PARTI Item1. Business channels, including those mentioned above, are not incorporated by reference into this Form 10-K or in any other report or documentwefilewiththeSEC,andanyreferencestoourwebsitesoronlineandsocialmediachannelsareintendedtobe inactive textual referencesonly. Item1A.RiskFactors Youshouldcarefullyconsidertherisks and uncertaintiesdescribedbelow, in addition to other informationappearingin this Form10-K, including our consolidated financial statements and related notes, for important information regarding risks and uncertainties that could affect us. These risk factors do not identify all risks we face, and additional risks and uncertainties that we are unaware of, or that we currently believe are not material, may also become important factors that adversely affect our business. If any of the following risks actually occur, our business, financial condition, results of operations, future prospects,andthetradingpriceofourcommonstockcouldbemateriallyandadverselyaffected. CybersecurityandTechnologyRisks Cyberattacksandsecurityvulnerabilitiescouldresultinseriousharmtoourreputation,business, andfinancialcondition. The techniques used to attempt to obtain unauthorized or illegal access to systems and information (including customers personal data), disable or degrade service, exploit vulnerabilities, or sabotage systems are constantly evolving. In some circumstances, these attempts may not be recognized or detected until after they have been launched against a target. Unauthorized parties will continue to attempt to gain access to our systems or facilities through various means, including throughhackingintooursystemsorfacilitiesorthoseofourcustomers,partners,orvendors,andattemptingtofraudulently induce users of our systems (including employees, vendor and partner personnel and customers) into disclosing user names, passwords, payment card information, multi-factor authentication application access or other sensitive information used to gain access to such systems or facilities. This information may, in turn, be used to access our customers confidential personal or proprietary information and financial instrument data that are stored on or accessible through our information technology systems and those of third parties with whom we partner. This information may also be used to execute fraudulent transactions or otherwise engage in fraudulent actions. Numerous and evolving cybersecurity threats, including advanced and persisting cyberattacks, cyberextortion, distributed denial-of-service attacks, ransomware, spear phishing and social engineering schemes, the introduction of computer viruses or other malware, and the physical destruction of all or portions of our information technology and infrastructure and those of third parties with whom we partner, are becoming increasingly sophisticated and complex, may be difficult to detect, and could compromise the confidentiality, availability, and integrity of the data in our systems, as well as the systems themselves. Webelieve that cybercriminals may target PayPal due to our name, brand recognition, types of data (including sensitive payments- and identity-related data) that customers provide to us, and the widespread adoption and use of our products andservices.Wehaveexperiencedfromtimetotime,andmayexperienceinthefuture,breachesofoursecuritymeasures due to human error, deception, malfeasance, insider threats, system errors, defects, vulnerabilities, or other irregularities. For example, in November 2017, we suspended the operations of TIO Networks (“TIO”) (acquired in July 2017) as part of an investigation of security vulnerabilities of the TIO platform, and in December 2017, we announced that we had identified evidence of unauthorized access to TIOs network and the potential compromise of personally identifiable information for approximately1.6 million TIO customers. Anycyberattacksor data security breaches affecting the information technology or infrastructure of companies we acquire or of our customers, partners, or vendors (including data center and cloud computing providers) could have similar negativeeffects. Under payment card network rules and our contracts with our payment processors, if there is a breach of payment card information stored by us or our direct payment card processing vendors, we could be liable to the payment card issuing banks, including for their cost of issuing new cards and related expenses. Cybersecurity breaches and other exploited security vulnerabilities could subject us to significant costs and third-party liabilities, result in improper disclosure of data and violations of applicable privacy and other laws, require us to change our business practices, cause us to incur significant remediation costs, lead to loss of customer confidence in, or decreased use of, our products and services, damage our reputation and brands, divert the attention of management from the operation of our business, result in significant compensation or contractual penalties from us to our customers and their business partners as a result of losses to or claims by them, or expose us to litigation, regulatory investigations, and significant fines and penalties. While we maintain insurance policies intended to help offset the financial impact we may experience from these risks, our coverage may be insufficient to compensate us for all losses caused by security breaches and other damage to or unavailability of oursystems. 14 •2022AnnualReport
