Lululemon Athletica Inc.: 10-K Risk Factor Changes

2024 vs 2023  ·  SEC EDGAR  ·  2026-05-10
⚠ AI-Generated

The summary below was generated by an AI language model and may contain errors or omissions. All other content on this page is deterministically extracted from the original SEC EDGAR filing.

Lululemon expanded its risk factor disclosures by adding four new cybersecurity-related risks in 2024, including dedicated sections on cybersecurity programs, incident response, and third-party risks, reflecting heightened focus on data security vulnerabilities. The company substantively modified two existing risk factors addressing senior management retention and consumer shopping preference shifts, indicating evolving concerns about talent management and distribution channel disruption. These 43 total risk factors represent a net increase of four disclosures while maintaining all previously disclosed risks.

✓ Deterministic extraction — no AI-generated data

Classification is based on semantic text similarity scoring and may include approximations. “No match” means no high-confidence textual match was found — not necessarily that a section was removed.

New Risks: 4  ·  Removed: 0  ·  Modified: 2  ·  Unchanged: 37

🟢 New in Current Filing

Risk Management and Strategy

Our business operations and relationships with customers and suppliers are heavily reliant on technology. We operate a cybersecurity program designed to assess our security risks and threats, to manage those risks and protect our technology systems and data, and to detect and respond to cybersecurity incidents. We manage strategic risks, including cybersecurity risk, through our Enterprise Risk Management program which has direct involvement from the board of directors, the audit committee, and senior management. Through this process, we have identified cybersecurity as a risk management priority.

Governance

Our board of directors provides oversight of cybersecurity risks and has delegated primary responsibility to the audit committee, which is responsible for overseeing our enterprise risk assessments and management policies, procedures, and practices (including regarding those risks related to information security, cybersecurity, and data protection). The audit committee maintains a cybersecurity sub-committee that is comprised of our Chief Information Officer ("CIO"), our Chief Information Security Officer ("CISO"), and representatives from the audit committee and board of directors that have knowledge and experience in cybersecurity matters. The cybersecurity sub-committee reviews our cybersecurity risk assessments and the steps being taken to monitor, control, and report on those risks as well as discusses regulatory and market developments. They also review our process for identifying and responding to cybersecurity incidents in a timely manner, and details of cybersecurity attacks or incidents which have occurred. Management generally meets with, and provides reports to, the cybersecurity sub-committee on a quarterly basis. Our CIO and CISO also meet with and provide reports to the audit committee at least quarterly.
The board of directors receives periodic reports regarding the activities of the cybersecurity sub-committee. These reports and meetings are designed to inform the board of directors and committees about the current state of our information security program including cybersecurity risks, the nature, timing, and extent of cybersecurity incidents, if any, and the resolution of such matters.

🟢 New in Current Filing

Cybersecurity Program and Incident Response

Our CISO is responsible for our cybersecurity program, including risk assessments, information security activities, and controls. The CISO is responsible for establishing and maintaining corporate information security policies and overseeing our risk management activities, which prioritize vulnerability management, risk reduction, and prevention. Our CISO also leads our Cyber Defense and Incident Response (“CDIR”) team which identifies, assesses, escalates, and remediates cybersecurity incidents. Our current CISO has over 25 years of experience in information security across different industries in the US, Europe, and South and Central America. Our current CISO is a member of the Information Systems Audit and Control Association and brings extensive experience and knowledge of cybersecurity risk management. The CDIR team identifies, tracks, reviews, assesses, and takes actions over key cybersecurity risks including but not limited to: (i) third parties/vendors, (ii) cloud security, (iii) malicious code, (iv) our digital e-commerce channels and systems, and (v) our store technology. The CDIR team also undertakes enterprise architecture reviews, considers cyber defense and incident response findings, performs vulnerability scans, and assesses threats and performs landscape intelligence analysis. As part of our cybersecurity program, we conduct cybersecurity awareness training including phishing simulations and supplemental campaigns as well as mandatory e-learning for all our employees. Our employees have multiple mechanisms for reporting cybersecurity and data privacy concerns. We work with third-party cybersecurity advisors to undertake assessments of our critical systems and to remediate any high-risk vulnerabilities identified. We also engage third parties to perform penetration testing on our key systems to identify potential weaknesses. 
As part of our cyber incident response plan, we utilize an established framework to assess the severity of cybersecurity incidents. Under the plan, incidents are escalated to relevant senior management, and the board of directors, as appropriate, based on their severity. Our disclosure committee assesses the materiality of severe incidents including both quantitative and qualitative factors.

🟢 New in Current Filing

Third Parties

We utilize third-party service providers as a normal part of our business operations. To address cybersecurity risks arising from our relationships with third-party service providers, we employ a vendor risk program. We monitor risks relating to potential compromises of sensitive information at our third-party service providers and re-evaluate the risks associated with our partners periodically. Prior to exchanging our data with third-party service providers, they are required to go through a vendor risk assessment. We also conduct third-party security reviews and evaluate their network, processes, and systems. In addition, we obtain annual attestation reports related to data security and privacy from certain third-party service providers to further support compliance with industry-standard cybersecurity protocols.

🟢 New in Current Filing

Impact of Cybersecurity Risks on Strategy and Results

Based on the information available as of the date of this Annual Report, we have not been materially affected by any previous cybersecurity incidents. However, we continue to experience cyber-attacks, including phishing, and other attempts to break or gain unauthorized access to our systems that could materially affect us in the future. For further information, see “Risks related to information security and technology” included in Item 1A. Risk Factors of this Annual Report.

🟡 Modified

Our future success is substantially dependent on the service of our senior management and our ability to maintain our culture and to attract, manage, and retain highly qualified individuals.

high match confidence

Sentence-level differences:

  • Reworded sentence: "If we are unable to successfully maintain and evolve our unique culture, offer competitive compensation and benefits, and a desirable work model, we may be unable to attract and retain highly qualified individuals to support our business and continued growth."
  • Reworded sentence: "Unionization efforts or other employee organizing activities could lead to higher people costs or reduce our flexibility to manage our employees which may negatively disrupt our operations."

Current (2024):

The performance of our senior management team and other key employees may not meet our needs and expectations. Also, the loss of services of any of these key employees, or any negative public perception with respect to these individuals, may be disruptive to, or cause uncertainty in, our business and could have a negative impact on our ability to manage and grow our business effectively. Such disruption could have a material adverse impact on our financial performance, financial condition, and the market price of our stock. If we are unable to successfully maintain and evolve our unique culture, offer competitive compensation and benefits, and a desirable work model, we may be unable to attract and retain highly qualified individuals to support our business and continued growth. Our work model may not meet the needs and expectations of our employees and may not be perceived as favorable compared to other companies. Unionization efforts or other employee organizing activities could lead to higher people costs or reduce our flexibility to manage our employees which may negatively disrupt our operations. We also face risks related to employee engagement and productivity which could result in increased headcount and lead to increased labor costs.

Prior (2023):

The performance of our senior management team and other key employees may not meet our needs and expectations. Also, the loss of services of any of these key employees, or any negative public perception with respect to these individuals, may be disruptive to, or cause uncertainty in, our business and could have a negative impact on our ability to manage and grow our business effectively. Such disruption could have a material adverse impact on our financial performance, financial condition, and the market price of our stock. If we are unable to successfully maintain and evolve our unique corporate culture, offer competitive compensation and benefits, and a desirable work model, we may be unable to attract and retain highly qualified individuals to support our business and continued growth. Our work model may not meet the needs and expectations of our employees and may not be perceived as favorable compared to other companies. We also face risks related to employee engagement and productivity.

🟡 Modified

Changes in consumer shopping preferences, and shifts in distribution channels could materially impact our results of operations.

medium match confidence

Sentence-level differences:

  • Reworded sentence: "We operate an omni-channel retail model and aim to efficiently and effectively serve our guests in the ways most convenient to them."
  • Reworded sentence: "Our failure to successfully integrate our digital and physical channels and respond to these risks might adversely impact our business and results of operations, as well as damage our reputation and brand."

Current (2024):

We operate an omni-channel retail model and aim to efficiently and effectively serve our guests in the ways most convenient to them. We operate a combination of physical retail locations and e-commerce services via our websites, other region-specific websites, digital marketplaces, and mobile apps. Our physical retail locations remain a key part of our growth strategy and we view them as a valuable tool in helping us build our brand and product line as well as enabling our omni-channel capabilities. We plan to continue to expand square footage and open new company-operated stores to support our growth objectives. The diversion of sales from our company-operated stores could adversely impact our return on investment and could lead to impairment charges and store closures, including lease exit costs. We could have difficulty in recreating the in-store experience through direct channels. Our failure to successfully integrate our digital and physical channels and respond to these risks might adversely impact our business and results of operations, as well as damage our reputation and brand.

Prior (2023):

We sell our products through a variety of channels, with a significant portion through traditional brick-and-mortar retail channels. As strong e-commerce channels emerge and develop, we are evolving towards an omni-channel approach to support the shopping behavior of our guests. This involves country and region-specific websites, social media, product notification emails, mobile apps, including mobile apps on in-store devices that allow demand to be fulfilled via our distribution centers, and online order fulfillment through stores. The diversion of sales from our company-operated stores could adversely impact our return on investment and could lead to impairment charges and store closures, including lease exit costs. We could have difficulty in recreating the in-store experience through direct channels. Our failure to successfully integrate our digital and physical channels and respond to these risks might adversely impact our business and results of operations, as well as damage our reputation and brands.