PRIA Logo
← All companies

CVLT · CIK 0001169561

What Commvault Systems, Inc. told the SEC could break it.

Commvault's sharpest exposure is its distribution channel: a single partner (Partner A) was about 32% of fiscal 2026 revenue and 29% of receivables, with a second partner adding another 11% — so its top line flows through just a couple of intermediaries. Its operations are also geographically concentrated, with roughly 40% of employees in India (where wage costs are rising faster than elsewhere) and about 47% of revenue earned internationally, adding offshore-labor and currency exposure. As a global data-protection and AI software vendor, it also operates under U.S. export controls and OFAC sanctions, anti-bribery laws, and fast-evolving data-privacy, cybersecurity and AI-governance regulation.

3 self-disclosed vulnerabilities, pulled from its own filings — each in the company’s words, with the source. This is the risk register almost nobody reads.

In its own words

What could break it.

Customer concentration

  • channel Partner A = 32% of revenue (29% of AR); Partner B = 11%high

    Commvault's revenue is concentrated in its distribution channel: Partner A was ~32% of FY2026 revenue (35%/36% prior years) and 29% of accounts receivable, and Partner B was ~11% of FY2026 revenue.

    Partner A accounted for approximately 32 %, 35 % and 36 % of our total revenues for the years ended March 31, 2026, 2025 and 2024, respectively. In addition, Partner A accounted for approximately 29 % of our total accounts receivable as of March 31, 2026 and 2025. Partner B accounted for approximately 11 % of our total revenues for the year ended March 31, 2026.

    SEC filing →As of 2026

Geographic concentration

  • ~40% of employees in India; 47% international revenuemedium

    About 40% of Commvault's workforce is in India (with rising wage/competition pressure) and ~47% of revenue is international, concentrating R&D/operations in India and exposing it to FX and offshore-labor risk.

    As of March 31, 2026, approximately 40% of our employees were located in India. Wage and benefit costs vary by region, and compensation levels in India have increased, and may continue to increase, at a faster rate than in many other countries, including the United States.

    SEC filing →As of 202631 others exposed to India →

Regulatory & policy

  • export controls (EAR/OFAC) + data-privacy/AI-governance regulationmedium

    As a global data-protection/AI software vendor, Commvault is subject to U.S. Export Administration Regulations and OFAC sanctions, FCPA/UK Bribery Act, and rapidly evolving data-privacy, cybersecurity and AI-governance regulation.

    we are also subject to global laws and regulations that govern or restrict our business and activities in certain countries and with certain persons, including the U.S. Commerce Department's Export Administration Regulations and economic and trade sanctions regulations maintained by the Office of Foreign Assets Control, as well as anti-bribery and anti-corruption laws and regulations, including the Foreign Corrupt Practices Act and the U.K. Bribery Act.

    SEC filing →As of 202647 others exposed to Export Controls →

In the MyPRIA app, this is checked against the companies you actually own.

← World Watch