Kimberly-Clark Corporation: 10-K Risk Factor Changes

There is growing concern that carbon dioxide and other greenhouse gases in the atmosphere may have an adverse impact on global temperatures, weather patterns, water availability and quality, and the frequency and severity of extreme weather and natural disasters. We have transition risks related to the transition to a lower-carbon economy and physical risks related to the physical impacts of climate change. Transition risks include increased costs of carbon emission, increased cost to produce products in compliance with future regulations, increased raw materials cost, shifts in customer/consumer values and other legal, regulatory and technological risks. Physical risks include the risk of direct damage to assets or supply chain disruption caused by severe weather events such as floods, storms, wildfires and droughts. In addition, concern over climate change by governments and regulators globally have resulted and may continue to result in new legal and regulatory requirements to reduce or mitigate the effects of climate change on the environment (or conversely, to restrict activities to address or consider climate change and related matters). Compliance with these requirements may increase our costs of doing business, including to the extent these reporting regimes are inconsistent. There is also increased focus, including by governmental and non-governmental organizations, investors and investment managers, customers, suppliers, consumers, our employees and other stakeholders on these and other sustainability matters, including responsible sourcing and deforestation, the use of plastic, energy and water, the recyclability or recoverability of packaging, including single-use and other plastic packaging and ingredient transparency. At the same time, there is growing opposition to initiatives on these matters, and our public reporting on our sustainability initiatives, expectations, and progress, including our ambitions for 2030, may not satisfy the expectations of all stakeholders. These stakeholders may rely on their assessment or perception (or a third-party’s assessment) of our sustainability practices to inform their future engagement with our company, products, and securities. Any failure to achieve our sustainability goals, including those aimed to reduce our impact on, improve or preserve the environment, or the perception (whether or not valid) that we have failed to act responsibly with respect to such matters or to effectively respond to new legal or regulatory requirements regarding climate change, could adversely affect our business and reputation, including the loss of customers or business opportunities and legal or regulatory proceedings.

There is growing concern that carbon dioxide and other greenhouse gases in the atmosphere may have an adverse impact on global temperatures, weather patterns, and the frequency and severity of extreme weather and natural disasters. We have transition risks related to the transition to a lower-carbon economy and physical risks related to the physical impacts of climate change. Transition risks include increased costs of carbon emission, increased cost to produce products in compliance with future regulations, increased raw materials cost, shifts in customer/consumer values and other legal, regulatory and technological risks. Physical risks include the risk of direct damage to assets or supply chain disruption caused by severe weather events such as floods, storms, wildfires and droughts. In addition, concern over climate change may result in new legal and regulatory requirements to reduce or mitigate the effects of climate change on the environment. Despite our sustainability efforts, any failure to achieve our sustainability goals, including those aimed to reduce our impact on, improve or preserve the environment, or the perception (whether or not valid) that we have failed to act responsibly with respect to such matters or to effectively respond to new legal or regulatory requirements regarding climate change, could adversely affect our business and reputation. There is also increased focus, including by governmental and non-governmental organizations, investors, customers, consumers, our employees and other stakeholders on these and other sustainability matters, including responsible sourcing and deforestation, the use of plastic, energy and water, the recyclability or recoverability of packaging, including single-use and other plastic packaging and ingredient transparency. Our reputation could be damaged if we do not (or are perceived not to) act responsibly with respect to sustainability matters, which could adversely affect our business.

To conduct our business, we rely extensively on information and operational technology systems, many of which are managed, hosted, provided and/or used by third parties and their vendors. These systems include, but are not limited to, programs and processes relating to internal communications and communicating with customers, consumers, vendors, investors and other parties; ordering and managing materials from suppliers; converting materials to finished products; receiving and processing purchase orders and shipping products to customers; processing transactions; storing, processing and transmitting data, including personal confidential information and payment card industry data; supporting employee data processing for our global workforce; hosting, processing and sharing confidential and proprietary research, business and financial information; and complying with financial reporting, regulatory, legal and tax requirements. Furthermore, we sell certain products directly to consumers online and through websites, mobile apps and connected devices, and we also engage in online activities, including data collection, promotions, rebates and customer loyalty and other programs, through which we may receive personal information. A breach or other breakdown in our technology, including a cyberattack, privacy incident, data incident or other event involving us or any of our third-party service providers or vendors could adversely affect our financial condition and results of operations. Despite the security measures we have in place, the information and operational technology systems, including those of our customers, vendors, suppliers and other third-party service providers with whom we have contracted, have, in the past, and may, in the future, be vulnerable to cyber-threats such as computer viruses or other malicious codes, ransomware, cyber extortion, security incidents, denial of service attacks, unauthorized access, phishing attacks, social engineering and other disruptions from employee error, unauthorized uses, system failures, including Internet outages, unintentional or malicious actions of employees or contractors or cyberattacks by hackers, criminal groups, nation-states and nation-state-sponsored 5KIMBERLY-CLARK CORPORATION - 2023 Annual Report 5KIMBERLY-CLARK CORPORATION - 2023 Annual Report 5KIMBERLY-CLARK CORPORATION - 2023 Annual Report 5 KIMBERLY-CLARK CORPORATION - 2023 Annual Report organizations and social-activist organizations. We have seen and may continue to see an increase in the number of such attacks, especially as we continue operating under a hybrid working model under which employees can work and access our technology infrastructure remotely. In addition, while we have purchased cybersecurity insurance, costs related to a cyberattack may exceed the amount of insurance coverage or be excluded under the terms of our cybersecurity insurance policy. As cyberattacks increase in frequency and magnitude, we may be unable to obtain cybersecurity insurance in amounts and on terms we view as appropriate for our operations. Our security efforts and the efforts of our third-party providers may not prevent or timely detect future attacks and resulting breaches or breakdowns of our, or third-party service providers’, databases or systems. In addition, if we or our third-party providers are unable to effectively resolve such breaches or breakdowns on a timely basis, we may experience interruptions in our ability to manage or conduct business, as well as reputational harm, governmental fines, penalties, regulatory proceedings, and litigation and remediation expenses. In addition, such incidents could result in unauthorized disclosure and misuse of material confidential information, including personal identifying information. Cyber-threats are becoming more sophisticated, are constantly evolving and are being made by groups and individuals with a wide range of expertise and motives, and this increases the difficulty of detecting and successfully defending against them. We have incurred, and will continue to incur, expenses to comply with privacy and data protection standards and protocols imposed by law, regulation, industry standards and contractual obligations. Increased regulation of data collection, use, and retention practices, including self-regulation and industry standards, changes in existing laws and regulations, including reporting requirements, enactment of new laws and regulations, increased enforcement activity, and changes in interpretation of laws, could increase our cost of compliance and operation, limit our ability to grow our business or otherwise harm our business. In addition, data incidents or theft of personal information collected by us and our third-party service providers as well as data incidents or theft of our information may occur. We are subject to the laws and regulations of various countries where we operate or do business related to solicitation, collection, processing, transferring, storing or use of consumer, customer, vendor or employee information or related data. These laws and regulations change frequently, and new legislation continues to be introduced and may be interpreted and applied differently from jurisdiction to jurisdiction and may create inconsistent or conflicting requirements. The changes introduced by data privacy and protection regulations increase the complexity of regulations enacted to protect business and personal data and they subject us to additional costs. These laws and regulations also may result in us incurring additional expenses and liabilities in the event of unauthorized access to or disclosure of personal data. We are in the process of upgrading our enterprise resource planning system (known as SAP) to enhance operating efficiencies and provide more effective management of our business operations. We also use various other hardware, software and operating systems that may need to be upgraded or replaced in the near future as such systems cease to be supported by third-party service providers, and may be vulnerable to increased risks, including the risk of security breaches, system failures and disruptions. System upgrades take time, require oversight and may be costly, and pose several challenges, including training of personnel, communication of new rules and procedures, migration of data, increased risk of security breaches, and the potential instability of the new system. Moreover, there is no assurance that the new enterprise resource planning system will meet our current and future business needs or that it will operate as designed. Any significant failure or delay in system upgrades could cause an interruption to our business and adversely affect our operations and financial results.

Increased cyber-security threats and computer crime pose a potential risk to the security of our information technology systems, including those of third-party service providers with whom we have contracted, as well as the confidentiality, integrity and availability of the data stored on those systems. Further, data privacy is subject to frequently changing rules and regulations regarding the handling of personal data, such as the GDPR, LGPD, PIPL and CCPA. Any breach in our information technology security systems could result in the disclosure or misuse of confidential or proprietary information, including sensitive customer, supplier, employee or investor information maintained in the ordinary course of our business. Any such event, or any failure to comply with these data privacy requirements or other laws in this area, could cause damage to our reputation, loss of valuable information or loss of revenue and could result in legal liability, or regulatory or other penalties. In addition, we may incur large expenditures to investigate or remediate, to recover data, to repair or replace networks or information systems, or to protect against similar future events. Our information technology systems, some of which are dependent on services provided by third parties, serve an important role in the efficient and effective operation and administration of our business. These systems could be damaged or cease to function properly due to any number of causes, such as catastrophic events, power outages, security breaches, user or system errors, computer viruses or cyber-based attacks. The risk of cyber-based attacks is heightened with many of our employees working and accessing our technology infrastructure remotely. While we have contingency plans in place to prevent or mitigate the impact of these events, if they were to occur and our disaster recovery plans do not effectively address the issues on a timely basis, we could suffer interruptions in our ability to manage our operations, which may adversely affect our business and financial results. We are in the process of upgrading our enterprise resource planning system (known as SAP) to enhance operating efficiencies and provide more effective management of our business operations. The upgrade poses several challenges, including training of personnel, communication of new rules and procedures, migration of data, and the potential instability of the new system. Moreover, there is no assurance that the new system will meet our current and future business needs or that it will operate as 5KIMBERLY-CLARK CORPORATION - 2022 Annual Report 5KIMBERLY-CLARK CORPORATION - 2022 Annual Report 5KIMBERLY-CLARK CORPORATION - 2022 Annual Report 5 KIMBERLY-CLARK CORPORATION - 2022 Annual Report designed. Any significant failure or delay in the system upgrade could cause an interruption to our business and adversely affect our operations and financial results.