--- ticker: CMG company: Chipotle Mexican Grill Inc. filing_type: 10-K year_current: 2026 year_prior: 2025 risks_added: 1 risks_removed: 3 risks_modified: 9 risks_unchanged: 13 source: SEC EDGAR url: https://riskdiff.com/cmg/2026-vs-2025/ markdown_url: https://riskdiff.com/cmg/2026-vs-2025/index.md generated: 2026-05-11 --- # Chipotle Mexican Grill Inc.: 10-K Risk Factor Changes 2026 vs 2025 > Source: U.S. Securities and Exchange Commission (EDGAR) > Generated: 2026-05-11 > All data extracted directly from official filings. No hallucinated content. > **[AI-Generated Summary]** The paragraph below was produced by a language > model and may contain errors. All other content on this page is deterministically > extracted from the original SEC filing. > Chipotle consolidated three separate stock price and earnings volatility risks into a single unified risk disclosure focused on meeting market expectations and stock price impacts, reflecting a streamlined approach to financial performance communication risks. The company removed technology and automation execution risk while simultaneously emphasizing third-party relationship risks - particularly around delivery services and brand reputation - suggesting a shift in focus from internal operational uncertainties to external partnership dependencies. Nine substantive modifications to existing risks indicate material recalibration of risk disclosures across brand management, third-party relationships, and operational vulnerabilities. --- ## Summary | Status | Count | |--------|-------| | New risks added | 1 | | Risks removed | 3 | | Risks modified | 9 | | Unchanged | 13 | --- ## New in Current Filing: Failure to meet market expectations for our financial performance or any announced guidance will likely adversely affect the market price and increase the volatility of our stock, and fluctuations in the stock market as a whole may also impact the market price and volatility of our stock. We have in the past failed, and may in the future fail, to meet our forecasted guidance or market expectations, which has adversely affected, and could in the future adversely affect, the market price of our stock. Any guidance we provide is based on certain assumptions at the time the guidance is given, which may or may not prove to be correct. Failure to meet announced guidance or market expectations of future results, particularly with respect to our operational and financial results and shareholder returns, whether due to our assumptions not being met or the impact of various risks and uncertainties, will likely result in either or both a decline in or increased volatility in the market price of our stock. In addition, price and volume fluctuations in the stock market as a whole may affect the market price of our stock in ways that may be unrelated to our financial performance. Our quarterly financial results may fluctuate significantly and could fail to meet investors' expectations for various reasons, including: •negative publicity about the safety of our food, employment-related issues, guest safety, litigation or other issues involving our restaurants; •fluctuations in supply costs, particularly for our most significant ingredients, and our inability to offset the higher cost with price increases, without adversely impacting guest traffic; •our inability to purchase sufficient quantities of our key ingredients and equipment as our restaurant count grows; •labor availability and wages of restaurant management and employees; •increases in marketing or promotional expenses; •the timing of new restaurant openings and related revenues and expenses, and the operating costs at newly opened restaurants; •the impact of inclement weather and natural disasters, such as freezes and droughts, which could decrease guest traffic and increase the costs of ingredients; •the amount and timing of stock-based compensation; •litigation, settlement costs and related legal expenses; •taxes, new or increased tariffs or trade sanctions, asset impairment charges and non-operating costs; and •macroeconomic conditions described above. 19 19 19 Table of Contents Table of Contents For these reasons, results for any one quarter are not necessarily indicative of results to be expected for any other quarter or for any year. A significant or sudden decrease in our stock price could entice an activist shareholder to initiate a campaign against the Company. If we are the target of public activism, it could cause us to incur significant costs, including legal expenses, divert the attention of our management and Board, create uncertainty about our strategic direction and cause stock price volatility that is unrelated to our business fundamentals. --- ## No Match in Current: Our investments in technology and automation to transform and enhance the experience of our employees and guests may not generate the expected results. *This section from the 2025 filing does not have a high-confidence textual match in 2026. It may have been removed, merged, or substantially reworded.* We have launched several initiatives to make our food preparation and cooking processes more efficient and drive a better experience for our employees and consumers, most of which are still moving through our "stage gate" development and evaluation process. These initiatives include a dual sided plancha, which is our cooking grill; an automated produce slicer; an automated make line by Hyphen, which would automatically assemble guest ordered bowls and salads; and Autocado, an automated avocado processing device that cuts, cores and scoops avocados. We have invested significant time and resources into developing and testing these technologies, but there can be no guarantee that all or any of them will be widely deployed throughout our restaurant network or, if deployed, will materially improve employee or guest experience or our financial performance. We also continue to build upon our investments in digital ordering and guest engagement to enhance guest experience and strengthen our ties with our guests. If these initiatives are not ultimately deployed or if we do not fully realize the intended benefits of these significant investments, our business results may suffer. --- ## No Match in Current: The market price of our common stock may be more volatile than the market price of our peers. *This section from the 2025 filing does not have a high-confidence textual match in 2026. It may have been removed, merged, or substantially reworded.* We believe the market price of our common stock generally has traded at a higher price-earnings ratio than stocks of most of our peer companies as well as the overall market, which typically has reflected market expectations for higher future operating results. At any given point in time, our price-earnings ratio may trade at more than twice the price-earnings ratio of the S&P 500. Also, the trading market for our common stock has been volatile at times, including because of adverse publicity events. As a result, if we fail to meet market expectations for our operating results in the future, any resulting decline in the price of our common stock could be significant. --- ## No Match in Current: Our quarterly financial results may fluctuate significantly, including due to factors that are not in our control. *This section from the 2025 filing does not have a high-confidence textual match in 2026. It may have been removed, merged, or substantially reworded.* Our quarterly financial results may fluctuate significantly and could fail to meet investors' expectations for various reasons, including: •negative publicity about the safety of our food, employment-related issues, guest safety, litigation or other issues involving our restaurants; •fluctuations in supply costs, particularly for our most significant ingredients, and our inability to offset the higher cost with price increases, without adversely impacting guest traffic; •our inability to purchase sufficient quantities of our key ingredients and equipment as our restaurant count grows; •labor availability and wages of restaurant management and employees; •increases in marketing or promotional expenses; •the timing of new restaurant openings and related revenues and expenses, and the operating costs at newly opened restaurants; •the impact of inclement weather and natural disasters, such as freezes and droughts, which could decrease guest traffic and increase the costs of ingredients; •the amount and timing of stock-based compensation; •litigation, settlement costs and related legal expenses; •taxes, new or increased tariffs or trade sanctions, asset impairment charges and non-operating costs; and •variations in general economic conditions, including the impact of rising inflation and the impact of rising interest rates on consumer demand trends. As a result of any of these factors, results for any one quarter are not necessarily indicative of results to be expected for any other quarter or for any year. Average restaurant sales or comparable restaurant sales in any future period may decrease. --- ## Modified: If we partner with third parties or acquire new businesses that do not align with our core values or that do not fulfill their contractual responsibilities and commitments, our brand reputation and international growth plans could suffer. **Key changes:** - Reworded sentence: "As of December 31, 2025, we had 14 international partner-operated Chipotle restaurants in the Middle East in partnership with the Alshaya Group, and we have plans to open more partner-operated Chipotle restaurants in the Middle East, Mexico and Asia." - Reworded sentence: "17 17 17 Table of Contents Table of Contents" **Prior (2025):** Our global growth strategy includes expanding our existing restaurant footprint and introducing Chipotle in new international jurisdictions in which we currently do not operate. The success of our strategy will depend on our identifying and partnering with new business partners, including licensees, joint venture partners, suppliers and distributors, and may include identifying suitable acquisition targets in these new jurisdictions that align with our core values. In 2024, the first licensed Chipotle restaurants opened in Kuwait and Dubai in partnership with international franchise retail operator Alshaya Group, and there are plans to open more licensed restaurants in other areas in the Middle East. We believe guests expect the same high quality food and excellent customer service at restaurants operated by licensees and joint venture partners as they receive in Chipotle-owned and operated restaurants. We provide extensive training to our business partners and we require compliance with specific food quality and safety standards and guest service levels in our agreements with business partners; however, we do not have direct control over the restaurants operated by third-party partners, and the quality and service in those restaurants may be less than the quality and service of Chipotle-operated restaurants. Failure of our business partners to adhere to our high food quality and operating standards, comply with applicable law, adhere to high ethical standards, and create a culture of respect in their restaurants could damage our brand reputation, domestically and internationally, and impair our international expansion plans. New partnerships and/or acquisitions also may divert management's attention from other initiatives and/or day-to-day operations, which could adversely affect our business and results of operations. 18 18 18 Table of Contents Table of Contents **Current (2026):** Our global growth strategy includes expanding our existing restaurant footprint and introducing Chipotle in new international jurisdictions in which we currently do not operate. The success of our strategy will depend on our identifying and partnering with new business partners, including licensees, joint venture partners, suppliers and distributors, and may include identifying suitable acquisition targets in these new jurisdictions that align with our core values. As of December 31, 2025, we had 14 international partner-operated Chipotle restaurants in the Middle East in partnership with the Alshaya Group, and we have plans to open more partner-operated Chipotle restaurants in the Middle East, Mexico and Asia. We believe guests expect the same high quality food and excellent customer service at partner-operated restaurants as they receive in Chipotle-owned and operated restaurants. We provide extensive training to our business partners and we require compliance with specific food quality and safety standards and guest service levels in our agreements with business partners; however, we do not have direct control over the partner-operated restaurants, and the quality and service in those restaurants may be less than the quality and service of Chipotle-owned restaurants. Failure of our business partners to adhere to our high food quality and operating standards, comply with applicable law, adhere to high ethical standards, and create a culture of respect in the partner-operated restaurants could damage our brand reputation, domestically and internationally, and impair our international expansion plans. New partnerships and/or acquisitions also may divert management's attention from other initiatives and/or day-to-day operations, which could adversely affect our business and results of operations. 17 17 17 Table of Contents Table of Contents --- ## Modified: Our use of third-party delivery services may not be profitable and substandard service may negatively impact our reputation. **Key changes:** - Reworded sentence: "Over 16% of our 2025 food and beverage revenue consisted of delivery orders for which we are reliant on third-party delivery companies." - Reworded sentence: "10 10 10 Table of Contents Table of Contents" **Prior (2025):** Over 15% of our 2024 food and beverage revenue consisted of delivery orders for which we are reliant on third-party delivery companies. Depending on which ordering platform a guest uses - our platform or the third-party delivery service platform - the delivery fee we collect from the guest may be less than the actual delivery cost. As the delivery industry consolidates, delivery companies gain greater leverage in negotiating the terms of contracts and increasing pricing, which in turn could negatively impact our profits from this channel. If the third-party delivery companies we utilize increase the fees they charge users or give greater priority or promotions on their platforms to other restaurants, our delivery business and our sales may be negatively impacted. In addition, if a third-party delivery driver fails to deliver an order on time, fails to deliver the complete order or otherwise provides a bad guest experience, our guest may attribute that negative experience to Chipotle and our reputation and sales could be adversely impacted. The ordering and payment platforms used by these third parties, our mobile app or our online ordering site have been and could again be interrupted by technological failures, user errors, cyber-attacks or other factors, which could adversely impact sales through these channels and negatively impact our overall sales and reputation. 11 11 11 Table of Contents Table of Contents **Current (2026):** Over 16% of our 2025 food and beverage revenue consisted of delivery orders for which we are reliant on third-party delivery companies. Depending on which ordering platform a guest uses - our brand platform or the third-party delivery platform - the delivery fee we collect from the guest may be less than the actual delivery cost. If we increase our menu prices on third-party delivery platforms to cover higher delivery fees, we may not be competitive with other restaurant options offered on that platform. If the third-party delivery companies we use increase the fees they charge users or give greater priority or promotions on their platforms to other restaurants, our delivery business and our sales may be negatively impacted. In addition, if a third-party delivery driver fails to deliver an order on time, fails to deliver the complete order or otherwise provides a bad guest experience, our guest may attribute that negative experience to Chipotle and our reputation and sales could be adversely impacted. The ordering and payment platforms used by these third parties, our mobile app or our online ordering site have been and could again be interrupted by technological failures, user errors, cyber-attacks or other factors, which could adversely impact sales through these channels and negatively impact our overall sales and reputation. 10 10 10 Table of Contents Table of Contents --- ## Modified: Failure to maintain the value and reputation of the Chipotle brand could negatively impact our financial results. **Key changes:** - Reworded sentence: "Incidents that could erode trust in our brand include actual or perceived food safety or food-borne illnesses; allegations of unethical or unprofessional behavior by employees and/or guests; privacy breaches or violations of privacy laws; safety-related incidents occurring in or around our restaurants; guest perceptions regarding smaller entrée portion sizes; or other events or incidents described in this risk factors section." - Reworded sentence: "Social media, video-sharing, networking, and gaming and messaging platforms dramatically increase the speed and reach at which negative publicity is disseminated, often before we have a meaningful opportunity to investigate, respond to and address an issue." - Reworded sentence: "9 9 9 Table of Contents Table of Contents Additionally, consumer demand for our products and our brand value could diminish significantly if we, our employees or business partners fail to comply with applicable laws and regulations, take positions or actions that may be considered controversial, fail to deliver a consistently positive guest experience or fail to foster an inclusive and welcoming environment." **Prior (2025):** We built strong value in the Chipotle brand by serving delicious, high quality food, made fresh every day using responsibly sourced ingredients served in generous portions. Our continued success depends on maintaining this compelling brand value, which may be eroded by numerous factors, some of which are outside of our control. Incidents that could erode trust in our brand include actual or perceived food safety or food-borne illnesses; allegations of unethical, racially-biased, inequitable, or socially irresponsible behavior by employees and/or guests; privacy breaches or violations of privacy laws; safety-related incidents occurring in or around our restaurants; guest perceptions regarding smaller entrée portion sizes; or other events or incidents described in this risk factors section. The adverse impact of such incidents may be compounded by negative publicity, including through social or digital media, or if they result in litigation. Social media, video-sharing, networking, and gaming and messaging platforms dramatically increase the speed with which negative publicity is disseminated, often before we have a meaningful opportunity to investigate, respond to and address an issue. Negative online postings or comments about us, including as a result of inaccurate, fictitious or malicious postings or media content, have in the past and could in the future magnify and prolong the adverse impact of any one incident and increase the damage to the value of our brand. 10 10 10 Table of Contents Table of Contents Additionally, consumer demand for our products and our brand value could diminish significantly if we, our employees or business partners fail to comply with applicable laws and regulations, take controversial positions or actions, fail to deliver a consistently positive guest experience or fail to foster an inclusive and welcoming environment. In addition, we cannot ensure that our restaurant crew or business partners will not take actions that adversely affect our brand reputation and relevance. **Current (2026):** We built strong value in the Chipotle brand by serving delicious, high quality food, made fresh every day using responsibly sourced ingredients served in generous portions. Our continued success depends on maintaining this compelling brand value, which may be eroded by numerous factors, some of which are outside of our control. Incidents that could erode trust in our brand include actual or perceived food safety or food-borne illnesses; allegations of unethical or unprofessional behavior by employees and/or guests; privacy breaches or violations of privacy laws; safety-related incidents occurring in or around our restaurants; guest perceptions regarding smaller entrée portion sizes; or other events or incidents described in this risk factors section. The adverse impact of such incidents may be compounded by negative publicity, including through social or digital media, or if they result in litigation. Social media, video-sharing, networking, and gaming and messaging platforms dramatically increase the speed and reach at which negative publicity is disseminated, often before we have a meaningful opportunity to investigate, respond to and address an issue. Negative online postings or comments about us, including as a result of inaccurate, fictitious or malicious postings or media content, have in the past and could in the future magnify and prolong the adverse impact of any one incident and increase the damage to the value of our brand. 9 9 9 Table of Contents Table of Contents Additionally, consumer demand for our products and our brand value could diminish significantly if we, our employees or business partners fail to comply with applicable laws and regulations, take positions or actions that may be considered controversial, fail to deliver a consistently positive guest experience or fail to foster an inclusive and welcoming environment. In addition, we cannot ensure that our restaurant crew or business partners will not take actions that adversely affect our brand reputation and relevance. --- ## Modified: We are heavily dependent on information technology systems and failures or interruptions in our IT systems could harm our ability to effectively operate our business and/or result in the loss of guests or employees. **Key changes:** - Reworded sentence: "We are heavily dependent on information technology systems, including for point-of-sale and payment processing in our restaurants, digital ordering and order delivery, tracing ingredients back to suppliers and growers, digital Hazard Analysis and Critical Control Points monitoring, monitoring and managing our supply chain, our guest rewards program, payroll processing, sales forecasting, marketing initiatives, business analytics and various other processes and transactions." - Reworded sentence: "Although we have operational safeguards in place and we take efforts to ensure that our third-party providers have implemented proper safeguards and controls, we cannot guarantee that breaches or failures caused by these third-party systems or platforms will not occur." - Added sentence: "We continue to invest in and utilize emerging technologies that have potential to make business tasks easier, more efficient and less labor intensive, including artificial intelligence and machine learning." - Added sentence: "These new technologies may not deliver the expected efficiencies and could expose us to new risks, including risks related to cybersecurity, data privacy, inaccuracies, hallucinations, bias or discrimination and claims of intellectual property infringement." - Added sentence: "12 12 12 Table of Contents Table of Contents" **Prior (2025):** We are heavily dependent on information technology systems, including for administrative functions, point-of-sale and payment processing in our restaurants, digital ordering and delivery business, tracing ingredients back to suppliers and growers, digital Hazard Analysis and Critical Control Points monitoring, monitoring and managing our supply chain, our guest rewards program, marketing initiatives, employee engagement and payroll processing, and various other processes and transactions. Our ability to effectively manage our business and coordinate the procurement, production, distribution, safety and sale of our products depends significantly on the consistent availability, reliability and security of these systems. Many of these critical systems are provided and managed by third parties, and we are reliant on these third-party providers to implement protective measures that ensure the security and availability of their systems. Although we have operational safeguards in place and we take efforts to ensure that our third-party providers have implemented proper standards and controls, we cannot guarantee that breaches or failures caused by these third-party systems or platforms will not occur. Failures may be caused by various factors, including power outages, natural disasters and other catastrophic events, physical theft, computer and network failures, inadequate or ineffective redundancy, problems with transitioning to upgraded or replacement systems or platforms, flaws in third-party software or services, errors or improper use by our employees or the third-party service providers. If any of our critical IT systems were to become unreliable, unavailable, compromised or otherwise fail, and we were unable to recover in a timely manner, we could experience an interruption in our operations that could have a material adverse impact on our profitability. **Current (2026):** We are heavily dependent on information technology systems, including for point-of-sale and payment processing in our restaurants, digital ordering and order delivery, tracing ingredients back to suppliers and growers, digital Hazard Analysis and Critical Control Points monitoring, monitoring and managing our supply chain, our guest rewards program, payroll processing, sales forecasting, marketing initiatives, business analytics and various other processes and transactions. Our ability to effectively manage our business and coordinate the procurement, production, distribution, safety and sale of our products depends significantly on the consistent availability, reliability and security of these systems. Many of these critical systems are provided and managed by third parties, and we are reliant on these third-party providers to implement protective measures that ensure the security and availability of their systems. Although we have operational safeguards in place and we take efforts to ensure that our third-party providers have implemented proper safeguards and controls, we cannot guarantee that breaches or failures caused by these third-party systems or platforms will not occur. Failures may be caused by factors such as power outages, natural disasters and other catastrophic events, physical theft, computer and network failures, inadequate or ineffective redundancy, problems with transitioning to upgraded or replacement systems or platforms, flaws in third-party software or services, or errors or improper use by our employees or our third-party service providers. If any of our critical IT systems were to become unreliable, unavailable, compromised or otherwise fail, and we were unable to recover in a timely manner, we could experience an interruption in our operations that could have a material adverse impact on our profitability. We continue to invest in and utilize emerging technologies that have potential to make business tasks easier, more efficient and less labor intensive, including artificial intelligence and machine learning. These new technologies may not deliver the expected efficiencies and could expose us to new risks, including risks related to cybersecurity, data privacy, inaccuracies, hallucinations, bias or discrimination and claims of intellectual property infringement. 12 12 12 Table of Contents Table of Contents --- ## Modified: Breaches or other unauthorized access, theft, modification or destruction of guest and/or employee personal information, or Chipotle confidential or proprietary information that is stored in our information technology systems or by third parties could damage our reputation and expose us to potential liabilities and loss of revenue. **Key changes:** - Reworded sentence: "As our dependence on technology has grown, the scope and severity of potential risks from cyber-attacks and security threats have increased." - Removed sentence: "The rapid evolution and increased adoption of artificial intelligence technologies may intensify our cybersecurity risks." - Reworded sentence: "Given the increasing complexity and sophistication of techniques used by bad actors to obtain unauthorized access to or disable information technology systems, and the fact that cyberattacks are being made by groups and individuals with a wide range of expertise and motives, it is increasingly difficult to anticipate, defend against and detect cyberattacks." - Reworded sentence: "and international privacy, cyber and other laws or trigger data breach notification laws, including under the SEC's disclosure rules, and subject us to private third party or securities litigation and governmental investigations and proceedings, any of which could result in our exposure to material civil or criminal liability." - Removed sentence: "Media or other reports of existing or perceived security vulnerabilities in our systems or those of our third-party business partners or service providers can also adversely impact our brand and reputation and negatively impact our business." **Prior (2025):** As our reliance on technology has grown, the scope and severity of potential risks from cyber threats has increased. Many of our information technology systems (whether cloud-based or hosted in proprietary servers), including those used for our point-of-sale, web and mobile platforms, online and mobile payment systems, delivery services and rewards programs and administrative functions, contain personal, financial or other information that is entrusted to us by our guests, business partners and employees. Many of our information technology systems also contain confidential information about our business, such as business strategies, development initiatives and designs, and confidential information about third parties, such as suppliers. Similar to many other restaurant companies, we have in the past experienced, and we expect to continue to experience, cyber-attacks, including phishing, and other attempts to breach, or gain unauthorized access to, our systems and databases. To date, these attacks have not had a material impact on our operations, but we cannot provide assurance that they will not have an impact in the future. 13 13 13 Table of Contents Table of Contents Our third-party providers' and business partners' information technology systems and databases are subject to similar risks. The number and frequency of these attempts varies from year to year and increases as the scope and scale of our technology footprint and digital operations increases. In addition, we provide guest and employee data, as well as confidential information important to our business to third parties. Individuals performing work for us and these third parties also may access some of this data, including on personally owned digital devices. To the extent we, a third party or such an individual were to experience a breach of our or their information technology systems that results in the unauthorized access, theft, use, destruction or other compromises of guests' or employees' data or confidential information of Chipotle stored in or transmitted through such systems, including through cyber-attacks or other external or internal methods, it could result in a material loss of revenues from the potential adverse impact to our reputation and brand, a decrease in our ability to retain guests or attract new ones, the imposition of potentially significant costs (including loss of data or payment for recovery of data) and liabilities, loss of business, loss of business partners and licensees and the disruption to our supply chain, business and plans. Unauthorized access, theft, use, destruction or other compromises are becoming increasingly sophisticated and may occur through a variety of methods, including attacks using malicious code, vulnerabilities in software, hardware or other infrastructure (including systems used by our supply chain), system misconfigurations, phishing, deepfakes, ransomware, malware or social engineering. The rapid evolution and increased adoption of artificial intelligence technologies may intensify our cybersecurity risks. Our logging capabilities, or the logging capabilities of third parties, are not always complete or sufficiently granular, affecting our ability to fully understand the scope of security breaches. Given the increasing complexity and sophistication of techniques used by bad actors to obtain unauthorized access to or disable information technology systems, and the fact that cyberattacks are being made by groups and individuals with a wide range of expertise and motives, it is increasingly difficult to anticipate and defend against cyberattacks, and a cyberattack could occur and persist for an extended period of time before being detected. Moreover, the extent of a particular cyber incident and the steps that we may need to take to investigate the incident may not be immediately clear, and it may take a significant amount of time before such investigation can be finalized and completed and reliable information about the incident is known. During the pendency of any such investigation, we may not know the extent of the harm or how best to remediate it, and we may be required to disclose incidents before their full extent is known. Such security breaches also could result in a violation of applicable U.S. and international privacy, cyber and other laws or trigger data breach notification laws, including new disclosure rules promulgated by the SEC, and subject us to private third party or securities litigation and governmental investigations and proceedings, any of which could result in our exposure to material civil or criminal liability. These risks also exist in companies that license our brand, that we partner with or invest in that use separate information systems. We may be required to make significant capital investments and other expenditures to investigate security incidents, remedy cybersecurity problems, recuperate lost data, prevent future compromises and adapt systems and practices to react to the changing threat environment. These include costs associated with notifying affected individuals and other agencies, additional security technologies and training, hiring additional employees, retention of experts and providing credit monitoring services for individuals whose data has been breached. These costs could be material and could adversely impact our results of operations in the period in which they are incurred, including by causing us to delay the pursuit of other important business strategies and initiatives, and may not meaningfully limit the success of future attempts to breach our information technology systems. Media or other reports of existing or perceived security vulnerabilities in our systems or those of our third-party business partners or service providers can also adversely impact our brand and reputation and negatively impact our business. Additionally, the techniques and sophistication used to conduct cyber-attacks and compromise information technology systems, as well as the sources and targets of these attacks, change frequently and are often not recognized until such attacks are launched or have been in place for a period of time. The rapid evolution and increased adoption of artificial intelligence technologies amplifies these concerns. We continue to make significant investments in technology, third-party services and employees to develop and implement systems and processes that are designed to anticipate cyber-attacks and to prevent or minimize breaches of our information technology systems or data loss, but these security measures cannot provide assurance that we will be successful in preventing such breaches or data loss. **Current (2026):** As our dependence on technology has grown, the scope and severity of potential risks from cyber-attacks and security threats have increased. We expect that the rapid evolution and increased adoption of artificial intelligence have heightened and will continue to heighten those risks. Many of our information technology systems and the systems of our third-party business partners (whether cloud-based or hosted in proprietary servers) contain personal, financial or other information of our guests, employees, and business partners, and confidential information about our business, such as business strategies, financial results, development initiatives, and confidential information about third parties, such as suppliers. Similar to many other restaurant companies, we have in the past experienced, and we expect to continue to experience, cyber-attacks, including phishing, and other attempts to breach, or gain unauthorized access to, our systems and databases and we expect the number and frequency of these attempts to increase as the scope and scale of our technology footprint and digital operations increases. In addition, individuals performing work for us and our third-party business partners may access some of this data, including on personally owned digital devices. To the extent we, a third party or any such individual were to experience a breach of our or their information technology systems that results in the unauthorized access, theft, use, destruction or other compromises of guests' or employees' data or confidential information of Chipotle, including through cyber-attacks or other external or internal methods, it could have an adverse impact on our reputation and brand and we could experience a material loss of revenues, a decrease in our ability to retain guests or attract new ones, the imposition of potentially significant costs (including loss of data or payment for recovery of data) and liabilities, loss of business partners and the disruption to our supply chain and business plans. Unauthorized access, theft, use, destruction or other compromises are becoming increasingly sophisticated and may occur through a variety of methods, including attacks using malicious code, vulnerabilities in software, hardware or other infrastructure (including systems used by our supply chain), system misconfigurations, phishing, deepfakes, ransomware, malware or social engineering. Our logging capabilities, or the logging capabilities of third parties, are not always complete or sufficiently granular, affecting our ability to fully understand the scope of security breaches. Given the increasing complexity and sophistication of techniques used by bad actors to obtain unauthorized access to or disable information technology systems, and the fact that cyberattacks are being made by groups and individuals with a wide range of expertise and motives, it is increasingly difficult to anticipate, defend against and detect cyberattacks. A cyberattack could occur and persist for an extended period of time before we detect it. Moreover, the extent of a particular cyber incident and the steps that we may need to take to investigate the incident may not be immediately clear, and it may take a significant amount of time before such investigation can be finalized and completed and reliable information about the incident is known. During the pendency of any such investigation, we may not know the extent of the harm or how best to remediate it, and we may be required to disclose incidents before their full extent is known. Such security breaches also could result in a violation of applicable U.S. and international privacy, cyber and other laws or trigger data breach notification laws, including under the SEC's disclosure rules, and subject us to private third party or securities litigation and governmental investigations and proceedings, any of which could result in our exposure to material civil or criminal liability. These risks also exist in companies that license our brand, that we partner with or invest in that use separate information systems. We may be required to make significant capital investments and other expenditures to investigate security incidents, remedy cybersecurity problems, recuperate lost data, prevent future compromises and adapt systems and practices to react to the changing threat environment. These include costs associated with notifying affected individuals and other agencies, additional security technologies and training, hiring additional employees, retention of experts and providing credit monitoring services for individuals whose data has been breached. These costs could be material and could adversely impact our results of operations in the period in which they are incurred, including by causing us to delay the pursuit of other important business strategies and initiatives, and may not meaningfully limit the success of future attempts to breach our information technology systems. --- ## Modified: Shortages or interruptions in the supply of ingredients could adversely affect our operating results. **Key changes:** - Reworded sentence: "Our business is dependent on frequent and consistent deliveries of ingredients that comply with our Food with Integrity specifications, such as dairy (for cheese, sour cream and queso), and beef, pork and chicken that meets our Responsibly Raised requirements." - Reworded sentence: "Several states have adopted, and others are considering adopting, extended producer requirement (EPR) laws covering end-of-life management of packaging, which aim to reduce waste and encourage sustainable product design through fees and processing requirements." - Added sentence: "14 14 14 Table of Contents Table of Contents" **Prior (2025):** Our business is dependent on frequent and consistent deliveries of ingredients that comply with our Food with Integrity specifications, such as dairy (for cheese, sour cream and queso) and chicken that meets our Responsibly Raised requirements. We may experience shortages, delays or interruptions in the supply of ingredients and other supplies to our restaurants due to higher or more lucrative demand from other sources; inclement weather or natural disasters; animal disease outbreaks (such as avian flu); social or labor unrest; shortages of agricultural workers (including due to changes in immigration laws); operational disruptions at our suppliers, distributors or transportation providers (including due to cyberattacks, malware or ransomware); financial distress or insolvency of suppliers or distributors, or the inability of suppliers or distributors to manage adverse business conditions; or other conditions beyond our control. Ongoing global conflicts have disrupted and could continue to disrupt some shipping routes, which could result in shortages or delays of certain ingredients and packaging. In addition, we have a single or a limited number of suppliers for some of our ingredients, including lemon and lime juice, tomatoes and adobo. Although we believe we have potential alternative suppliers and sufficient reserves of ingredients, shortages or interruptions in our supply of ingredients could adversely affect our financial results. **Current (2026):** Our business is dependent on frequent and consistent deliveries of ingredients that comply with our Food with Integrity specifications, such as dairy (for cheese, sour cream and queso), and beef, pork and chicken that meets our Responsibly Raised requirements. We may experience shortages, delays or interruptions in the supply of ingredients and other supplies to our restaurants due to higher or more lucrative demand from other sources; inclement weather or natural disasters; animal disease outbreaks (such as avian flu); social or labor unrest; shortages of agricultural workers (including due to changes in immigration laws); operational disruptions at our suppliers, distributors or transportation providers (including due to cyberattacks, malware or ransomware); financial distress or insolvency of suppliers or distributors, or the inability of suppliers or distributors to manage adverse business conditions; or other conditions beyond our control. Several states have adopted, and others are considering adopting, extended producer requirement (EPR) laws covering end-of-life management of packaging, which aim to reduce waste and encourage sustainable product design through fees and processing requirements. We could incur shortages of or increased costs for certain food packaging we use due to changes made by our suppliers to comply with these EPR laws. In addition, we have a limited number of suppliers for some of our ingredients, including lemon and lime juice, tomatoes and adobo. Although we believe we have potential alternative suppliers and sufficient reserves of ingredients, shortages or interruptions in our supply of ingredients could adversely affect our financial results. 14 14 14 Table of Contents Table of Contents --- ## Modified: We are subject to evolving public disclosure obligations, including with respect to sustainability matters, which could expose us to numerous risks and could adversely affect our reputation and results of operations. **Key changes:** - Removed sentence: "In addition, investors, guests and other stakeholders increasingly are focusing on sustainability matters and related disclosures." - Reworded sentence: "For example, measuring Scope 1, 2 and 3 greenhouse gas emissions relating to our business, developing reduction plans and initiatives, and creating and disclosing achievable reduction goals can be costly, difficult and time consuming and is subject to evolving reporting standards, including California's Climate Corporate Data Accountability Act and Climate-Related Financial Risk Act, and similar proposals by other national, local and international regulatory agencies." - Reworded sentence: "We previously announced that we had set science-based targets validated by the Science Based Targets Initiative to reduce absolute Scope 1, 2 and 3 greenhouse gas emissions 50% by 2030 from a 2019 base year, and achievement of this goal is subject to risks and uncertainties, including the challenge of lowering emissions from a 2019 base year as the number of restaurants we operate has increased significantly since 2019 and continues to increase." - Removed sentence: "In addition, statements about our sustainability-related initiatives and goals, and progress toward those goals, may be based on standards for measuring progress that are still developing, internal controls and processes that continue to evolve, and assumptions that are subject to change in the future." - Removed sentence: "If we are unable to meet our sustainability-related goals or evolving stakeholder or industry expectations and standards, or if we are perceived to have not responded appropriately to the growing concern for sustainability issues, investors, guests and other stakeholders may choose to patronize a competitor that they perceive to be more responsive, and our reputation, business or financial condition may be adversely affected." **Prior (2025):** We are subject to evolving disclosure obligations promulgated by governmental and regulatory organizations relating to sustainability factors that impact our business. These disclosure obligations are complex and not always consistent, making compliance difficult and uncertain. In addition, investors, guests and other stakeholders increasingly are focusing on sustainability matters and related disclosures. We have incurred and expect to continue to incur increased expenses and management time and attention to comply with these disclosure obligations and stakeholder expectations. For example, measuring Scope 1, 2 and 3 greenhouse gas emissions relating to our business, developing reduction plans and initiatives, and creating and disclosing achievable reduction goals can be costly, difficult and time consuming and is subject to evolving reporting standards, including California's Climate Corporate Data Accountability Act, California's Greenhouse Gases: Climate-Related Financial Risk Bill and similar proposals by other national, local and international regulatory agencies. We may also communicate certain initiatives, goals and strategies regarding environmental sustainability and human capital management related matters, such as workforce metrics, responsible sourcing and social investments in our SEC filings or in other public disclosures. We previously announced that we had set science-based targets validated by the Science Based Targets Initiative to reduce absolute Scope 1, 2 and 3 greenhouse gas emissions 50% by 2030 from a 2019 base year, and achievement of this goal is subject to risks and uncertainties, many of which are outside of our control. Achievement of this goal may prove to be more difficult and costly than we anticipate. In addition, statements about our sustainability-related initiatives and goals, and progress toward those goals, may be based on standards for measuring progress that are still developing, internal controls and processes that continue to evolve, and assumptions that are subject to change in the future. If we are unable to meet our sustainability-related goals or evolving stakeholder or industry expectations and standards, or if we are perceived to have not responded appropriately to the growing concern for sustainability issues, investors, guests and other stakeholders may choose to patronize a competitor that they perceive to be more responsive, and our reputation, business or financial condition may be adversely affected. If our sustainability-related data, processes and reporting are incomplete or inaccurate, or if we fail to achieve progress with respect to our sustainability goals on a timely basis, or at all, our reputation, business, financial performance and growth could be adversely affected. In addition, we could be criticized by anti-ESG stakeholders for the scope or nature of our sustainability initiatives or goals or for any revisions to these goals. We could also be subjected to negative responses by governmental actors (such as anti-ESG legislation or retaliatory legislative treatment) or consumers (such as boycotts or negative publicity campaigns) that could adversely affect our reputation, business, financial performance and growth. 19 19 19 Table of Contents Table of Contents **Current (2026):** We are subject to evolving disclosure obligations promulgated by governmental and regulatory organizations relating to sustainability factors that impact our business. These disclosure obligations are complex and not always consistent, making compliance difficult and uncertain. We have incurred and expect to continue to incur increased expenses and management time and attention to comply with these disclosure obligations and stakeholder expectations. For example, measuring Scope 1, 2 and 3 greenhouse gas emissions relating to our business, developing reduction plans and initiatives, and creating and disclosing achievable reduction goals can be costly, difficult and time consuming and is subject to evolving reporting standards, including California's Climate Corporate Data Accountability Act and Climate-Related Financial Risk Act, and similar proposals by other national, local and international regulatory agencies. We may also communicate certain initiatives, goals and strategies regarding environmental sustainability and human capital management related matters, such as workforce metrics, responsible sourcing and social investments in our SEC filings or in other public disclosures. We previously announced that we had set science-based targets validated by the Science Based Targets Initiative to reduce absolute Scope 1, 2 and 3 greenhouse gas emissions 50% by 2030 from a 2019 base year, and achievement of this goal is subject to risks and uncertainties, including the challenge of lowering emissions from a 2019 base year as the number of restaurants we operate has increased significantly since 2019 and continues to increase. Achievement of this goal may prove to be more difficult and costly than we anticipate. In addition, we could be criticized by anti-ESG stakeholders for the scope or nature of our sustainability initiatives or goals or for any revisions to these goals. We could also be subjected to negative responses by governmental actors (such as anti-ESG legislation or retaliatory legislative treatment) or consumers (such as boycotts or negative publicity campaigns) that could adversely affect our reputation, business, financial performance and growth. --- ## Modified: If we fail to fully comply with privacy and data protection laws and regulations, we could incur significant civil and criminal penalties and liabilities, suffer reputational damage, and adverse publicity. **Key changes:** - Reworded sentence: "These privacy, consumer protection, and data protection laws and regulations are quickly evolving, with new or modified laws and regulations proposed and implemented frequently and existing laws and regulations subject to new or different interpretations and enforcement." **Prior (2025):** Complex local, state, federal and international laws and regulations apply to the collection, use, retention, protection, disclosure, transfer and other processing of personal data. These privacy and data protection laws and regulations are quickly evolving, with new or modified laws and regulations proposed and implemented frequently and existing laws and regulations subject to new or different interpretations and enforcement. Complying with these laws and regulations can be costly and can delay or impede the development of new services. 14 14 14 Table of Contents Table of Contents For example, Europe's General Data Protection Regulation ("GDPR") and the U.K. General Data Protection Regulation (which implements the GDPR into U.K. law), impose stringent data protection requirements and provide for significant penalties for noncompliance. Additionally, the California Consumer Privacy Act ("CCPA") requires, among other things, covered companies to provide specified disclosures to California consumers and allows them to exercise certain rights in connection with their personal information, such as the right to opt-out of certain sales of personal information and to request deletion of personal information (subject to certain exceptions). The CCPA also provides for civil penalties for violations as well as a private right of action for data breaches that may increase data breach litigation. Further, the California Privacy Rights Act, which became effective in January 2023, significantly modified the CCPA to include additional compliance obligations. Since the CCPA was first passed, 19 other states have enacted similar data privacy legislation, eight of which are in effect as of the end of 2024. In addition, a number of other states have passed or are considering additional privacy laws, including laws on health data and biometric data that are in effect, or are expected to take effect in the near future. These state privacy laws will require us to incur additional costs and expenses in our efforts to comply. If we fail or are perceived to have failed to comply with applicable privacy and data protection laws, or fail to properly respond to or honor consumer requests under any of the foregoing privacy laws, we could be subject to enforcement actions and regulatory investigations, or claims for damages by guests and other affected individuals or parties, or incur fines and damage to our brand reputation, any of which could have a material adverse effect on our operations, financial performance, and business. The amount and scope of insurance we maintain may not cover all types of claims that may arise. **Current (2026):** Complex local, state, federal and international laws and regulations apply to the collection, use, retention, protection, disclosure, transfer and other processing of personal data. These privacy, consumer protection, and data protection laws and regulations are quickly evolving, with new or modified laws and regulations proposed and implemented frequently and existing laws and regulations subject to new or different interpretations and enforcement. Complying with these laws and regulations is costly and can delay or impede the development of new services or the continued use of existing services or data. 13 13 13 Table of Contents Table of Contents If we fail or are perceived to have failed to comply with applicable privacy, consumer protection, and data protection laws, or to properly respond to or honor individual requests under such laws, we may face enforcement actions, regulatory investigations, and oversight, consent orders limiting our ability to use data or requiring data or model disgorgement, or claims for damages by guests and other affected parties. The matters could result in regulatory fines, civil actions, reputational harm, any of which could materially adversely effect on our operations, financial performance, and business. The amount and scope of insurance we maintain may not cover all types of claims that may arise. --- ## Modified: Our financial condition and results of operations have been, and may continue to be, adversely affected by a number of macroeconomic and other factors, many of which are largely outside our control. **Key changes:** - Reworded sentence: "Restaurant dining generally is dependent upon consumer discretionary spending, which may be affected by macroeconomic conditions that are beyond our control." - Reworded sentence: "If economic uncertainty persists, guests may adopt lasting changes in spending habits, potentially affecting our sales, profitability, and growth plans." - Removed sentence: "20 20 20 Table of Contents Table of Contents" **Prior (2025):** Restaurant dining generally is dependent upon consumer discretionary spending, which may be affected by general economic conditions that are beyond our control. Increasing or prolonged high inflation, international, domestic and regional economic conditions, consumer income levels, financial market volatility, a slow or stagnant pace of economic growth, mass layoffs, rising energy costs, rising interest rates, social unrest, military conflicts and governmental, political and budget concerns or divisions may have a negative effect on consumer confidence and discretionary spending. Persistent inflation and concern about a prolonged economic downturn may lead consumers to decrease their discretionary spending. A significant decrease in guest traffic or average transaction size would negatively impact our financial performance. The actual or perceived threat of a pandemic or communicable disease, terrorist attack, mass shooting, heightened security requirements, including cybersecurity, or a failure to protect information systems for critical infrastructure, such as the electrical grid and telecommunications systems, could harm our operations, the economy or consumer confidence generally. Any of the above factors or other unfavorable changes in business and economic conditions affecting our guests could increase our costs, reduce traffic in our restaurants or limit our ability to increase pricing, any of which could lower our profit margins and have a material adverse effect on our sales, financial condition and results of operations. These factors also could cause us to, among other things, reduce the number and frequency of new restaurant openings, close restaurants or delay remodeling of our existing restaurant locations. Further, poor economic conditions may force nearby businesses to shut down, which could reduce traffic to our restaurants or cause our restaurant locations to be less attractive. In addition, we purchase ingredients, packaging and equipment from both U.S. and international suppliers and we may need to increase our menu prices in response to increased inflation, higher taxes, new tariffs on imported goods, wage increases due to a tighter job market and other macro-economic factors. Higher menu prices or the perceived value of our meals relative to competitors may lead consumers to reduce their spending in our restaurants or switch to competitors' value or lower-priced meals. If competitive or other factors prevent us from offsetting these higher costs through menu price increases, our profitability may decline. 20 20 20 Table of Contents Table of Contents **Current (2026):** Restaurant dining generally is dependent upon consumer discretionary spending, which may be affected by macroeconomic conditions that are beyond our control. A prolonged economic downturn or slow recovery may reduce consumer spending, leading to lower demand or shifts to lower-priced options. Factors such as unemployment, inflation, interest rate changes, taxes, access to credit, public health crises, trade disputes, and geopolitical instability can all impact consumer behavior, including discretionary spending, potentially reducing demand for our products. A significant decrease in guest traffic or average transaction size would negatively impact our financial performance. If economic uncertainty persists, guests may adopt lasting changes in spending habits, potentially affecting our sales, profitability, and growth plans. 18 18 18 Table of Contents Table of Contents Our operating results have been, and will continue to be, subject to a number of other macroeconomic and other factors, many of which are largely outside our control. Any one or more of the factors listed below could have a material adverse impact on our business, financial condition, or results of operations: •Rising real estate costs in certain markets; •Supply chain disruptions; •Climate change and extreme weather affecting costs and availability of ingredients; •Changes in tax laws and government regulations, such as the One Big Beautiful Bill Act, enacted in the U.S. in July 2025; •Adverse litigation outcomes; •Inflation and interest rate fluctuations; •Natural or man-made disasters disrupting major markets; •Government shutdowns and election-related impacts globally, including regime change and political and civil unrest; •Terminations of or changes in existing trade agreements among the countries in which we purchase ingredients; and •Tariffs imposed on commodities or goods, including recent tariffs imposed or threatened to be imposed by the U.S. on other countries, and any retaliation measures taken by such countries. These factors also could cause us to, among other things, reduce the number and frequency of new restaurant openings, close restaurants or delay remodeling of our existing restaurant locations. Further, poor economic conditions may force nearby businesses to shut down, which could reduce traffic to our restaurants or cause our restaurant locations to be less attractive. In addition, we purchase ingredients, packaging and equipment from both U.S. and international suppliers and we may need to increase our menu prices in response to increased inflation, higher taxes, new tariffs on imported goods, wage increases due to a tighter job market and other macro-economic factors. Higher menu prices or the perceived value of our meals relative to competitors may lead consumers to reduce their spending in our restaurants or switch to competitors' value or lower-priced meals. If competitive or other factors prevent us from offsetting these higher costs through menu price increases, our profitability may decline. --- *Data sourced from SEC EDGAR. Last updated 2026-05-11.*