Johnson Controls International plc: 10-K Risk Factor Changes

Much of the demand for installation of our products and solutions is driven by commercial, institutional, industrial, data center, governmental and residential construction, industrial facility expansion, retrofit activity, maintenance projects and other capital investments in buildings within the sectors that we serve. Construction and other capital investment projects are heavily dependent on general economic conditions, localized demand for real estate and availability of credit, public funding or other sources of financing. Some of the real estate markets we serve are prone to significant fluctuations in supply and demand. In addition, most real estate developers rely heavily on project financing in order to initiate and complete projects. Declines in real estate values and increases in prevailing interest rates could lead to significant reductions in the demand for and availability of project financing, even in markets where demand may otherwise be sufficient to support new construction. These factors could in turn temper demand for new building products and solutions and have a corresponding impact on our financial condition, results of operations and cash flows. Levels of industrial capital expenditures for facility expansions and maintenance are dependent on general economic conditions, economic conditions within specific industries we serve, expectations of future market behavior and available financing. The 17 17 17 businesses of many of our industrial customers are to varying degrees cyclical and have experienced periodic downturns. During such economic downturns, customers in these industries tend to delay major capital projects, including greenfield construction, maintenance projects and upgrades. Additionally, demand for our products and services may be affected by volatility in energy, component and commodity prices, commodity and component availability and fluctuating demand forecasts, as our customers may be more conservative in their capital planning, which may reduce demand for our products and services as projects are postponed or cancelled. Increases in prevailing interest rates or disruptions in financial markets and banking systems could make credit and capital markets difficult for our customers to access and could significantly raise the cost of new debt for our customers. Any difficulty in accessing these markets and the increased associated costs can have a negative effect on investment in large capital projects, including necessary maintenance and upgrades, even during periods of favorable end-market conditions. Many of our customers inside and outside of the industrial and commercial sectors, including governmental and institutional customers, have experienced budgetary constraints as sources of revenue have been negatively impacted by adverse or stagnant economic conditions, including continued increases in interest rates. These budgetary constraints have in the past, and may in the future, reduce demand for our products and services among governmental and institutional customers. Reduced demand for our products and services could result in the delay or cancellation of existing orders or lead to excess capacity, which unfavorably impacts our absorption of fixed costs. This reduced demand may also erode average selling prices in the industries we serve. Any of these results could materially and adversely affect our business, financial condition, results of operations and cash flows.

Much of the demand for installation of HVAC, security products, and fire detection and suppression solutions is driven by commercial and residential construction and industrial facility expansion and maintenance projects. Commercial and residential construction projects are heavily dependent on general economic conditions, localized demand for commercial and residential real estate and availability of credit. Commercial and residential real estate markets are prone to significant fluctuations in supply and demand. In addition, most commercial and residential real estate developers rely heavily on project financing in order to initiate and complete projects. Declines in real estate values and increases in prevailing interest rates could lead to significant reductions in the demand for and availability of project financing, even in markets where demand may otherwise be sufficient to support new construction. These factors could in turn temper demand for new HVAC, fire detection and suppression and security installations. Levels of industrial capital expenditures for facility expansions and maintenance are dependent on general economic conditions, economic conditions within specific industries we serve, expectations of future market behavior and available financing. The businesses of many of our industrial customers are to varying degrees cyclical and have experienced periodic downturns. During such economic downturns, customers in these industries tend to delay major capital projects, including greenfield construction, maintenance projects and upgrades. Additionally, demand for our products and services may be affected by volatility in energy, component and commodity prices, commodity and component availability and fluctuating demand forecasts, as our customers may be more conservative in their capital planning, which may reduce demand for our products and services as projects are postponed or cancelled. Although our industrial customers tend to be less dependent on project financing than real estate developers, increases in prevailing interest rates or disruptions in financial markets and banking systems could make credit and capital markets difficult for our customers to access and could significantly raise the cost of new debt for our customers. Any difficulty in accessing these markets and the increased associated costs can have a negative effect 11 11 11 on investment in large capital projects, including necessary maintenance and upgrades, even during periods of favorable end-market conditions. Many of our customers inside and outside of the industrial and commercial sectors, including governmental and institutional customers, have experienced budgetary constraints as sources of revenue have been negatively impacted by adverse or stagnant economic conditions. These budgetary constraints have in the past, and may in the future, reduce demand for our products and services among governmental and institutional customers. Reduced demand for our products and services could result in the delay or cancellation of existing orders or lead to excess capacity, which unfavorably impacts our absorption of fixed costs. This reduced demand may also erode average selling prices in the industries we serve. Any of these results could materially and adversely affect our business, financial condition, results of operations and cash flows.

We compete around the world in various geographic regions and product markets. Global economic and political conditions affect each of our primary businesses and the businesses of our customers and suppliers. Recessions, economic downturns, price instability, inflation, slowing economic growth and social and political instability in the industries and/or markets where we compete could negatively affect our revenues and financial performance in future periods, result in future restructuring charges, and adversely impact our ability to grow or sustain our business. For example, current macroeconomic and political instability caused by rising interest rates, global supply chain disruptions, inflation, ongoing conflicts between Russia and Ukraine as well as Israel and Hamas, geopolitical tensions and the strengthening of the U.S. dollar, have and could continue to adversely impact our results of operations. Other potential consequences arising from the conflicts, the further escalation of geopolitical tensions globally and their effect on our business and results of operations as well as the global economy, cannot be predicted. This may include further economic sanctions, embargoes, regional instability, geopolitical shifts, regional or international expansion of current conflicts, energy instability, potential retaliatory action by governments, supply chain disruptions, disruption to local markets, increased cybersecurity attacks against us, our third-party service providers and customers, collateral consequences from cyber conflicts between nation-states or other politically motivated actors targeting critical technology infrastructure. and increased tensions among countries in which we operate. Our failure to adequately react to these and other political and economic conditions could materially and adversely affect our results of operations, financial condition or liquidity. The capital and credit markets provide us with liquidity to operate and grow our business beyond the liquidity that operating cash flows provide. A worldwide economic downturn and/or disruption of the credit markets could reduce our access to capital necessary for our operations and executing our strategic plan. In addition, we have experienced, and expect to continue to experience, increased capital costs due to increases in global interest rates. If our access to capital were to become significantly constrained, or if costs of capital increased significantly due to increased interest rates, lowered credit ratings, prevailing industry conditions, the volatility of the capital markets or other factors; then our financial condition, results of operations and cash flows could be adversely affected.

We compete around the world in various geographic regions and product markets. Global economic and political conditions affect each of our primary businesses and the businesses of our customers and suppliers. Recessions, economic downturns, price instability, inflation, slowing economic growth and social and political instability in the industries and/or markets where we compete could negatively affect our revenues and financial performance in future periods, result in future restructuring charges, and adversely impact our ability to grow or sustain our business. For example, current macroeconomic and political instability caused by the conflict between Russia and Ukraine, global supply chain disruptions, inflation and the strengthening of the U.S. dollar, have and could continue to adversely impact our results of operations. Other potential consequences arising from the Russia/Ukraine conflict and its effect on our business and results of operations as well as the global economy, cannot be predicted. This may include further sanctions, embargoes, regional instability, geopolitical shifts, energy instability, potential retaliatory action by the Russian government, increased cybersecurity attacks, increased tensions among countries in which we operate. The capital and credit markets provide us with liquidity to operate and grow our business beyond the liquidity that operating cash flows provide. A worldwide economic downturn and/or disruption of the credit markets could reduce our access to capital necessary for our operations and executing our strategic plan. If our access to capital were to become significantly constrained, or if costs of capital increased significantly due to lowered credit ratings, prevailing industry conditions, the volatility of the capital markets or other factors; then our financial condition, results of operations and cash flows could be adversely affected. If we are unable to adequately react to negative economic impacts that decrease demand for our products and services and/or negative movements in capital markets our results of operations, financial condition or liquidity could be adversely affected.

Our operations and employees are subject to various U.S. federal, state and local licensing laws, codes and standards and similar foreign laws, codes, standards and regulations. Changes in laws or regulations could require us to change the way we operate or to utilize resources to maintain compliance, which could increase costs or otherwise disrupt operations. In addition, failure to comply with any applicable laws or regulations could result in substantial fines or revocation of our operating permits and licenses. Competition or other regulatory investigations can continue for several years, be costly to defend and can result in substantial fines. If laws and regulations were to change or if we or our products failed to comply, our business, financial condition and results of operations could be adversely affected. Due to the international scope of our operations, the system of laws and regulations to which we are subject is complex and includes regulations issued by the U.S. Customs and Border Protection, the U.S. Department of Commerce's Bureau of Industry and Security, the U.S. Treasury Department's Office of Foreign Assets Control and various non U.S. governmental agencies, including applicable export controls, anti-trust, customs, currency exchange control and transfer pricing regulations, laws regulating the foreign ownership of assets, and laws governing certain materials that may be in our products. No assurances can be made that we will continue to be found to be operating in compliance with, or be able to detect violations of, any such laws or regulations. We are also subject to a complex network of tax laws and tax treaties that impact our effective tax rate. For more information on risks related to tax regulation, see “Risks Related to Tax Matters” below. We cannot predict the nature, scope or effect of future regulatory requirements to which our operations might be subject or the manner in which existing laws might be administered or interpreted.

Our operations and employees are subject to various U.S. federal, state and local licensing laws, codes and standards and similar foreign laws, codes, standards and regulations. Changes in laws or regulations could require us to change the way we operate or to utilize resources to maintain compliance, which could increase costs or otherwise disrupt operations. In addition, failure to comply with any applicable laws or regulations could result in substantial fines or revocation of our operating permits and licenses. Competition or other regulatory investigations can continue for several years, be costly to defend and can result in substantial fines. If laws and regulations were to change or if we or our products failed to comply, our business, financial condition and results of operations could be adversely affected. Due to the international scope of our operations, the system of laws and regulations to which we are subject is complex and includes regulations issued by the U.S. Customs and Border Protection, the U.S. Department of Commerce's Bureau of Industry and Security, the U.S. Treasury Department's Office of Foreign Assets Control and various non U.S. governmental agencies, including applicable export controls, anti-trust, customs, currency exchange control and transfer pricing regulations, laws regulating the foreign ownership of assets, and laws governing certain materials that may be in our products. No assurances can be made that we will continue to be found to be operating in compliance with, or be able to detect violations of, any such laws or regulations. Existing free trade laws and regulations, provide certain beneficial duties and tariffs for qualifying imports and exports, subject to compliance with the applicable classification and other requirements. Changes in laws or policies governing the terms of foreign trade, and in particular increased trade restrictions, tariffs or taxes on imports from countries where we manufacture products or from where we import products or raw materials (either directly or through our suppliers) could have an impact on our competitive position, business and financial results. For example, the U.S., China and other countries continue to implement restrictive trade actions, including tariffs, export controls, sanctions, legislation favoring domestic investment and other actions impacting the import and export of goods, foreign investment and foreign operations in jurisdictions in which we operate. Additional measures imposed by such countries on a broader range of imports or economic activity, or retaliatory trade measures taken by other countries in response, could increase the cost of our products, create disruptions to our supply chain and impair our ability to effectively operate and compete in such countries. We are also subject to a complex network of tax laws and tax treaties that impact our effective tax rate. For more information on risks related to tax regulation, see “Risks Related to Tax Matters” below. We cannot predict the nature, scope or effect of future regulatory requirements to which our operations might be subject or the manner in which existing laws might be administered or interpreted.

We are subject to numerous federal, state and local environmental laws and regulations governing, among other things, solid and hazardous waste storage, treatment and disposal, and remediation of releases of hazardous materials. There are significant capital, operating and other costs associated with compliance with these environmental laws and regulations. Environmental laws and regulations may become more stringent in the future, which could increase costs of compliance, decrease demand for our products, create reputational harm or require us to manufacture with alternative technologies and materials. For example, our subsidiary Tyco Fire Protection Products announced it will discontinue the production and sale of fluorinated firefighting foams by June 2024, including Aqueous Film-Forming Foam ("AFFF") and related products, and will transition to non-fluorinated foam alternatives. Federal, state and local authorities also regulate a variety of matters, including, but not limited to, health, safety laws governing employee injuries, and permitting requirements in addition to the environmental matters discussed above. If we are unable to adequately comply with applicable health and safety regulations and provide our employees with a safe working environment, we may be subject to litigation and regulatory action, in addition to negatively impacting our ability to attract and retain talented employees. New legislation and regulations may require us to make material changes to our operations, resulting in significant increases to the cost of production. Additionally, violations of environmental, health and safety laws are subject to civil, and, in some cases, criminal sanctions. As a result of these various uncertainties, we may incur unexpected interruptions to operations, fines, penalties or other reductions in income which could adversely impact our business, financial condition and results of operations.

We are subject to numerous federal, state and local environmental laws and regulations governing, among other things, solid and hazardous waste storage, treatment and disposal, and remediation of releases of hazardous materials. There are significant capital, operating and other costs associated with compliance with these environmental laws and regulations. Environmental laws and regulations may become more stringent in the future, which could increase costs of compliance or require us to manufacture with alternative technologies and materials. For example, proposed federal, state and European Union legislative action concerning the use and clean-up of fire-fighting foam products, including the United States Environmental Protection Agency’s proposal to designate perfluorooctane sulfonate ("PFOS") and perfluorooctanoic acid ("PFOA") as hazardous substances under the Comprehensive Environmental Response, Compensation, and Liability Act, could negatively impact our fire-fighting business and our results of operations, thereby enhancing the risks to our business described under “Potential liability for environmental contamination could result in substantial costs” below. Federal, state and local authorities also regulate a variety of matters, including, but not limited to, health, safety laws governing employee injuries, and permitting requirements in addition to the environmental matters discussed above. If we are unable to adequately comply with applicable health and safety regulations and provide our employees with a safe working environment, we may be subject to litigation and regulatory action, in addition to negatively impacting our ability to attract and retain talented employees. New legislation and regulations may require us to make material changes to our operations, resulting in significant increases to the cost of production. Additionally, violations of environmental, health and safety laws are subject to civil, and, in some cases, criminal sanctions. As a result of these various uncertainties, we may incur unexpected interruptions to operations, fines, penalties or other reductions in income which could adversely impact our business, financial condition and results of operations. 18 18 18

The effects of climate change create financial risks to our business. For example, the effects of climate change could disrupt our operations by impacting the availability and cost of materials needed for manufacturing, exacerbate existing risks to our supply chain and increase insurance and other operating costs. These factors may impact our decisions to construct new facilities or maintain existing facilities in areas most prone to physical climate risks. We could also face indirect financial risks passed through the supply chain and disruptions that could result in increased prices for our products and the resources needed to produce them. Increased public awareness and concern regarding global climate change has resulted in more regulations designed to reduce greenhouse gas emissions. These regulations tend to be implemented under global, national and sub-national climate objectives or policies, and target the global warming potential (“GWP”) of refrigerants, equipment energy efficiency, and the combustion of fossil fuels as a heating source. Many of our products consume energy and use refrigerants. Regulations which seek to reduce greenhouse gas emissions present a risk to our global products business, predominantly our HVAC business, if we do not adequately prepare our product portfolio. As a result, we have and may be in the future required to make increased research and development and other capital expenditures to improve our product portfolio in order to meet new regulations and standards. Further, our customers and the markets we serve may impose emissions or other environmental standards through regulation, market-based emissions policies or consumer preference that we may not be able to timely meet due to the required level of capital investment or technological advancement. While we have been committed to continuous improvements to our product portfolio to meet and exceed anticipated regulations and preferences, there can be no assurance that our commitments will be successful, that our products will be accepted by the market, that proposed regulation or deregulation will not have a negative competitive impact or that economic returns will reflect our investments in new product development. We are subject to emerging and competing climate regulations. There continues to be a lack of consistent climate legislation, which creates economic and regulatory uncertainty. Such regulatory uncertainty extends to incentives, which if discontinued, could adversely impact the demand for energy efficient buildings, and could increase costs of compliance. These factors may impact the demand for our products, obsolescence of our products and our results of operations.

The effects of climate change create financial risks to our business. For example, the effects of climate change could disrupt our operations by impacting the availability and cost of materials needed for manufacturing, exacerbate existing risks to our supply chain and increase insurance and other operating costs. These factors may impact our decisions to construct new facilities or maintain existing facilities in areas most prone to physical climate risks. We could also face indirect financial risks passed through the supply chain and disruptions that could result in increased prices for our products and the resources needed to produce them. 17 17 17 Increased public awareness and concern regarding global climate change has resulted in more regulations designed to reduce greenhouse gas emissions. These regulations tend to be implemented under global, national and sub-national climate objectives or policies, and target the global warming potential (“GWP”) of refrigerants, equipment energy efficiency, and the combustion of fossil fuels as a heating source. Many of our products consume energy and use refrigerants. Regulations which seek to reduce greenhouse gas emissions present a risk to our global products business, predominantly our HVAC business, if we do not adequately prepare our product portfolio. As a result, we may be required to make increased research and development and other capital expenditures to improve our product portfolio in order to meet new regulations and standards. Further, our customers and the markets we serve may impose emissions or other environmental standards through regulation, market-based emissions policies or consumer preference that we may not be able to timely meet due to the required level of capital investment or technological advancement. While we have been committed to continuous improvements to our product portfolio to meet and exceed anticipated regulations and preferences, there can be no assurance that our commitments will be successful, that our products will be accepted by the market, that proposed regulation or deregulation will not have a negative competitive impact or that economic returns will reflect our investments in new product development. We are subject to emerging and competing climate regulations. There continues to be a lack of consistent climate legislation, which creates economic and regulatory uncertainty. Such regulatory uncertainty extends to incentives, which if discontinued, could adversely impact the demand for energy efficient buildings, and could increase costs of compliance. These factors may impact the demand for our products, obsolescence of our products and our results of operations. As of the date of this filing, we have made several public commitments regarding our intended reduction of carbon emissions, including commitments to achieve net zero carbon emissions by 2040 and the establishment of science-based targets to reduce carbon emissions from our operations and the operations of our customers. Although we intend to meet these commitments, we may be required to expend significant resources to do so, which could increase our operational costs. Further, there can be no assurance of the extent to which any of our commitments will be achieved, or that any future investments we make in furtherance of achieving such targets and goals will meet investor expectations or any binding or non-binding legal standards regarding sustainability performance. Moreover, we may determine that it is in the best interest of our company and our shareholders to prioritize other business, social, governance or sustainable investments over the achievement of our current commitments based on economic, regulatory and social factors, business strategy or pressure from investors, activist groups or other stakeholders. If we are unable to meet these commitments, then we could incur adverse publicity and reaction from investors, activist groups and other stakeholders, which could adversely impact the perception of our brand and our products and services by current and potential customers, as well as investors, which could in turn adversely impact our results of operations.

We rely upon the capacity, reliability and security of our IT and data security infrastructure and our ability to expand and continually update this infrastructure in response to the changing needs of our business. As we implement new systems or integrate existing systems, they may not perform as expected. We also face the challenge of supporting our older systems, which are vulnerable to increased risks, including the risk of further security breaches, system failures and disruptions, and implementing necessary upgrades. In addition, certain of our employees work remotely at times, which increases our vulnerability to cybersecurity and other IT risks. If we experience a problem with the functioning of an important IT system as a result of increased burdens placed on our IT infrastructure or a security breach of our IT systems, the resulting disruptions could have a material adverse effect on our business. Global cybersecurity threats and incidents can range from uncoordinated individual attempts to gain unauthorized access to IT systems to sophisticated and targeted measures known as advanced persistent threats directed at the Company, its products, its customers and/or its third-party service providers, including cloud providers. These threats and incidents originate from many sources globally and include malware that takes the form of computer viruses, ransomware, worms, Trojan horses, spyware, adware, scareware, rogue software, and programs that act against the computer user. Techniques used to obtain unauthorized access to, or to sabotage, IT systems or networks are constantly evolving and may not be recognized until launched against a 12 12 12 target. We and third parties we utilize as vendors to support our business and operations have experienced, and expect to continue to experience, these types of threats and incidents. We and our third-party service providers have experienced and expect to continue to experience threats from sophisticated nation-state actors and organized criminal groups who engage in attacks (including advanced persistent threat intrusions) that add to the risks to our IT systems (including our cloud services providers’ systems), internal networks, our customers’ systems and the information that they store and process. Our customers, including the U.S. government, are increasingly requiring cybersecurity protections and mandating cybersecurity standards in our products, and we may incur additional costs to comply with such demands. We deploy countermeasures to deter, prevent, detect, respond to and mitigate these threats, including identity and access controls, data protection, vulnerability assessments, product software designs which we believe are less susceptible to cyber-attacks, monitoring of our IT networks and systems, maintenance of backup and protective systems and the incorporation of cybersecurity design throughout the lifecycle of our products. Despite these efforts, the Company has experienced, and will likely continue to experience, attacks and resulting breaches or breakdowns of the Company’s, or its third-party service providers’, databases or systems. Cybersecurity incidents, depending on their nature and scope, have resulted, and may in the future result, in the misappropriation, destruction, corruption or unavailability of critical data and confidential or proprietary information (our own or that of third parties) and the disruption of business operations. Such incidents have remained, and could in the future remain, undetected for an extended period of time, and the losses arising from such incidents could exceed our available insurance coverage for such matters. In addition, security breaches impacting our IT systems have in certain cases resulted in, and in the future could result in, a risk of loss or unauthorized disclosure or theft of information, which could lead to enforcement actions, litigation, regulatory or governmental audits, investigations and possible liability. An increasing number of our products, services and technologies, including our OpenBlue software platform, are delivered with digital capabilities and accompanying interconnected device networks, which include sensors, data, building management systems and advanced computing and analytics capabilities. If we are unable to manage the lifecycle cybersecurity risk in development, deployment and operation of our digital platforms and services, they could become susceptible to cybersecurity incidents and lead to third-party claims that our product failures have caused damages to our customers. This risk is enhanced by the increasingly connected nature of our products and the role they play in managing building systems. During the fourth quarter of fiscal 2023, we experienced a cybersecurity incident that disrupted portions of our internal information technology infrastructure and applications consisting of unauthorized access by a third party, exfiltration of data and the deployment of ransomware, which in turn caused disruptions and limitation of access to portions of our business applications that support aspects of our operations and corporate functions. As a result of this incident, we experienced disruptions to our normal operations which had an adverse impact on our financial performance, as discussed in Item 7, Management’s Discussion and Analysis of Financial Condition and Results of Operations. We have and may continue to incur significant costs in connection with the cybersecurity incident and any future cybersecurity incidents, including infrastructure investments or remediation efforts. Further, we could experience other additional consequences in the future as a result of the incident, including, reputational damage, exposure to legal claims or enforcement actions and fines levied by governmental organizations, which in turn could materially and adversely affect our results of operations. In addition, limitations on our ability to analyze and investigate the incident due to limitations on the availability of historical logs and other forensic data may impact our ability to identify all of the impacts and root causes of the cybersecurity incident. There can be no assurance that additional unauthorized access or cyber incidents will not occur or that we will not suffer material losses in the future. Unauthorized access or cyber incidents could occur more frequently and on a more significant scale to those we have suffered to date. We could also experience similar consequences as a result of future cybersecurity incidents. Other potential consequences of future cybersecurity incidents could include the theft of intellectual property and the diminution in the value of our investment in research, development and engineering, which in turn could materially and adversely affect our competitiveness and results of operations.

We rely upon the capacity, reliability and security of our IT and data security infrastructure and our ability to expand and continually update this infrastructure in response to the changing needs of our business. As we implement new systems or integrate existing systems, they may not perform as expected. We also face the challenge of supporting our older systems and implementing necessary upgrades. In addition, we are relying on our IT infrastructure to support our employees’ ability to work remotely. If we experience a problem with the functioning of an important IT system as a result of increased burdens placed on our IT infrastructure or a security breach of our IT systems, the resulting disruptions could have an adverse effect on our business. Global cybersecurity threats and incidents can range from uncoordinated individual attempts to gain unauthorized access to IT systems to sophisticated and targeted measures known as advanced persistent threats directed at the Company, its products, its customers and/or its third-party service providers, including cloud providers. These threats and incidents originate from many sources globally and include malwares that take the form of computer viruses, ransomware, worms, Trojan horses, spyware, adware, scareware, rogue software, and programs that act against the computer user. While we have experienced, and expect to continue to experience, these types of threats and incidents, none of them to date has been material to the Company. Our customers, including the U.S. government, are increasingly requiring cybersecurity protections and mandating cybersecurity standards in our products, and we may incur additional costs to comply with such demands. We seek to deploy comprehensive measures to deter, prevent, detect, respond to and mitigate these threats, including identity and access controls, data protection, vulnerability assessments, product software designs which we believe are less susceptible to cyber-attacks, continuous monitoring of our IT networks and systems, maintenance of backup and protective systems and the incorporation of cybersecurity design throughout the lifecycle of our products. Despite these efforts, cybersecurity incidents, depending on their nature and scope, could potentially result in the misappropriation, destruction, corruption or unavailability of critical data and confidential or proprietary information (our own or that of third parties) and the disruption of business operations. Such incidents could remain undetected for an extended period of time, and the losses arising from such incidents could exceed our available insurance coverage for such matters. An increasing number of our products, services and technologies, including our OpenBlue software platform, are delivered with digital capabilities and accompanying interconnected device networks, which include sensors, data, building management systems and advanced computing and analytics capabilities. If we are unable to manage the lifecycle cybersecurity risk in development, deployment and operation of our digital platforms and services, they could become susceptible to cybersecurity 14 14 14 incidents and lead to third-party claims that our product failures have caused damages to our customers. This risk is enhanced by the increasingly connected nature of our products and the role they play in managing building systems. The potential consequences of a material cybersecurity incident include financial loss, reputational damage, adverse health, safety, and environmental consequences, exposure to legal claims or enforcement actions, theft of intellectual property, fines levied by the Federal Trade Commission or other governmental organizations, diminution in the value of our investment in research, development and engineering, and increased cybersecurity protection and remediation costs, which in turn could materially and adversely affect our competitiveness and results of operations.

We collect, store, have access to and otherwise process certain confidential or sensitive data, including proprietary business information, customer data, personal data or other information that is subject to privacy and security laws, regulations and/or customer-imposed controls. Despite our efforts to protect such data, our business and our products may be vulnerable to security incidents, theft, misplaced or lost data, programming errors, or errors that could potentially lead to compromising such data, improper use of our products, systems, software solutions or networks, unauthorized access, use, disclosure, modification or destruction of information, defective products, production downtimes and operational disruptions. During the fourth quarter of fiscal 2023, we experienced a cybersecurity event consisting of unauthorized access, data exfiltration and deployment of ransomware by a third party to a portion of our internal IT infrastructure. We are currently in the process of analyzing the data accessed, exfiltrated or otherwise impacted during the cybersecurity incident. The actual or perceived risk of theft, loss, fraudulent use or misuse of customer, employee or other data as a result of the cybersecurity incident, as well as non-compliance with applicable industry standards or our contractual or other legal obligations or privacy and information security policies regarding such data, could result in costs, fines, litigation or regulatory actions. We could face similar consequences in the future if we, our suppliers, channel partners, customers or other third parties experience the actual or perceived risk of theft, loss, fraudulent use or misuse of data, including as a result of employee error or malfeasance, or as a result of the imaging, software, security and other products we incorporate into our products. Such an event could lead customers to select the products and services of our competitors. Both the cybersecurity incident and similar future incidents could harm our reputation, cause unfavorable publicity or otherwise adversely affect certain potential customers’ perception of the security and reliability of our services as well as our credibility and reputation, which could result in lost sales. In addition, we operate in an environment in which there are different and potentially conflicting data privacy laws in effect in the various U.S. states and foreign jurisdictions in which we operate and we must understand and comply with each law and standard in each of these jurisdictions while ensuring the data is secure. For example, proposed regulations restricting the use of biometric security technology could impact the products and solutions offered by our security business. Government enforcement actions can be costly and interrupt the regular operation of our business, and violations of data privacy laws can result in fines, reputational damage and civil lawsuits, any of which may adversely affect our business, reputation and financial statements. Some of our contracts do not contain limitations of liability, and even where they do, there can be no assurance that limitations of liability in our contracts are sufficient to protect us from liabilities, damages, or claims related to our data privacy and security obligations. While we maintain general liability insurance coverage and coverage for errors or omissions, such coverage might not be adequate or otherwise protect us from liabilities or damages with respect to claims alleging compromises of customer data, that such coverage will continue to be available to us on acceptable terms or at all, or that such coverage will pay future claims. The successful assertion of one or more large claims against us that exceeds our available insurance coverage, or results in changes to our insurance policies (including premium increases or the imposition of large deductible or co-insurance requirements), could have an adverse effect on our business.

We collect, store, have access to and otherwise process certain confidential or sensitive data, including proprietary business information, personal data or other information that is subject to privacy and security laws, regulations and/or customer-imposed controls. Despite our efforts to protect such data, our business and our products may be vulnerable to material security breaches, theft, misplaced or lost data, programming errors, or errors that could potentially lead to compromising such data, improper use of our products, systems, software solutions or networks, unauthorized access, use, disclosure, modification or destruction of information, defective products, production downtimes and operational disruptions. A significant actual or perceived risk of theft, loss, fraudulent use or misuse of customer, employee or other data, whether by us, our suppliers, channel partners, customers or other third parties, as a result of employee error or malfeasance, or as a result of the imaging, software, security and other products we incorporate into our products, as well as non-compliance with applicable industry standards or our contractual or other legal obligations or privacy and information security policies regarding such data, could result in costs, fines, litigation or regulatory actions, or could lead customers to select the products and services of our competitors. Any such event could harm our reputation, cause unfavorable publicity or otherwise adversely affect certain potential customers’ perception of the security and reliability of our services as well as our credibility and reputation, which could result in lost sales. In addition, we operate in an environment in which there are different and potentially conflicting data privacy laws in effect in the various U.S. states and foreign jurisdictions in which we operate and we must understand and comply with each law and standard in each of these jurisdictions while ensuring the data is secure. For example, proposed regulations restricting the use of biometric security technology could impact the products and solutions offered by our security business. Government enforcement actions can be costly and interrupt the regular operation of our business, and violations of data privacy laws can result in fines, reputational damage and civil lawsuits, any of which may adversely affect our business, reputation and financial statements.

Because Johnson Controls International plc is organized under the laws of Ireland, it would generally be classified as a foreign corporation under the general rule that a corporation is considered tax resident in the jurisdiction of its organization or incorporation for U.S. federal income tax purposes. However, Section 7874 of the Code ("Section 7874") provides an exception to this general rule under which a non-U.S. incorporated entity may, in certain circumstances, be treated as a U.S. corporation for U.S. federal tax purposes. The IRS may assert that, as a result of the Merger, Johnson Controls International plc should be treated as a U.S. corporation (and, therefore, a U.S. tax resident) for U.S. federal income tax purposes pursuant to Section 7874 of the Internal Revenue Code. The IRS may also assert that the ability of our U.S. affiliates to utilize U.S. tax attributes, such as net operating losses and certain tax credits, to offset U.S. taxable income resulting from certain transactions may be limited under Section 7874. The application of these rules could result in significant additional U.S. tax liability. In addition, a retroactive change to U.S. tax laws in this area could change the tax classification of Johnson Controls International plc. If it were to be treated as a U.S. corporation for federal tax purposes, we could be subject to substantially greater U.S. tax liability than currently contemplated as a non-U.S. corporation. 23 23 23 Based on the terms of the Merger, we currently expect that Section 7874 does not apply to us or our affiliates as a result of the Merger. However, determining the applicability of Section 7874 is complex and is subject to factual and legal uncertainties. Thus, there can be no assurance that the IRS will agree with the position that Johnson Controls International plc should not be treated as a U.S. corporation for U.S. federal tax purposes or that Section 7874 does not otherwise apply.

Under current U.S. federal tax law, a corporation is generally considered to be a tax resident in the jurisdiction of its organization or incorporation. Because Johnson Controls International plc is an Irish incorporated entity, it would generally be classified as a non-U.S. corporation (and, therefore, a non-U.S. tax resident) under these rules. However, Section 7874 of the Code ("Section 7874") provides an exception to this general rule under which a non-U.S. incorporated entity may, in certain circumstances, be treated as a U.S. corporation for U.S. federal tax purposes. Under Section 7874, if (1) former Johnson Controls, Inc. shareholders owned (within the meaning of Section 7874) 80% or more (by vote or value) of our ordinary shares after the Merger by reason of holding Johnson Controls, Inc. common stock (such ownership percentage the "Section 7874 ownership percentage"), and (2) our "expanded affiliated group" did not have "substantial business activities" in Ireland ("the substantial business activities test"), we will be treated as a U.S. corporation for U.S. federal tax purposes. If the Section 7874 ownership percentage of the former Johnson Controls, Inc. shareholders after the Merger was less than 80% but at least 60%, and the substantial business activities test was not met, we and our U.S. affiliates (including the U.S. affiliates historically owned by Tyco) may, in some circumstances, be subject to certain adverse U.S. federal 21 21 21 income tax rules (which, among other things, could limit their ability to utilize certain U.S. tax attributes to offset U.S. taxable income or gain resulting from certain transactions). The application of these rules could result in significant additional U.S. tax liability and limit our ability to restructure or access cash earned by certain of our non-U.S. subsidiaries, in each case, without incurring substantial U.S. tax liabilities. Based on the terms of the Merger, the rules for determining share ownership under Section 7874 and certain factual assumptions, we believe that former Johnson Controls, Inc. shareholders owned (within the meaning of Section 7874) less than 60% (by both vote and value) of our ordinary shares after the Merger by reason of holding shares of Johnson Controls, Inc. common stock. Therefore, under current law, we believe that we should not be treated as a U.S. corporation for U.S. federal tax purposes and that Section 7874 should otherwise not apply to us or our affiliates as a result of the Merger. However, the determination of the Section 7874 ownership percentage is complex and is subject to factual and legal uncertainties. Thus, there can be no assurance that the IRS will agree with the position that we should not be treated as a U.S. corporation for U.S. federal tax purposes or that Section 7874 does not otherwise apply as a result of the Merger. Regardless of any application of Section 7874, we are treated as an Irish tax resident for Irish tax purposes. Consequently, if we were to be treated as a U.S. corporation for U.S. federal tax purposes under Section 7874, we could be liable for both U.S. and Irish taxes, which could have a material adverse effect on our financial condition and results of operations.

If our operations, particularly at our monitoring facilities and/or manufacturing facilities, were to be disrupted as a result of significant equipment failures, natural disasters, pandemics, climate change, cybersecurity incidents, power outages, fires, explosions, abrupt political change, armed conflict, terrorism, sabotage, adverse weather conditions, public health crises, labor disputes, labor shortages or other reasons, we may be unable to effectively respond to alarm signals, fill customer orders, convert our backlog, collect revenue and otherwise meet obligations to or demand from our customers, which could adversely affect our financial performance. These events may also cause us to experience increased costs and reduced productivity. For example, our recent cybersecurity incident caused disruptions to our operations, adversely affecting our financial performance. For more information on the impact of the cybersecurity incident, see Item 7, Management’s Discussion and Analysis of Financial Condition and Results of Operations. The occurrence or reoccurrence of regional epidemics or a global pandemic, such as COVID-19, may adversely affect our operations, financial condition, and results of operations. The extent to which global pandemics impact our business going forward will depend on factors such as the duration and scope of the pandemic; governmental, business, and individuals' actions in response to the pandemic; and the impact on economic activity, including the possibility of recession or financial market instability. Measures to contain a global pandemic may intensify other risks described in these Risk Factors. Interruptions to production could increase our costs and reduce our sales. Any interruption in production capability could require us to make substantial capital expenditures or purchase alternative material at higher costs to fill customer orders, which could negatively affect our profitability and financial condition. We maintain property damage insurance that we believe to be adequate to provide for reconstruction of facilities and equipment, cybersecurity insurance to mitigate losses resulting from cybersecurity incidents, as well as business interruption insurance to mitigate losses resulting from significant production interruption or shutdown caused by an insured loss. However, any recovery under our insurance policies may not offset the lost sales or increased costs that may be experienced during the disruption of operations, which could adversely affect our business, financial condition, results of operations and cash flows.

If our operations, particularly at our monitoring facilities and/or manufacturing facilities, were to be disrupted as a result of significant equipment failures, natural disasters, climate change, cybersecurity breaches, power outages, fires, explosions, terrorism, sabotage, adverse weather conditions, public health crises (including COVID-19 related shutdowns), labor disputes, labor shortages or other reasons, we may be unable to effectively respond to alarm signals, fill customer orders, convert our backlog and otherwise meet obligations to or demand from our customers, which could adversely affect our financial performance. For example, during the COVID-19 pandemic, we experienced disruptions in certain of our manufacturing facilities resulting from government-mandated shutdowns and labor shortages. The continuation or recurrence of either of these trends could adversely affect our financial performance. Interruptions to production could increase our costs and reduce our sales. Any interruption in production capability could require us to make substantial capital expenditures or purchase alternative material at higher costs to fill customer orders, which could negatively affect our profitability and financial condition. We maintain property damage insurance that we believe to be adequate to provide for reconstruction of facilities and equipment, as well as business interruption insurance to mitigate losses resulting from significant production interruption or shutdown caused by an insured loss. However, any recovery under our insurance policies may not offset the lost sales or increased costs that may be experienced during the disruption of operations, which could adversely affect our business, financial condition, results of operations and cash flows. 16 16 16

Legislative and regulatory action may be taken in the U.S. and other jurisdictions in which we operate, which, if ultimately enacted, could override tax treaties upon which we rely, or broaden the circumstances under which we would be considered a U.S. resident, each of which could materially and adversely affect our effective tax rate. We cannot predict the outcome of any specific legislative or regulatory proposals and such changes could have a prospective or retroactive application. However, if proposals were enacted that had the effect of disregarding our incorporation in Ireland or limiting Johnson Controls International plc’s ability, as an Irish company, to take advantage of tax treaties with the U.S., we could be subject to increased taxation, potentially significant expense, and/or other adverse tax consequences. The U.S. enacted the Inflation Reduction Act of 2022 (“IRA”) in August 2022, which, among other sections, creates a new book minimum tax of at least 15% of consolidated GAAP pre-tax income for corporations with average book income in excess of $1 billion. The book minimum tax will first apply to us in fiscal 2024. We do not expect the IRA to have a material impact on our effective tax rate, however, it is possible that the U.S. Congress could advance other tax legislation proposals in the future that could have a material impact on our tax rate. In addition, in October 2021, the Organization for Economic Co-operation and Development ("OECD")/G20 inclusive framework on Base Erosion and Profit Shifting (the Inclusive Framework) published a statement updating and finalizing the key components of a two-pillar plan on global tax reform which has now been agreed upon by the majority of OECD members. Pillar One allows countries to reallocate a portion of residual profits earned by multinational enterprises ("MNE"), with an annual global revenue exceeding €20 billion and a profit margin over 10%, to other market jurisdictions. The adoption of Pillar One and its potential effective date remain uncertain. Pillar Two requires MNEs with an annual global revenue exceeding €750 million to pay a global minimum tax of 15%. On December 15, 2022, the Council of the EU formally adopted Directive (EU) 2022/2523 (the “Pillar Two Directive”) to achieve a coordinated implementation of Pillar Two in EU Member States consistent with EU law. On October 19, 2023, the Irish Minster of Finance published Irish Finance (No.2) Bill 2023, which includes implementation of the 15% Pillar Two global minimum tax. The bill, subject to amendment during the legislative process, is expected to be signed into law by late December. The Pillar Two legislation is anticipated to be effective for our fiscal year beginning October 1, 2024. We are continuing to evaluate the potential impact on future periods of the Pillar Two Framework, pending legislative adoption by individual countries, as such changes could result in an increase in our effective tax rate.

Legislative and regulatory action may be taken in the U.S. and other jurisdictions in which we operate, which, if ultimately enacted, could override tax treaties upon which we rely, or broaden the circumstances under which we would be considered a U.S. resident, each of which could materially and adversely affect our effective tax rate. We cannot predict the outcome of any specific legislative or regulatory proposals and such changes could have a prospective or retroactive application. However, if proposals were enacted that had the effect of disregarding our incorporation in Ireland or limiting Johnson Controls International plc’s ability, as an Irish company, to take advantage of tax treaties with the U.S., we could be subject to increased taxation, potentially significant expense, and/or other adverse tax consequences. The U.S. enacted the Inflation Reduction Act of 2022 (“IRA”) in August 2022, which, among other sections, creates a new book minimum tax of at least 15% of consolidated GAAP pre-tax income for corporations with average book income in excess of $1 billion. The book minimum tax will first apply to us in fiscal 2024. We do not expect the IRA to have a material impact on our effective tax rate, however, it is possible that the U.S. Congress could advance other tax legislation proposals in the future that could have a material impact on our tax rate. In addition, in October 2021, 136 out of 140 countries in the Organization for Economic Co-operation and Development ("OECD") Inclusive Framework on Base Erosion and Profit Shifting ("IF"), including Ireland, politically committed to potentially fundamental changes to the international corporate tax system, including the potential implementation of a global minimum corporate tax rate. While the details of these pronouncements remain unclear and timing of implementation uncertain, the impact of local country IF adoption could have a material impact on our effective tax rate. It is also possible that jurisdictions in which we do business could react to such IF developments unilaterally by enacting tax legislation that could adversely affect us or our affiliates. There is also general uncertainty regarding the tax policies of the jurisdictions where we operate, and if changes are enacted, there could be a resulting increase in our effective tax rate.