contractual provisions. We also rely on laws pertaining to trademarks and domain names to protect the value of our corporate brands and reputation. Despite our efforts to protect our proprietary rights, unauthorized parties may copy aspects of our services or technology, obtain and use information, marks, or technology that we regard as proprietary, or otherwise violate or infringe our intellectual property rights. In addition, it is possible that others could independently develop substantially equivalent intellectual property. Effectively policing the unauthorized use of our services and technology is time-consuming and costly, and the steps taken by us may not prevent misappropriation of our technology or other proprietary assets. If we do not effectively protect our intellectual property, or if others independently develop substantially equivalent intellectual property, our competitive position could be materially weakened.

Our business is reliant upon financial, accounting and technology systems and networks to process, transmit and store information, including sensitive client and proprietary information, and to conduct many business activities and transactions with clients, advisers, vendors and other third parties. We collect, use, and retain large amounts of confidential personal and financial information from our clients. Maintaining the integrity of our systems and networks is critical to the success of our business operations, including the retention of our clients and financial professionals, and to the protection of our proprietary information and our clients' personal information. The failure to implement, maintain and safeguard an infrastructure commensurate with the size and scope of our business could impede our productivity and growth, which could adversely impact our results of operations and financial condition. Extraordinary trading volumes, malware, ransomware or attempts by hackers to introduce large volumes of fraudulent transactions into our systems, beyond reasonably foreseeable spikes in volumes, could cause our computer systems to operate at an unacceptably slow speed or even fail. A major breach or failure of our systems or those of our third-party service providers or partners, which could result from these or other events beyond our control, or an inability or failure to effectively upgrade those systems or implement new technology-driven products or services, may have materially negative consequences for our business, including possible fines, penalties and damages, unanticipated disruptions in or reduced demand for our services, harm to our reputation and brands, further regulation and oversight by federal or state agencies, and loss of our ability to provide financial transaction services. Cybersecurity requires ongoing investment and diligence against evolving threats and is subject to federal and state regulation relating to the protection of confidential information. We may be required to expend significant additional resources to modify our protective measures, to investigate and remediate vulnerabilities or other exposures, to make required notifications, or to update our technologies, websites and web based applications to comply with industry and regulatory standards, but we may not have adequate personnel, financial or other resources to fully meet these threats and evolving standards. We will also be required to effectively and efficiently govern, manage and ensure timely evolutions in our systems, including in their design, architecture and interconnections as well as their organizational and technical protections. We may detect, or we may receive notices from clients, financial professionals, service providers or public or private agencies that they have detected, vulnerabilities or current or potential failures in our operating systems, our network infrastructure, or our software. The existence of vulnerabilities, even if they do not result in a security breach or system failure, may harm client confidence and require substantial resources to address, and we may not be able to discover or remediate such vulnerabilities, breaches, or failures. Additionally, any system interruptions that result in the unavailability or unreliability of our websites, transaction processing systems, or network infrastructure could materially reduce our revenue and impair our ability to properly process transactions. Any system unavailability or unreliability may cause unanticipated system disruptions, slower response times, degradation in client satisfaction, additional expense, or delays in reporting accurate financial information. In addition, hackers may develop and deploy viruses, worms, and other malicious software programs that can be used to attack our or our third-party service providers' operating systems and network infrastructure. Any such incident could cause a Material Adverse Effect and require us to expend significant resources to address these problems, including notification under data privacy regulations. In addition, our employees (including temporary and seasonal employees) and contractors may have access to sensitive and personal information of our financial professionals, clients, and employees. We conduct background checks on our employees and contractors and limit access to systems and data, but it is possible that one or more of these individuals may circumvent these controls, resulting in a security breach. It is also possible that unauthorized access to or disclosure of client data may occur due to inadequate use of security controls by our clients. Unauthorized persons could gain access to client accounts if clients do not maintain effective access controls of their systems and software. Although we take protective measures and endeavor to modify them as circumstances warrant, our computer systems, software and networks are to some degree vulnerable to unauthorized access, human error, computer viruses, denial-of-service attacks, malicious code, spam attacks, phishing, ransomware or other forms of social engineering and other events that could impact the security, reliability, confidentiality, integrity and availability of our systems. To the extent third parties, such as product sponsors, also retain similarly sensitive information about our advisors or their clients, their systems may face similar vulnerabilities. We are not able to protect against these events completely given the rapid evolution of new vulnerabilities, the complex and distributed nature of our systems, our interdependence on the systems of other companies and the increased sophistication of potential attack vectors and methods against our systems. In particular, advisors work in a wide variety of environments, and although we require compliance with our security policies, we cannot ensure the consistent compliance with these policies across all of our advisors, or that our policy will be adequate to address the evolving threat environment. In addition, even if we and our advisors comply with our policies and procedures, persons who circumvent security measures or bypass authentication controls could infiltrate or damage our systems or facilities and wrongfully use our confidential information or clients' confidential information or cause interruptions or malfunctions in our operations. Cyber-attacks can be designed to collect information, manipulate, destroy or corrupt data, applications, or accounts and to disable the functioning or use of applications or technology assets. If one or more of these events occur, they could jeopardize our own, our advisors' or their clients', or our counterparties' confidential and other information processed, stored in and transmitted through our computer systems and networks, or otherwise cause interruptions or malfunctions in our own, our advisors' or their clients', our counterparties', or third parties' operations. As a result, we could be subject to litigation, client loss, reputational harm, liability for a failure to safeguard client date, the termination of relationships with our advisors, regulatory sanctions and financial losses that are either not insured or are not fully covered through any insurance we maintain. If any person, including any of our employees or advisors, negligently disregards or intentionally breaches our established controls with respect to client data, or otherwise mismanages or misappropriates that data, we could also be subject to significant monetary damages, regulatory enforcement actions, fines and/or criminal prosecution in one or more jurisdictions. As malicious cyber activity escalates, including activity that originates outside of the United States, the risks we face relating to transmission of data and our use of service providers outside of our network, as well as the storing or processing of data within our network, intensify. We maintain cyber liability insurance that provides both third-party liability and first-party liability coverages, but this insurance is subject to exclusions and may not be sufficient to protect us against all losses. In addition, the trend toward broad consumer and general public notification of such incidents could exacerbate the harm to our business, financial condition, or results of operations. Even if we successfully protect our technology infrastructure and the confidentiality of sensitive data, we may incur significant expenses in connection with our responses to any such attacks as well as the adoption, implementation, and maintenance of appropriate security measures. We could also suffer harm to our business and reputation if attempted security breaches are publicized. We cannot be certain that advances in criminal capabilities, discovery of new vulnerabilities, attempts to exploit vulnerabilities in our systems, data thefts, physical system or network break-ins, inappropriate access, or other developments will not compromise or breach the technology or other security measures protecting the networks and systems used in connection with our business. We rely on third-party vendors to provide a variety of services and host and store certain of our sensitive and personal information and data through co-location facilities and cloud services. We may not have the ability to effectively monitor or oversee the implementation of the security and control measures utilized by our third-party partners, and, in any event, individuals or third parties may be able to circumvent and/or exploit vulnerabilities that may exist in these security and business controls, resulting in a loss of sensitive and personal client or employee information and data. We expect that our regulators would hold us responsible for any deficiencies in our oversight and control of our third-party relationships and for the performance of such third parties. If there were deficiencies in the oversight and control of our third-party relationships, and if our regulators held us responsible for those deficiencies, our business, reputation and results of operations could be adversely affected. Additionally, our systems, operations, data centers and cloud services, and those of our third-party service providers and partners, could be susceptible to damage or disruption, including in cases of fire, flood, earthquakes, other natural disasters, power loss, telecommunications failure, internet breakdown, break-in, human error, software bugs, hardware failures, malicious attacks, computer viruses, computer denial of service attacks, terrorist attacks, or other events beyond our control. Such damage or disruption may affect internal and external systems that we rely upon to provide our services, take and fulfill client orders, handle client service requests, and host other products and services. During the period in which any of our services or products are unavailable, we could be unable or severely limited in our ability to generate revenues, and we may also be exposed to liability from those third parties to whom we provide such services or products. We could face significant losses as a result of these events, and our business interruption insurance may not be adequate to compensate us for all potential losses, which could result in a Material Adverse Effect. We have business continuity plans that include secondary disaster recovery centers, but if their primary data centers fail and those disaster recovery centers do not fully restore the failed environments, our business could suffer.

We believe that our future success will depend in part on our ability to anticipate and adapt to technological advancements required to meet the changing demands of our financial professionals and their clients. We depend on highly specialized technology to support our business functions, including among others: - securities trading and custody;- portfolio management;- performance reporting;- customer service;- accounting and internal financial processes and controls; and - regulatory compliance and reporting. Our continued success depends on our ability to effectively adopt new or adapt existing technologies to meet changing client, industry and regulatory demands. The emergence of new industry standards and practices could render our existing systems obsolete or uncompetitive. There cannot be any assurance that another company will not design a similar or better platform that renders our technology less competitive. Maintaining competitive technology requires us to make significant capital expenditures, both in the near term and longer-term. There cannot be any assurance that we will have sufficient resources to adequately update and expand our information technology systems or capabilities, or offer our services on the personal and mobile computing devices that may be preferred by our financial professionals and/or their clients, nor can there be any assurance that any upgrade or expansion efforts will be sufficiently timely, successful, secure and accepted by our current and prospective financial professionals or their clients. The process of upgrading and expanding our systems has at times caused, and may in the future cause, us to suffer system degradations, outages and failures. If our technology systems were to fail and we were unable to recover in a timely way, we would be unable to fulfill critical business functions, which could lead to a loss of advisors and could harm our reputation. A breakdown in advisors' systems could have similar effects. A technological breakdown could also interfere with our ability to comply with financial reporting and other regulatory requirements, exposing us to disciplinary action and to liability to our advisors and their clients. Security, stability and regulatory risks also exist because parts of our infrastructure and software are beyond their manufacturer's stated end of life. We are working to mitigate such risks through additional controls and increased modernization spending, although we cannot provide assurance that our risk mitigation efforts will be effective, in whole or in part.

The wealth management industry in which we operate is highly competitive, and we may not be able to maintain our clients, financial professionals, employees (including our in-house financial professionals), distribution network, or the terms on which we provide our products and services. Our business competes based on a number of factors, including name recognition, service, the quality of investment advice, performance, technology, product offerings and features, price, and perceived financial strength. We and the financial professionals with whom we work compete directly with a variety of financial institutions, including traditional wirehouses, independent broker-dealers, registered investment advisers (including CPA firms that have their own in-house registered investment advisor), asset managers, banks and insurance companies, direct distributors, larger broker-dealers, and robo-advisors. Many of these competitors have greater market share, offer a broader range of products, and have greater financial resources. We have faced significant competition in recent years from firms offering lower fees, which could have a material adverse impact on our business. There has also been a trend toward online internet wealth management services and wealth management services that are based on mobile applications or automated processes as clients increasingly seek to manage their investment portfolios digitally. This is leading to increased utilization of "robo" advisor platforms. In addition, over time, certain sectors of the wealth management industry have become considerably more concentrated, as financial institutions involved in a broad range of financial services have been acquired by or merged into other firms. This consolidation could result in our competitors gaining greater resources, and we may experience pressures on our pricing and market share as a result of these factors and as some of our competitors seek to increase market share by reducing prices. In addition, we seek to differentiate our business on the basis of offering tax-focused investing advice and solutions. There is no guarantee that this differentiation will be meaningful to our clients and potential clients, or that another competitor will not adopt a similar strategy more effectively. In either case, our ability to compete effectively in the wealth management industry could be damaged, which could result in a Material Adverse Effect.

Client service and performance are important factors in the success of our business. Strong client service and product performance help increase client retention and generate sales of products and services. In contrast, poor service or poor performance of our financial or software products could impair our revenues and earnings, as well as our prospects for growth. Clients can terminate their relationships with us or our financial professionals at will, and deficiencies in our service or product performance could lead clients to choose a competitor's product or services. A decline or perceived decline in performance, on an absolute or relative basis, could cause a decline in sales of mutual funds and other investment products, an increase in redemptions, and the termination of asset management relationships. Such actions may reduce our aggregate amount of advisory assets and reduce management fees. Poor performance could also adversely affect our ability to expand the distribution of our products through independent financial professionals. In addition, the emergence of new financial or software products or services from others, or competitive pressures on pricing of such services or products, may result in the loss of clients or accounts. We must also monitor the pricing of our services and financial and software products in relation to competitors and periodically may need to adjust costs and fee structures to remain competitive. Competition from other financial services firms, such as reduced commissions to attract clients or trading volume, direct-to-investor online financial services, or higher deposit interest rates to attract client cash balances, or increased recruiting bonuses to attract financial professionals, could adversely impact our business. Our clients could also reduce the aggregate amount of their assets managed by us or shift their funds to other types of accounts with different rate structures for any number of reasons, including performance, changes in prevailing interest rates, changes in investment preferences, changes in our (or our financial professionals') reputation in the marketplace, changes in client management or ownership, loss of key investment management personnel and financial market performance. Our clients (or clients of our financial professionals) can withdraw the assets we manage on short notice, making our future client and revenue base unpredictable. A reduction in assets and the resulting decrease in revenues and earnings could have a Material Adverse Effect. Moreover, investors in the mutual funds and some other pooled investment vehicles that we advise may redeem their investments in those funds at any time without prior notice, and investors in other types of pooled vehicles we advise may typically redeem their investments with fairly limited or no prior notice, thereby reducing our advisory assets. These investors may redeem their investments for any number of reasons, including general financial market conditions, the absolute or relative performance we have achieved, or their own financial condition and requirements. In a declining stock market, the pace of redemptions could accelerate. Poor performance relative to other funds tends to result in decreased purchases and increased redemptions of fund shares. In a declining stock market, the pace of redemptions could accelerate, resulting in a decline in our advisory assets, which could negatively impact our fee revenues and result in a Material Adverse Effect.

We operate in the United States with broad exposure to the global financial markets. Accordingly, we are affected by United States and global economic and political conditions that directly and indirectly impact a number of factors in the domestic and global financial markets and economies, which may be detrimental to our operating results. In addition, all of our revenue is now earned within the United States, and therefore, economic conditions in the United States have an even greater impact on us than companies with an international presence. Domestic and international factors that could affect our business include, but are not limited to, trading levels, investing, origination activity in the securities markets, security and underlying asset valuations, the absolute and relative level and volatility of interest and currency rates, real estate values, the actual and perceived quality of issuers and borrowers, the supply of and demand for loans and deposits, United States and foreign government fiscal and tax policies, United States and foreign government ability, real or perceived, to avoid defaulting on government securities, inflation, decline and stress or recession in the United States and global economies generally, terrorism, war and armed conflicts, economic sanctions, trade wars and their collateral impacts, the impact of the United Kingdom's exit from the European Union, climate change, natural disasters such as weather catastrophes, and widespread health emergencies, such as the COVID-19 pandemic. Furthermore, changes in consumer economic variables, such as the number and size of personal bankruptcy filings, the rate of unemployment, decreases in property values, certain life events, and the level of consumer confidence and consumer debt may substantially affect consumer loan levels and credit quality. A period of sustained downturns and/or volatility in the securities markets, a return to increased credit market dislocations, reductions in the value of real estate, and other negative market factors could have a Material Adverse Effect on our business. We could experience a decline in commission revenue from lower trading volumes, a decline in fees from reduced portfolio values of securities managed on behalf of our clients, a reduction in revenue from capital markets and advisory transactions due to reduced activity, increased credit provisions and charge-offs, losses sustained from our clients' and market participants' failure to fulfill their settlement obligations, reduced net interest earnings, and other losses. Periods of reduced revenue and other losses could be accompanied by periods of reduced profitability because certain of our expenses, including, but not limited to, our interest expense on debt, rent, facilities and salary expenses are fixed and, our ability to reduce them over short time periods is limited. Other more specific trends may also affect our financial condition and results of operations, including, for example, changes in the mix of products preferred by investors that may cause increases or decreases in our fee revenues associated with such products, depending on whether investors gravitate towards or away from such products. The timing of such trends, if any, and their potential impact on our financial condition and results of operations are beyond our control. Each of these factors could impact client activity in our business and have a Material Adverse Effect. In addition, these factors may have an impact on our ability to achieve our strategic objectives and to grow our business.

Climate change may cause extreme weather events that disrupt operations at one or more of our offices, which may negatively affect our ability to provide service to our clients and our financial professionals and the ability of our financial professionals to interact with their clients. Climate change may also have a negative impact on the financial condition of our clients, which may decrease revenues from those clients. New regulations or guidance relating to climate change, as well as the perspectives of shareholders, employees, and other stakeholders regarding climate change, may affect whether and on what terms and conditions we engage in certain activities or offer certain products.