Exhibit 99.4
Risks Related to Data Privacy and Cybersecurity
If our information technology systems or those of third parties with whom we work, or our data are or were compromised, we could experience material adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; and other adverse consequences.
In the ordinary course of business, including when we provide our services to clients, we collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share (collectively, “process”) personal data and other sensitive information (collectively, “sensitive data”). As a result, our business, brand, reputation and ability to attract and retain clients partly depend upon the satisfactory performance, reliability, and availability of our services and the protection of our client information. Cyber-attacks, malicious internet-based activity, online and offline fraud, and other similar activities threaten the confidentiality, integrity, and availability of our sensitive data and information technology systems, and those of the third parties with whom we work. Such threats are prevalent and continue to rise, are increasingly difficult to detect, and come from a variety of sources, including traditional computer “hackers,” threat actors, “hacktivists,” organized criminal threat actors, personnel (such as through theft or misuse), sophisticated nation states, and nation-state-supported actors.
Some actors now engage and are expected to continue to engage in cyber-attacks, including without limitation nation-state actors for geopolitical reasons and in conjunction with military conflicts and defense activities. During times of war and other major conflicts, we and the third parties with whom we work may be vulnerable to a heightened risk of these attacks, including retaliatory cyber-attacks, that could materially disrupt our systems and operations.
We and the third parties with whom we work are subject to a variety of evolving threats, including but not limited to social-engineering attacks (including through deep fakes, which may be increasingly more difficult to identify as fake, and phishing attacks), malicious code (such as viruses and worms), malware (including as a result of advanced persistent threat intrusions), credential harvesting, personnel misconduct or error, ransomware attacks, supply-chain attacks, software bugs, server malfunctions, software or hardware failures, loss of data or other information technology assets, adware, attacks enhanced or facilitated by AI, telecommunications failures, earthquakes, fire, flood, power loss, system failures, computer viruses, software errors, physical or electronic break-ins or malicious hacks or attacks on our systems (such as denial of service attacks), and other similar threats.
In particular, severe ransomware attacks are becoming increasingly prevalent and can lead to significant interruptions in our operations, ability to provide services, loss of sensitive data and income, and diversion of funds. Extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments.
It may be difficult and/or costly to detect, investigate, mitigate, contain, and remediate a security incident. Our efforts to do so may not be successful. Actions taken by us or the third parties with whom we work to detect, investigate, mitigate, contain, and remediate a security incident could result in outages, data losses, and disruptions of our business. Threat actors may also gain access to other networks and systems after a compromise of our networks and systems.
Further, certain of our automated methods may include artificial intelligence, and use of this technology could make us susceptible to additional cybersecurity threats. Additionally, confidential and sensitive data of the Company and our clients may be leaked, disclosed, or revealed as a result of or in connection with our employees’, personnel’s, or vendors’ use of technology.
Remote work has increased risks to our information technology systems and data, as more of our employees utilize network connections, computers, and devices outside our premises or network, including working at home, while in transit, and in public locations. Additionally, future or past business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities’ systems and technologies. Furthermore, we may discover security issues that were not found during due diligence of such acquired or integrated entities, and it may be difficult to integrate companies into our information technology environment and security program.
Furthermore, because the techniques used to obtain unauthorized access to, or to sabotage, systems change frequently and often are not recognized until launched against a target, we have in the past been, and may in the future be, unable to anticipate these techniques or implement adequate preventative measures. We may also experience security breaches that may remain undetected for an extended period, due to, among other things, the breadth and complexity of our operations and the high volume of transactions that we process, the large number of clients, counterparties and third party service providers with which we do business, the proliferation and increasing sophistication of cyber-attacks, and the possibility that a third party, after establishing a foothold on an internal network without being detected, might obtain access to other networks and systems.
We have also outsourced certain elements of our information technology infrastructure to third parties, including, without limitation, cloud-based infrastructure, encryption and authentication technology, employee email, content delivery to clients, and other functions. We also rely on third parties to support the operation of our business. Our reliance on these third parties introduces new cybersecurity risks and vulnerabilities. Our ability to monitor these third parties’ information security practices is limited, and these third parties may not have adequate information security measures in place. If the third parties with whom we work experience a security incident or other interruption, we could experience adverse consequences. While we may be entitled to damages if the third parties with whom we work fail to satisfy their privacy or security-related obligations to us, any award may be insufficient to cover our damages, or we may be unable to recover such award.
While we have implemented security measures designed to protect against security incidents, there can be no assurance that these measures will be effective. We take steps designed to detect, mitigate, and remediate vulnerabilities in our information systems (such as our hardware and/or software, including that of third parties upon which we rely). We have not and may not in the future, however, detect and remediate all such vulnerabilities including on a timely basis. Further, we have experienced, and may in the future experience, delays in developing and deploying remedial measures and patches designed to address identified vulnerabilities.
Certain of the previously identified or similar threats have in the past and may in the future cause a security incident or other interruption that could result in unauthorized, unlawful, or accidental acquisition, modification, destruction, loss, alteration, encryption, disclosure of, or access to our sensitive data or our information technology systems, or those of the third parties with whom we work.
We may expend significant resources or modify our business activities to try to protect against security incidents. Additionally, certain data privacy and security obligations may require us to implement and maintain specific security measures or industry-standard or reasonable security measures to protect our information technology systems and sensitive data.
Applicable data privacy and security obligations may require us, or we may voluntarily choose, to notify relevant stakeholders, including affected individuals, clients, regulators, and investors, of security incidents, or to take other actions, such as providing credit monitoring and identity theft protection services. Such disclosures and related actions can be costly, and the disclosure or the failure to comply with such applicable requirements could lead to adverse consequences.
If we (or a third party with whom we work) experience a security incident or are unable to protect our computer systems, software, networks, sensitive data and other technology assets, or there is a perception that we have failed to do so, we may experience material adverse consequences, such as government enforcement actions (for example, investigations, fines, penalties, audits, and inspections); additional reporting requirements and/or oversight; restrictions on processing sensitive data (including personal data); litigation (including class claims); indemnification obligations; negative publicity; reputational harm; monetary fund diversions; diversion of management attention; interruptions in our operations (including availability of data); financial loss; and other similar harms. These events may have a material adverse effect on our business, financial condition, and results of operations.
In addition to experiencing a security incident, third parties may gather, collect, or infer sensitive data about us from public sources, data brokers, or other means that reveals competitively sensitive details about our organization and could be used to undermine our competitive advantage or market position.
We, and the third parties with whom we work, are subject to stringent and evolving U.S. and foreign laws, regulations, and rules, contractual obligations, industry standards, policies and other obligations related to data privacy and security. Actual or perceived failure by us (or by the third parties with whom we work) to comply with applicable U.S. and foreign privacy and security laws, regulations, industry standards, contractual obligations, and other requirements could lead to regulatory investigations or actions; litigation (including class claims) and mass arbitration demands; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; and other adverse business consequences.
We process sensitive data in our operations that subjects us to a variety of laws, regulations, guidance, industry standards, external and internal privacy and security policies, contractual requirements, and other obligations relating to data privacy and security. In the United States, federal, state, and local governments have enacted numerous data privacy and security laws, including data breach notification laws, data privacy laws, consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), and other similar laws (e.g., wiretapping laws). These laws and regulations are constantly evolving and may be interpreted, applied, created, or amended in a manner that could harm our current or future business and operations. Implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future, and we cannot yet determine the impact future laws, regulations, standards, or perception of their requirements may have on our business. This evolution creates uncertainty in our business and may affect our ability to operate in certain jurisdictions or to process personal data, necessitate the acceptance of more onerous obligations in our contracts, or result in liability or impose additional costs on us. These laws, regulations, and other obligations may also be interpreted and applied inconsistently from jurisdiction to jurisdiction which may make compliance difficult or impossible in certain circumstances.
In the course of offering personalized health and wellness recommendations, we collect a substantial amount of personalized health information, subjecting us to the Health Insurance Portability and Accountability Act (“HIPAA”). Certain states have signed into law or are intending to enact laws governing the use and disclosure of such de-identified information, and there is some uncertainty regarding those laws’ conformity with the HIPAA de-identification standards. Compliance with state laws could require additional investment and management attention and may subject us to significant liabilities if we do not comply appropriately with new and potentially conflicting regulations. If there is a future change in law, we may also face limitations on our ability to use de-identified information that could harm our business. There is also a risk that the third-party vendors that provide our data sets may fail to properly de-identify protected health information (“PHI”) under HIPAA or applicable state laws, some of which impose different standards for de-identification than those imposed by HIPAA. There is also a risk that clients and third-party vendors who are subject to HIPAA and interface with us may misunderstand the limits of our ability to conform to HIPAA given our posture that we remain outside of the HIPAA regulation by virtue of de-identifying our data, and may expose us inadvertently to PHI that we need to then make efforts to excise from our systems. We are also required to ensure that such information remains de-identified and our failure to do so could result in non-compliance with privacy laws and contractual obligations.
The privacy, security and breach notification rules promulgated under HIPAA establish a set of national privacy and security standards for the protection of PHI, by health plans, health care clearinghouses, and certain health care providers, referred to as covered entities, and the business associates with whom such covered entities contract for services that involve creating, receiving, maintaining or transmitting PHI, and their covered subcontractors.
In addition to government regulations, privacy advocates and other key industry players have established or may establish various new, additional, or different policies or self-regulatory standards in certain digital environments that may place additional resource constraints on us. Our clients may expect us to meet voluntary certifications or adhere to other standards established by third parties. If we are unable to maintain these certifications or meet these standards, it could reduce demand for our solutions and adversely affect our business and operating results.
Many data privacy and security obligations protect more than health-related information, and although they vary by jurisdiction, these obligations can extend to employee information, business information, healthcare provider information and other information relating to individual consumers. Our actual or perceived failure to comply with these laws may result in, among other things, civil and criminal liability, vulnerability to class actions where private right of action is available to individuals, regulatory fines and sanctions, negative publicity, damage to our reputation and liability under contractual provisions. These obligations may also increase our compliance costs and influence or limit the types of services we can provide. The occurrence of any of the foregoing could impact our ability to provide the same level of service to our clients, require us to modify our offerings or increase our costs, which could have a material adverse effect on our business, financial condition and results of operations.
Numerous U.S. states have enacted comprehensive privacy laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording residents certain rights concerning their personal data. As applicable, such rights may include the right to access, correct, or delete certain personal data, and to opt out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. The exercise of these rights may impact our business and ability to provide our services. Certain states also impose stricter requirements for processing certain personal data, including sensitive data, such as further requirements for explicit opt-in consent in some cases, as well as conducting data privacy impact assessments. Further, some of these laws allow authorized agents or third parties to act on behalf of individuals who wish to exercise their privacy rights. In some cases, the legislation has made it easier for such third-party agents to provide evidence of their authority to make the necessary request (e.g., by use of a signed permission slip). This factor has contributed to a substantial increase in the volume of third-party, authorized-agent requests, with associated risks, including potential risks to our systems in the case of large volumes of requests, as well as increased resource demands and compliance costs. The designated response time for privacy requests is relatively short in certain jurisdictions, resulting in significant administrative and compliance challenges. Additionally, we may be subject to new laws governing the privacy of consumer health data, including reproductive, sexual orientation, and gender identity privacy rights.
We have established frameworks, models, processes and technologies designed to manage data privacy and security for many data types and from a variety of sources, though such measures may not always be effective. Due to the complex and evolving nature of privacy obligations, we cannot guarantee that the safeguards and controls employed by us, or third parties upon which we rely, will be sufficient to prevent a breach of these obligations, or that claims, complaints, investigations, or inquiries will not be filed or lodged against us or our data suppliers despite such safeguards and controls. Furthermore, we are bound by contractual obligations and industry standards related to data privacy and security, and our efforts to comply with such obligations may not be successful.
Obligations related to data privacy and security (and consumers’ data privacy expectations) are quickly changing, becoming increasingly stringent, and creating uncertainty. Additionally, these obligations may be subject to differing applications and interpretations, which may be inconsistent or conflict among jurisdictions. Preparing for and complying with these obligations requires us to devote significant resources, which may necessitate changes to our services, information technologies, systems, and practices and to those of any third parties that process personal data on our behalf.
We may at times fail (or be perceived to have failed) in our efforts to comply with our data privacy and security obligations. Moreover, despite our efforts, our personnel or third parties upon which we rely may fail to comply with such obligations, which could negatively impact our business operations. If we or the third parties with whom we work fail, or are perceived to have failed, to address or comply with applicable data privacy and security obligations, we could face significant consequences, including but not limited to: government enforcement actions (e.g., investigations, fines (including regulatory fines and sanctions), penalties, audits, inspections, and similar); litigation (including class-action claims) and mass arbitration demands; additional reporting requirements and/or oversight; bans on processing personal data; and orders to destroy or not use personal data. In particular, plaintiffs have become increasingly more active in bringing privacy-related claims against companies, including class claims and mass arbitration demands. Some of these claims allow for the recovery of statutory damages on a per violation basis, and, if viable, carry the potential for monumental statutory damages, depending on the volume of data and the number of violations. Any of these events could have a material adverse effect on our reputation, business, or financial condition, including but not limited to: loss of clients; inability to process personal data or to operate in certain jurisdictions; limited ability to develop or commercialize our products; expenditure of time and resources to defend any claim or inquiry; adverse publicity; or substantial changes to our business model or operations.
We may be subject to claims that our employees, consultants, or independent contractors have wrongfully used or disclosed confidential information of third parties.
We employ individuals who were previously employed at other companies. Although we try to ensure that our employees, consultants and advisors do not use the proprietary information or know-how of others in their work for us, we may be subject to claims that we or our employees, consultants, or independent contractors have inadvertently or otherwise used or disclosed confidential information of our employees’ former employers or other third parties. Litigation may be necessary to defend against these claims. There is no guarantee of success in defending these claims, and even if we are successful, litigation could result in substantial cost and be a distraction to our management and other employees. Even if we are successful in defending against these types of claims, litigation or other legal proceedings relating to intellectual property claims may cause us to incur significant expenses and could distract our technical and management personnel from their normal responsibilities. Uncertainties resulting from the initiation and continuation of intellectual property litigation or other intellectual property related proceedings could adversely affect our ability to compete in the marketplace.