--- ticker: EXR company: Extra Space Storage Inc. filing_type: 10-K year_current: 2024 year_prior: 2023 risks_added: 2 risks_removed: 1 risks_modified: 3 risks_unchanged: 25 source: SEC EDGAR url: https://riskdiff.com/exr/2024-vs-2023/ markdown_url: https://riskdiff.com/exr/2024-vs-2023/index.md generated: 2026-05-11 --- # Extra Space Storage Inc.: 10-K Risk Factor Changes 2024 vs 2023 > Source: U.S. Securities and Exchange Commission (EDGAR) > Generated: 2026-05-11 > All data extracted directly from official filings. No hallucinated content. > **[AI-Generated Summary]** The paragraph below was produced by a language > model and may contain errors. All other content on this page is deterministically > extracted from the original SEC filing. > Extra Space Storage added two material risk disclosures in 2024 centered on post-acquisition integration challenges from the Life Storage business combination and credit rating downgrade vulnerability, while removing outdated guidance on LIBOR transition. The three substantively modified risks reflect the company's evolving operational priorities, particularly regarding pandemic-related disruptions, technology infrastructure resilience, and data privacy compliance obligations. --- ## Summary | Status | Count | |--------|-------| | New risks added | 2 | | Risks removed | 1 | | Risks modified | 3 | | Unchanged | 25 | --- ## New in Current Filing: We face continuing risks and costs in connection with integrating the Life Storage business following our business combination with Life Storage, Inc. ("Life Storage") in July 2023, and we may not be able to successfully realize the synergies and other benefits of the acquisition or do so within the anticipated time frame. The acquisition of Life Storage involves the combination of two companies that previously operated as independent public companies and their respective operating partnerships. Although we believe the combined company has benefited from the elimination of duplicative costs associated with supporting a public company platform, we have devoted, and will continue to devote, significant management attention and resources to integrating the operations of Extra Space and Life Storage. Although much of Life Storage's business is integrated, we may encounter costs and difficulties in the continuing integration process include the following: •the inability to fully combine the operations of Life Storage into our business, including the integration of employees, customer records and maintaining cybersecurity protections, in a manner that permits us to achieve the cost savings anticipated to result from the transaction; •the inability to dispose of former Life Storage assets or operations that we may desire to dispose of; •the difficulties of operating separate brands and the costs of potentially rebranding Life Storage stores over an extended period of time; •the complexities associated with managing the combined businesses out of different locations and integrating personnel from the two companies; •the failure to retain key employees of either of the two companies; •potential unknown liabilities and unforeseen increased expenses, delays or regulatory conditions associated with the Life Storage business; and •performance shortfalls as a result of the diversion of management's attention caused by completing the Life Storage transaction and integrating the companies' operations. For all these reasons, it is possible that the continuing integration process could result in the distraction of our management and ongoing business or inconsistencies in our operations, services, standards, controls, procedures and policies, any of which could adversely affect our ability to maintain relationships with customers, vendors and employees or to achieve the anticipated benefits of the Life Storage transaction, or could otherwise adversely affect our business and financial results. 10 10 10 --- ## New in Current Filing: A downgrade in our credit ratings could materially adversely affect our business and financial condition and the market value of our outstanding notes. The credit ratings assigned to the outstanding publicly-traded notes and other debt securities of the operating partnership could change based upon, among other things, our results of operations and financial condition. These ratings are subject to ongoing evaluation by credit rating agencies, and we cannot assure you that any rating will not be changed or withdrawn by a rating agency in the future if, in its judgment, circumstances warrant. Moreover, these credit ratings are not recommendations to buy, sell or hold the notes or any other securities. If any of the credit rating agencies that have rated the outstanding notes or other debt securities of the operating partnership downgrades or lowers its credit rating, or if any credit rating agency indicates that it has placed any such rating on a so-called "watch list" for a possible downgrading or lowering or otherwise indicates that its outlook for that rating is negative, it could have a material adverse effect on our costs and availability of capital, which could in turn have a material adverse effect on our financial condition, results of operations, cash flows and our ability to satisfy our debt service obligations (including payments on the outstanding notes) and to make dividends and other distributions to our security holders and could also have the material adverse effect on the market value of the outstanding notes. --- ## No Match in Current: Changes in the method pursuant to which the London Interbank Offered Rate ("LIBOR") is determined and the transition to other benchmarks may adversely affect our financial results. *This section from the 2023 filing does not have a high-confidence textual match in 2024. It may have been removed, merged, or substantially reworded.* LIBOR and certain other "benchmarks" have been the subject of continuing national, international and other regulatory guidance and proposals for reform. In July 2017, the United Kingdom's Financial Conduct Authority ("FCA"), which regulates LIBOR, publicly announced that it intends to phase out LIBOR, and on March 5, 2021, the FCA announced that USD LIBOR will no longer be provided by any administrator or no longer be representative immediately after December 31, 2021, in the case of one week and two month USD settings, and immediately after June 30, 2023, in the case of the remaining USD settings. In anticipation of the planned discontinuation of LIBOR, we have converted most of our contracts from LIBOR to the Secured Overnight Financing Rate ("SOFR"), and expect to have converted all remaining contracts indexed to LIBOR to SOFR by June 30, 2023. SOFR is a measure of the cost of borrowing cash overnight, collateralized by U.S. Treasury securities, and is based on directly observable U.S. Treasury-backed repurchase transactions. The ongoing transition from LIBOR to SOFR has and may continue to impact our business, including by affecting interest on loans and amounts received and paid on derivative instruments. These risks arise in connection with transitioning contracts to an alternative rate, including any resulting value transfer that may occur, and may vary by contract. The value of loans, securities, or derivative instruments tied to LIBOR, as well as interest rates on our current or future indebtedness, have been and will continue to be impacted by the transition from LIBOR to SOFR or other benchmark rates. In addition, transitioning to an alternative reference rate can be challenging, especially if we cannot agree with the respective counterparty about how to make the transition. These risks may have a material adverse effect on our financing costs, and as a result, our financial condition, operating results and cash flows. --- ## Modified: Public health emergencies, and measures intended to prevent the spread of a public health emergency, could adversely affect our results of operations. **Key changes:** - Reworded sentence: "We face risks related to public health emergencies, such as epidemics and pandemics that could materially and adversely impact our results of operations in the future." - Reworded sentence: "Although the self-storage industry has historically been resilient to ordinary market downturns, the impact of pandemics, epidemics or public health emergencies on the U.S." **Prior (2023):** We face risks related to public health emergencies, such as epidemics and pandemics, including the COVID-19 pandemic, which impacted our business in 2020, and could materially and adversely impact our results of operations in the future. The impact of a public health emergency, and measures to prevent the spread of a virus or the underlying causes of a health crisis, could lower demand for storage facilities due to, among other things, stay-at home orders and other restrictions which may lead to lower rental rates, reduced late fee collection and impaired ability to hold auctions resulting in higher accounts receivable and bad debt. In addition, a public health emergency could cause general economic and market disruptions which could impair our ability to expand our business, raise capital and adversely affect the value of our securities. Although the self-storage industry has historically been resilient to ordinary market downturns, the impact of the COVID-19 pandemic and other pandemics, epidemics or public health emergencies on the U.S. and world economies generally, and on our future results in particular, could be significant and will largely depend on future developments, which are highly uncertain and cannot be predicted. **Current (2024):** We face risks related to public health emergencies, such as epidemics and pandemics that could materially and adversely impact our results of operations in the future. The impact of a public health emergency, and measures to prevent the spread of a virus or the underlying causes of a health crisis, could lower demand for storage facilities due to, among other things, stay-at home orders and other restrictions which may lead to lower rental rates, reduced late fee collection and impaired ability to hold auctions resulting in higher accounts receivable and bad debt. In addition, a public health emergency could cause general economic and market disruptions which could impair our ability to expand our business, raise capital and adversely affect the value of our securities. Although the self-storage industry has historically been resilient to ordinary market downturns, the impact of pandemics, epidemics or public health emergencies on the U.S. and world economies generally, and on our future results in particular, could be significant and will largely depend on future developments, which are highly uncertain and cannot be predicted. --- ## Modified: We and our vendors rely on information technology, and any material failure, inadequacy, interruption or security incident affecting that technology could harm our business, results of operations and financial condition. **Key changes:** - Reworded sentence: "We rely on information technology networks and systems, including the Internet, to process, transmit and store confidential information, and to manage or support a variety of business processes, including financial transactions and records, intellectual property, proprietary business information, and personal information of our employees, contractors and customers, such as tenant and lease data (collectively, "Confidential Information")." - Reworded sentence: "ransomware), misconfigurations, bugs or other vulnerabilities, malicious code, natural disasters, terrorism, war, telecommunication and electrical failures, hacking, cyberattacks, phishing attacks and other social engineering schemes, employee theft or misuse, human error fraud, denial or degradation of service attacks, and sophisticated nation-state and nation-state-supported actors." - Reworded sentence: "Any failure to maintain the proper functioning, confidentiality, security and availability of our or our third-party service providers' information technology systems or our Confidential Information could interrupt our 11 11 11 operations, damage our reputation, divert significant management attention and resources to remedy any damages that result, subject us to liability and claims or regulatory investigations and enforcement actions, which could result in, among other things, fines and penalties, and have a material adverse effect on our business, financial condition and results of operations." **Prior (2023):** We rely on information technology networks and systems, including the Internet, to process, transmit and store electronic information, and to manage or support a variety of business processes, including financial transactions and records, personally identifiable information, and tenant and lease data. We purchase some of our information technology from vendors, on whom our systems depend. We rely on commercially available systems, software, tools and monitoring to provide security for processing, transmission and storage of confidential tenant and other sensitive information. Our information technology systems and those of our third-party service providers, strategic partners and other contractors or consultants are vulnerable to attack and damage or interruption from computer viruses and malware (e.g. ransomware), malicious code, natural disasters, terrorism, war, telecommunication and electrical failures, hacking, cyberattacks, phishing attacks and other social engineering schemes, employee theft or misuse, human error (e.g., social engineering, phishing), fraud, denial or degradation of service attacks, sophisticated nation-state and nation-state-supported actors or unauthorized access or use by persons inside our organization, or persons with access to systems inside our organization. Although we have taken steps to protect the security of our information systems and the data maintained in those systems, it is possible that our safety and security measures will not be able to prevent the systems' improper functioning or damage, or the improper access or disclosure of personally identifiable information such as in the event of cyber-attacks. Security breaches, including physical or electronic break-ins, computer viruses, attacks by hackers and similar breaches, can create system disruptions, shutdowns or unauthorized disclosure of confidential information. We and certain of our service providers are from time to time, subject to cyberattacks and security incidents. While to date, we do not believe that we have experienced any significant system failure, accident or security breach, this risk has generally increased as the number, intensity and sophistication of such breaches and attempted breaches from around the world have increased. Furthermore, because the technologies used to obtain unauthorized access to, or to sabotage or disrupt, systems change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques or implement adequate preventative measures. We may also experience security breaches that may remain undetected for an extended period. Even if identified, we may be unable to adequately investigate or remediate incidents or breaches due to attackers increasingly using tools and techniques that are designed to circumvent controls, to avoid detection, and to remove or obfuscate forensic evidence. Any failure to maintain proper function, security and availability of our information systems could interrupt our operations, damage our reputation, divert significant management attention and resources to remedy any damages that result, subject us to liability claims or regulatory penalties and have a material adverse effect on our business and results of operations. Further, our insurance coverage may not be sufficient to cover the financial, legal, business or reputational losses that may result from an interruption or breach of our systems. **Current (2024):** We rely on information technology networks and systems, including the Internet, to process, transmit and store confidential information, and to manage or support a variety of business processes, including financial transactions and records, intellectual property, proprietary business information, and personal information of our employees, contractors and customers, such as tenant and lease data (collectively, "Confidential Information"). We also rely on third-party vendors for information technology and services, including commercially available systems, software, tools and monitoring to provide security for the processing, transmission and storage of Confidential Information. Our information technology systems and those of our third-party service providers, strategic partners and other contractors or consultants are vulnerable to attack and damage or interruption from computer viruses and malware (e.g. ransomware), misconfigurations, bugs or other vulnerabilities, malicious code, natural disasters, terrorism, war, telecommunication and electrical failures, hacking, cyberattacks, phishing attacks and other social engineering schemes, employee theft or misuse, human error fraud, denial or degradation of service attacks, and sophisticated nation-state and nation-state-supported actors. Although we have taken steps to protect the security of our information technology systems and Confidential Information, it is possible that our cybersecurity risk management program and processes, including our policies, safety and security measures will not be fully implemented, complied with or able to prevent such systems' improper functioning or damage, or the improper accessing or disclosure of Confidential Information, from such security breaches, disruptions, and shutdowns. The costs associated with the investigation, remediation and potential notification of such breaches to counter-parties and data subjects could be material. We and certain of our service providers are, from time to time, subject to cyberattacks and security incidents. While to date, we do not believe that we have experienced any significant system failure, accident or security breach, this risk has generally increased as the number, intensity and sophistication of such breaches and attempted breaches from around the world have increased. Furthermore, because the technologies used to obtain unauthorized access to, or to sabotage or disrupt, systems change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques or implement adequate preventative measures. We may also experience security breaches that may remain undetected for an extended period. Even if identified, we may be unable to adequately investigate or remediate incidents or breaches due to attackers increasingly using tools and techniques that are designed to circumvent controls, to avoid detection, and to remove or obfuscate forensic evidence. Any failure to maintain the proper functioning, confidentiality, security and availability of our or our third-party service providers' information technology systems or our Confidential Information could interrupt our 11 11 11 operations, damage our reputation, divert significant management attention and resources to remedy any damages that result, subject us to liability and claims or regulatory investigations and enforcement actions, which could result in, among other things, fines and penalties, and have a material adverse effect on our business, financial condition and results of operations. Further, our insurance coverage may not be sufficient to cover the financial, legal, business or reputational losses that may result from an interruption or breach of our systems. --- ## Modified: Actual or perceived failures to comply with laws and regulations relating to data privacy and protection, could adversely affect our business, results of operations, and our financial condition. **Key changes:** - Reworded sentence: "In the United States, both federal and various state governments have adopted, or are considering, laws, guidelines or rules for the collection, distribution, use, storage and security of personal information, and we are or may become subject to such obligations with respect to information collected from or about our employees, contractors or customers." **Prior (2023):** In the United States, both federal and various state governments have adopted, or are considering, laws, guidelines or rules for the collection, distribution, use and storage of information collected from or about consumers or their devices. For example, the California Consumer Privacy Act of 2018 ("CCPA") went into effect on January 1, 2020, and creates individual privacy rights for California consumers and increases the privacy and security obligations of entities handling certain personal information. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches that has increased the likelihood of, and risks associated with, data breach litigation. Further, the California Privacy Rights Act ("CPRA") generally went into effect in January 2023, and significantly amends the CCPA and will impose additional data protection obligations on covered businesses, including additional consumer rights processes, limitations on data uses, new audit requirements for higher risk data, and opt outs for certain uses of sensitive data. It also creates a new California data protection agency authorized to issue substantive regulations and could result in increased privacy and information security enforcement. Additional compliance investment and potential business process changes may be required. Similar laws have passed in Virginia, Utah, Connecticut and Colorado, and have been proposed in other states and at the federal level, reflecting a trend toward more stringent privacy legislation in the United States. The enactment of such laws could have potentially conflicting requirements that would make compliance challenging. Although we work to comply with applicable laws, regulations and standards, our contractual obligations and other legal obligations, these requirements are evolving and may be modified, interpreted and applied in an inconsistent manner from one jurisdiction to another, and may conflict with one another or other legal obligations with which we must comply. Any failure or perceived failure by us or our employees, representatives, contractors, consultants, collaborators, or other third parties to 10 10 10 comply with such requirements or adequately address privacy and security concerns, even if unfounded, could result in additional cost and liability to us, damage our reputation, and adversely affect our business and results of operations. **Current (2024):** In the United States, both federal and various state governments have adopted, or are considering, laws, guidelines or rules for the collection, distribution, use, storage and security of personal information, and we are or may become subject to such obligations with respect to information collected from or about our employees, contractors or customers. For example, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, requires certain businesses that process personal information of California residents to, among other things: provide certain disclosures to California residents regarding the business's collection, use, and disclosure of their personal information; receive and respond to requests from California residents to access, delete, and correct their personal information, or to opt-out of certain disclosures of their personal information; and enter into specific contractual provisions with service providers that process California resident personal information on the business's behalf. Although we work to comply with applicable laws, regulations and standards, our contractual obligations and other legal obligations, these requirements are evolving and may be modified, interpreted and applied in an inconsistent manner from one jurisdiction to another, may conflict with one another or other legal obligations with which we must comply, may require us to incur significant costs, implement new processes, or otherwise affect our ability to use and disclose the information we collect, which could affect our results of operations, business, and financial condition. Any failure or perceived failure by us or our employees, representatives, contractors, consultants, collaborators, or other third parties to comply with such requirements or adequately address privacy and security concerns, even if unfounded, could result in additional cost and liability to us, damage our reputation, and adversely affect our business, financial condition and results of operations. --- *Data sourced from SEC EDGAR. Last updated 2026-05-11.*