IDEXX Laboratories Inc.: 10-K Risk Factor Changes

We are subject to risks associated with public health issues, including pandemics and other events beyond our control. Public health issues and crises may adversely impact our operations, supply chain and logistics network if the locations where we operate, manufacture or distribute our products; where our raw materials or product components are sourced, manufactured or distributed; or where our third-party distributors, suppliers and other service providers operate, are disrupted, temporarily closed or experience worker shortages for a sustained period of time. In addition, public health issues and crises may adversely impact our customers’ businesses due to business lockdowns, decreased companion animal clinical visits, labor shortages, the delay of elective procedures and wellness visits, and disruption of veterinary clinic and other customer operations, all of which 28 28 28 could cause a decline in demand for our products and services. These disruptions could also cause economic slowdowns or increased economic uncertainty. A future public health issue, pandemic, or outbreak could lead to delays in the manufacturing and supply of products, or adversely affect the ability of the USDA, FDA, EPA or other government agencies to timely review and process our regulatory submissions, which could have a material adverse effect on our business and results of operations. Moreover, any future public health issue, pandemic, or outbreak could result in the imposition of new governmental restrictions, quarantine requirements or other public health measures, which could result in closures or other restrictions that significantly disrupt our operations or those of our third-party distributors, suppliers or other service providers, or otherwise adversely affect our customers’ businesses or operations, or result in actual or perceived economic weakness or slowdowns in one or more of our key geographies, any of which could adversely affect our financial condition.

We are subject to risks associated with public health issues, including pandemics and other events beyond our control. Public health issues and crises may adversely impact our operations, supply chain and logistics network if the locations where we operate, manufacture or distribute our products; where our raw materials or product components are sourced, manufactured or distributed; or where our third-party distributors, suppliers and other service providers operate, are disrupted, temporarily closed or experience worker shortages for a sustained period of time. In addition, public health issues and crises may adversely impact our customers’ businesses due to business lockdowns, decreased companion animal clinical visits, labor shortages, the delay of elective procedures and wellness visits, and disruption of veterinary clinic and other customer operations, all of which could cause a decline in demand for our products and services. These disruptions could also cause economic slowdowns or increased economic uncertainty. A future public health issue, pandemic, or outbreak of COVID-19 could lead to delays in the manufacturing and supply of products, which could have a material adverse effect on our business and results of operations. Moreover, any future public health issue such as a resurgence in COVID-19 infections, including due to new variants of the virus for which current vaccines may not be effective, could result in the imposition of new governmental restrictions, quarantine requirements or other measures to slow the spread of the virus, which could result in closures or other restrictions that significantly disrupt our operations or those of our third-party distributors, suppliers or other service providers, or otherwise adversely affect our customers’ businesses or operations, or result in economic weakness or slowdowns in one or more of our key geographies, any of which could adversely affect our financial condition.

We rely on our information systems, as well as third-party information systems, to provide access to our web-based products and services, keep financial records, analyze results of operations, process orders and shipments, manage inventory, store confidential or proprietary information, and operate other critical functions. In addition, some of our products and services include information systems that collect and use data on behalf of customers (e.g., veterinary practice management systems and customer communication tools and services), and some products and services rely on third-party providers for cloud computing and storage. Although we maintain security policies and measures, employ system backup measures, and engage in redundancy planning and processes, such policies, measures, planning and processes, as well as our current disaster recovery plans, may be ineffective or inadequate to address all eventualities. Further, our information systems and our business partners’ and suppliers’ information systems have experienced, and will likely continue to experience, attacks by hackers and other threat actors and other cybersecurity breaches and incidents, including, among other things, computer viruses and malware, ransomware, denial of service actions, phishing schemes, the compromise, misappropriation and/or unauthorized acquisition or disclosure of confidential or otherwise protected information and similar events through the internet (including via devices and applications connected to the internet), and through email attachments and persons with access to these information systems, such as our employees or third parties with whom we do business. The continued use of remote and hybrid work arrangements may additionally result in some increased risk associated with our employees accessing our data and systems remotely. In addition, security industry experts and government officials have warned about the risks of threat actors, such as hackers, nation state actors, and organized groups, targeting U.S. organizations, and recent developments in the cyber threat landscape include the growing use of AI, which could enable or create more sophisticated cybersecurity attacks and increase attack volume and frequency. As information systems and the use of software and related applications by us, our business partners, suppliers, and customers become more cloud-based and connected to the “Internet of Things” (“IoT”), there has been an increase in global cybersecurity vulnerabilities and threats, including more sophisticated and targeted cyber-related attacks that pose a risk to the security of our information systems and networks and the security, confidentiality, availability and integrity of data and information. We process credit card payments electronically over secure networks and offer IoT products and services, such as our connected devices (e.g., IDEXX VetLab instruments). Any such attack or breach could compromise our networks and the information stored thereon could be accessed, publicly disclosed, lost, or stolen. While we have implemented network security and internal control measures, especially for the purpose of protecting our connected products and services from cyberattacks, and invested in our data and information technology infrastructure, these efforts have not always been successful in preventing, and there can be no assurance that these efforts (or any future investments or efforts) will prevent, a system disruption, attack, or security breach. Our software and some of our other products and services incorporate or rely on information technology and systems that are highly technical and complex, and the timely development, testing, release and deployment of software updates are important for defending against security vulnerabilities. If we or our business partners and suppliers fail to timely develop, test and deploy software updates, the security of our and our customers’ networks and information systems may be at risk. Vulnerabilities may persist even after a software update is released if the update fails to address the vulnerability’s root cause or is otherwise insufficient, testing of the update delays its timely deployment, there is a failure to install the most recent updates, or customers persist in using solutions that are end of life and no longer receive updates. Furthermore, updates or other software changes can lead to software or system inoperability or inadvertently introduce security vulnerabilities, including vulnerabilities 25 25 25 that had been previously remedied or from malicious code injected in a “supply chain” cyberattack. In addition, in some cases, we rely on third-party providers to develop, test and release software updates on a timely basis, and there can be no assurance that these third-party providers will timely or effectively remedy vulnerabilities. We, and some of our third-party vendors, have experienced cybersecurity attacks and incidents in the past and will likely experience further attacks and incidents in the future, potentially with more frequency. To our knowledge, none have resulted in any material adverse impact to the Company, our business strategy, results of operations or financial condition. We have adopted measures to mitigate potential risks associated with information technology disruptions and cybersecurity threats; however, given the unpredictability of the timing, nature and scope of such disruptions and the evolving nature of cybersecurity threats, which vary in technique and sources, if we or our business partners or suppliers were to experience a system disruption, attack or security breach or incident that impacts any of our critical functions, or our customers were to experience a system disruption, attack or security breach or incident via any of our software or connected products and services, we could potentially be subject to production downtimes, operational and/or productivity delays, other detrimental impacts on our operations or ability to provide products and services to our customers, the compromise, misappropriation and/or unauthorized acquisition or disclosure of confidential or otherwise protected information, destruction or corruption of data, security breaches, other manipulation or misuse of our systems or networks, financial losses and additional costs from remedial actions, repairs to infrastructure, physical systems or data processing systems, increased cybersecurity and information technology protection costs, loss of business or potential liability, and/or damage to our reputation, any of which could have a material adverse effect on our business strategy, competitive position, results of operations, cash flows, financial condition, or prospects. Additionally, the post-acquisition integration process of acquired companies that may have less sophisticated information systems, cybersecurity practices, or training, may result in an increased risk of cybersecurity incidents. Our customers and/or employees could also face negative consequences such as the compromise of sensitive or critical information or systems. Furthermore, access to, public disclosure of, or other loss of data or information (including any of our confidential or proprietary information or personal data or information) as a result of an attack or security breach or incident has given, and in the future may give, rise to notification obligations to individuals, regulators, customers, employees, and others, and could result in governmental actions or private claims or proceedings, any of which could damage our reputation, cause a loss of confidence in our products and services, damage our ability to develop (and protect our rights to) our differentiated technologies and have a material adverse effect on the Company, our business strategy, financial condition, results of operations or prospects. While we maintain a cyber risk insurance policy intended to address risk of loss due to certain types of cybersecurity events, it may not cover any or all claims, costs or losses associated with such events. For more information regarding personal data and information privacy and data protection risks, refer to “Our operations and reputation may be impaired if we, our products, or our services do not comply with our global privacy policy or evolving laws and regulations regarding data privacy and protection” below.

We rely on our information systems, as well as our third-party business partners’ and suppliers’ information systems, to provide access to our web-based products and services, keep financial records, analyze results of operations, process customer orders, manage inventory, process shipments to customers, store confidential or proprietary information, and operate other critical functions. In addition, some of our products and services include information systems that collect and use data on behalf of customers (e.g., veterinary practice management systems and customer communication tools and services), and some of these products and services rely on third-party providers for cloud computing and storage. Although we maintain security policies, employ system backup measures, and engage in redundancy planning and processes, such policies, measures, planning and processes, as well as our current disaster recovery plans, may be ineffective or inadequate to address all eventualities. Further, our information systems and our business partners’ and suppliers’ information systems have experienced, and will likely continue to experience, attacks by hackers and other security breaches, including, among other things, computer viruses and malware, ransomware, denial of service actions, the compromise, misappropriation and/or unauthorized acquisition or disclosure of confidential or otherwise protected information and similar events through the internet (including via devices and applications connected to the internet), and through email attachments and persons with access to these information systems, such as our employees or third parties with whom we do business. The continued use of remote working and hybrid work-from-home arrangements may additionally result in some increased risk of attacks associated with a number of our employees accessing our data and systems remotely. In addition, security industry experts and government officials have warned about the risks of hackers and cybersecurity attacks targeting U.S. organizations, such as IDEXX, and recent developments in the cyber threat landscape include the growing use of AI, which could enable or create more sophisticated cybersecurity attacks and increase the volume and frequency of attacks. As information systems and the use of software and related applications by us, our business partners, suppliers, and customers become more cloud-based and connected to the “Internet of Things,” which is inherently susceptible to cyberattacks, there has been an increase in global cybersecurity vulnerabilities and threats, including more sophisticated and targeted cyber-related attacks that pose a risk to the security of our information systems and networks and the security, confidentiality, availability and integrity of data and information. We process credit card payments electronically over secure networks and also offer products and services that connect to and are part of the “Internet of Things,” such as our connected devices (e.g., IDEXX VetLab instruments). Any such attack or breach could compromise our networks and the information stored thereon could be accessed, publicly disclosed, lost, or stolen. While we have implemented network security and internal control measures, especially for the purpose of protecting our connected products and services from cyberattacks, and invested in our data and information technology infrastructure, these efforts have not always been successful in preventing, and there can be no assurance that these efforts will in the future prevent, a system disruption, attack, or security breach and, as such, there continues to be risk of system disruptions and security breaches from a cyberattack. We, and some of our third-party vendors, have experienced cybersecurity attacks in the past and will likely experience further attacks in the future, potentially with more frequency. To our knowledge, none have resulted in any material adverse impact to the Company, our business strategy, results of operations or financial condition. We have adopted measures to mitigate potential risks associated with information technology disruptions and cybersecurity threats; however, given the unpredictability of the timing, nature and scope of such disruptions and the evolving nature of cybersecurity threats, which vary in technique and sources, if we or our business partners or suppliers were to experience a system disruption, attack or security breach that impacts any of our critical functions, or our customers were to experience a system disruption, attack or security breach via any of our connected products and services, we could potentially be subject to production downtimes, operational and/or productivity delays, other detrimental impacts on our operations or ability to provide products and services to our customers, the compromise, misappropriation and/or unauthorized acquisition or disclosure of confidential or otherwise protected information, destruction or corruption of data, security breaches, other manipulation or improper use of our systems or networks, financial losses and additional costs from remedial actions, repairs to infrastructure, physical systems or data processing systems, increased cybersecurity and information technology protection costs, loss of business or potential liability, and/or damage to our reputation, any of which could have a material adverse effect on our business strategy, competitive position, results of operations, cash flows, financial condition, or prospects. Our customers and/or employees could also face negative consequences such as the compromise of sensitive or critical information or systems. Furthermore, access to, public disclosure of, or other loss of data or information (including any of our confidential or proprietary information or personal data or information) as a result of an attack or security breach has given, and in the future may give, rise to notification obligations to individuals, regulators, customers, employees, and others, and could result in governmental actions or private claims or proceedings, any of which could damage our reputation, cause a loss of confidence in our products and services, damage our ability to develop (and protect our rights to) our differentiated technologies and have a material adverse effect on the Company, our business strategy, financial condition, results of operations or prospects. For more information regarding personal data and 25 25 25 information privacy and data protection risks, refer to “Our operations and reputation may be impaired if we, our products, or our services do not comply with our global privacy policy or evolving laws and regulations regarding data privacy and protection” below.

Regulators, as well as our investors, customers, employees, and other stakeholders, are increasingly focused on environmental, social, and governance matters, including climate-related issues; human capital matters; and responsible sourcing, human rights, and supply chain. Regulators in the U.S., Europe, and elsewhere are considering or have proposed or adopted various laws, directives or regulations regarding these matters, which include specific, target-driven disclosure requirements or obligations, including the European Union’s Corporate Sustainability Reporting Directive and Corporate Sustainability Due Diligence Directive and California’s Climate Corporate Data Accountability Act and Climate-Related Financial Risk Act. Furthermore, our investors, customers and other stakeholders have additional (and sometimes different or contradictory) expectations. We strive to align our environmental, social and governance goals with our long-term business-strategy and Purpose. Some stakeholders, however, including government regulators, may disagree with some or all of our goals and initiatives. The focus of our various stakeholders may also change and evolve over time, and they may have very different (and sometimes contradictory) views on which matters should be prioritized or even undertaken at all. Meeting these emerging and evolving regulations, standards and expectations will require us to make strategic choices and investments, incur compliance costs, and create new practices, processes, and procedures. In addition, if we fail to comply with applicable regulations, or our practices do not meet evolving investor, customer or other stakeholder expectations and standards, then our reputation, ability to attract, retain employees, relationships with some customers and attractiveness as an investment, business partner, acquiror or product or service provider could be negatively impacted, which could adversely affect our business, results of operations, financial condition, reputation, or stock price. Our ability to achieve any of these goals is subject to numerous risks, many of which are outside of our control and depend in part on third-party performance or data, and there can be no assurance that we will achieve them. Our failure to adequately update, accomplish or accurately track and report on these goals on a timely basis, or at all, could adversely affect our reputation and expose us to increased scrutiny from the investment community, special interest groups and enforcement authorities.

U.S. and international regulators, as well as our investors, customers, employees, and other stakeholders, are increasingly focused on ESG matters, including climate-related issues; diversity, equity, and inclusion; human capital matters; and responsible sourcing, human rights, and supply chain. Regulators in the U.S., Europe, and elsewhere are considering or have proposed or adopted various laws, directives or regulations regarding ESG matters, which include specific, target-driven disclosure requirements or obligations, including the EU Corporate Sustainability Reporting Directive and the proposed EU Corporate Sustainability Due Diligence Directive. Furthermore, our investors, customers and other stakeholders have additional (and sometimes different) ESG expectations for companies such as IDEXX. Meeting these emerging and evolving regulations, standards and expectations will require us to make investments, incur compliance costs and create new practices, processes, and 29 29 29 procedures. In addition, if we fail to comply with applicable ESG regulations, or our ESG practices do not meet evolving investor, customer or other stakeholder expectations and standards, then our reputation, our ability to attract or retain employees, our relationships with some customers, and our attractiveness as an investment, business partner, acquiror or product or service provider could be negatively impacted, which could adversely affect our business, results of operations, financial condition, reputation, or stock price. We have publicly established certain ESG goals and targets aligned with our business strategy. Our ability to achieve any ESG goal or target is subject to numerous risks, many of which are outside of our control and depend in part on third-party performance or data, and there can be no assurance that we will achieve them. Our failure to adequately update, accomplish or accurately track and report on these goals and targets on a timely basis, or at all, could adversely affect our reputation and expose us to increased scrutiny from the investment community, special interest groups and enforcement authorities.