---
ticker: IRM
company: IRM
filing_type: 10-K
year_current: 2025
year_prior: 2024
risks_added: 0
risks_removed: 0
risks_modified: 2
risks_unchanged: 13
source: SEC EDGAR
url: https://riskdiff.com/irm/2025-vs-2024/
markdown_url: https://riskdiff.com/irm/2025-vs-2024/index.md
generated: 2026-06-01
---

# IRM: 10-K Risk Factor Changes 2025 vs 2024

> Source: U.S. Securities and Exchange Commission (EDGAR)  
> Generated: 2026-06-01  
> All data extracted directly from official filings. No hallucinated content.

## Summary

| Status | Count |
|--------|-------|
| New risks added | 0 |
| Risks removed | 0 |
| Risks modified | 2 |
| Unchanged | 13 |

---

## Modified: IRON MOUNTAIN 2024 FORM 10-K

**Key changes:**

- Reworded sentence: "19 Table of ContentsPart I Table of Contents Part I Our business could be adversely impacted if there are deficiencies in our disclosure controls and procedures or internal control over financial reporting."

**Prior (2024):**

9 Table of ContentsPart I Table of Contents Part I Our customers may shift from paper and tape storage to alternative technologies that may shift our revenue mix away from storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Storage volume and/or demand for our traditional storage related services may decline as our customers adopt alternative storage technologies or as retention requirements evolve, which may require significantly less space than traditional physical records and tape storage. While volumes in our Global RIM Business segment were relatively steady in 2023 and we expect them to remain relatively consistent in the near term, we can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations relating to data privacy and cybersecurity, and our customers' demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with data privacy regulations, and that we assume higher liability under our contracts. We have an established privacy compliance framework and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers' data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Digital and ALM services means that our privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging artificial intelligence ("AI") regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues, and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to attacks by hackers, including state-sponsored organizations with significant financial and technological resources, breaches due to employee error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service, and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers' proprietary or confidential information or our employees' personal information and result in third party claims against us, regulatory penalties, and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations. Failure to successfully integrate acquired businesses could negatively impact our balance sheet and results of operations. Strategic acquisitions are an important element of our growth strategy and the success of any acquisition we make depends in part on our ability to integrate the acquired business and realize anticipated synergies. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve unforeseen difficulties and may require a disproportionate amount of our management's attention and our financial and other resources.

**Current (2025):**

9 Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2024 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations relating to data privacy and cybersecurity, and our customers' demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers' data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to attacks by hackers, including state-sponsored organizations with significant financial and technological resources, breaches due to employee error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers' proprietary or confidential information or our employees' personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations. Failure to successfully integrate acquired businesses could negatively impact our balance sheet and results of operations. Strategic acquisitions are an important element of our growth strategy and the success of any acquisition we make depends in part on our ability to integrate the acquired business and realize anticipated synergies. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve difficulties and may require a disproportionate amount of our management's attention and our financial and other resources.

---

## Modified: GENERAL RISK FACTORS

**Key changes:**

- Removed sentence: "Our business could be adversely impacted if there are deficiencies in our disclosure controls and procedures or internal control over financial reporting."
- Removed sentence: "The design and effectiveness of our disclosure controls and procedures and internal control over financial reporting may not prevent all errors, misstatements or misrepresentations."
- Removed sentence: "While management will continue to review the effectiveness of our disclosure controls and procedures and internal control over financial reporting, there can be no guarantee that our internal control over financial reporting will be effective in accomplishing all control objectives all of the time."
- Removed sentence: "Furthermore, our disclosure controls and procedures and internal control over financial reporting with respect to entities that we do not control or manage may be substantially more limited than those we maintain with respect to the subsidiaries that we have controlled or managed over the course of time."
- Removed sentence: "Deficiencies, including any material weakness, in our internal control over financial reporting which may occur in the future could result in misstatements of our results of operations, restatements of our financial statements, a decline in our stock price, or otherwise materially adversely affect our business, reputation, results of operations, financial condition or liquidity."

**Prior (2024):**

Our cash distributions are not guaranteed and may fluctuate. As a REIT, we are generally required to distribute at least 90% of our REIT taxable income to our stockholders. Furthermore, we are committed to growing our dividends, and have stated this publicly. Our board of directors, in its sole discretion, will determine, on a quarterly basis, the amount of cash to be distributed to our stockholders based on a number of factors including, but not limited to, our results of operations, cash flow and capital requirements, economic conditions, tax considerations, borrowing capacity and other factors, including debt covenant restrictions that may impose limitations on cash payments, future acquisitions and divestitures, any stock repurchase program and general market demand for our space and related services. Consequently, our distribution levels may fluctuate and we may not be able to meet our public commitments with respect to dividend growth. Our business could be adversely impacted if there are deficiencies in our disclosure controls and procedures or internal control over financial reporting. The design and effectiveness of our disclosure controls and procedures and internal control over financial reporting may not prevent all errors, misstatements or misrepresentations. While management will continue to review the effectiveness of our disclosure controls and procedures and internal control over financial reporting, there can be no guarantee that our internal control over financial reporting will be effective in accomplishing all control objectives all of the time. Furthermore, our disclosure controls and procedures and internal control over financial reporting with respect to entities that we do not control or manage may be substantially more limited than those we maintain with respect to the subsidiaries that we have controlled or managed over the course of time. Deficiencies, including any material weakness, in our internal control over financial reporting which may occur in the future could result in misstatements of our results of operations, restatements of our financial statements, a decline in our stock price, or otherwise materially adversely affect our business, reputation, results of operations, financial condition or liquidity.

**Current (2025):**

Our cash distributions are not guaranteed and may fluctuate. As a REIT, we are generally required to distribute at least 90% of our REIT taxable income to our stockholders. Furthermore, we are committed to growing our dividends, and have stated this publicly. Our board of directors, in its sole discretion, will determine, on a quarterly basis, the amount of cash to be distributed to our stockholders based on a number of factors including, but not limited to, our results of operations, cash flow and capital requirements, economic conditions, tax considerations, borrowing capacity and other factors, including debt covenant restrictions that may impose limitations on cash payments, future acquisitions and divestitures, any stock repurchase program and general market demand for our space and related services. Consequently, our distribution levels may fluctuate and we may not be able to meet our public commitments with respect to dividend growth.

---

*Data sourced from SEC EDGAR. Last updated 2026-06-01.*