Lululemon Athletica Inc.: 10-K Risk Factor Changes

Our CISO is responsible for our cybersecurity program, including risk assessments, information security activities, and controls. The CISO is responsible for establishing and maintaining corporate information security policies and overseeing our risk management activities, which prioritize vulnerability management, risk reduction, and prevention. Our CISO also leads our Cyber Defense and Incident Response (“CDIR”) team which identifies, assesses, escalates, and remediates cybersecurity incidents. Our CISO has over 30 years of experience in the field of cybersecurity, bringing an extensive understanding of cybersecurity threats, regulatory compliance, and industry best practices. The CDIR team monitors and manages key cybersecurity risks, including threats related to third parties, cloud security, malicious code, e-commerce systems, and store technology. It also conducts security reviews, assesses vulnerabilities, and analyzes threat intelligence to strengthen our cyber defenses and incident response efforts. As part of our cybersecurity program, we conduct cybersecurity awareness training including phishing simulations and supplemental campaigns as well as mandatory e-learning for all our employees. Our employees have multiple mechanisms for reporting cybersecurity and data privacy concerns. We work with third-party cybersecurity advisors to undertake assessments of our critical systems and to remediate any high-risk vulnerabilities identified. We also engage third parties to perform penetration testing on our key systems to identify potential weaknesses. As part of our cyber incident response plan, we utilize an established framework to assess the severity of cybersecurity incidents. Under the plan, incidents are escalated to relevant senior management, and the board of directors, as appropriate, based on their severity. Our disclosure committee assesses the materiality of severe incidents including both quantitative and qualitative factors. 22 22 22 Table of Contents Table of Contents

Our CISO is responsible for our cybersecurity program, including risk assessments, information security activities, and controls. The CISO is responsible for establishing and maintaining corporate information security policies and overseeing our risk management activities, which prioritize vulnerability management, risk reduction, and prevention. Our CISO also leads our Cyber Defense and Incident Response (“CDIR”) team which identifies, assesses, escalates, and remediates cybersecurity incidents. Our current CISO has over 25 years of experience in information security across different industries in the US, Europe, and South and Central America. Our current CISO is a member of the Information Systems Audit and Control Association and brings extensive experience and knowledge of cybersecurity risk management. The CDIR team identifies, tracks, reviews, assesses, and takes actions over key cybersecurity risks including but not limited to: (i) third parties/vendors, (ii) cloud security, (iii) malicious code, (iv) our digital e-commerce channels and systems, and (v) our store technology. The CDIR team also undertakes enterprise architecture reviews, considers cyber defense and incident response findings, performs vulnerability scans, and assesses threats and performs landscape intelligence analysis. As part of our cybersecurity program, we conduct cybersecurity awareness training including phishing simulations and supplemental campaigns as well as mandatory e-learning for all our employees. Our employees have multiple mechanisms for reporting cybersecurity and data privacy concerns. We work with third-party cybersecurity advisors to undertake assessments of our critical systems and to remediate any high-risk vulnerabilities identified. We also engage third parties to perform penetration testing on our key systems to identify potential weaknesses. As part of our cyber incident response plan, we utilize an established framework to assess the severity of cybersecurity incidents. Under the plan, incidents are escalated to relevant senior management, and the board of directors, as appropriate, based on their severity. Our disclosure committee assesses the materiality of severe incidents including both quantitative and qualitative factors.

We may be unable to achieve our growth objectives if we do not have the right level of efficiency and scalability in our processes and operations. We may experience difficulties in obtaining sufficient raw materials and manufacturing capacity to produce our products, as well as delays in production and shipments, as our products are subject to risks associated with overseas sourcing and manufacturing. We could be required to continue to expand our sales and marketing, product development and distribution functions, to upgrade our management information systems and other processes and technology, and to obtain more space for our expanding workforce. This expansion could increase the strain on our resources, and we could experience operating difficulties, including difficulties in hiring, training, and managing an increasing number of employees. These difficulties could result in the erosion of our brand image which could have a material adverse effect on our financial condition.

If our operations continue to grow at a rapid pace, we may experience difficulties in obtaining sufficient raw materials and manufacturing capacity to produce our products, as well as delays in production and shipments, as our products are subject to risks associated with overseas sourcing and manufacturing. We could be required to continue to expand our sales and marketing, product development and distribution functions, to upgrade our management information systems and other processes and technology, and to obtain more space for our expanding workforce. This expansion could increase the strain on our resources, and we could experience operating difficulties, including difficulties in hiring, training, and managing an increasing number of employees. These difficulties could result in the erosion of our brand image which could have a material adverse effect on our financial condition. 12 12 12 Table of Contents Table of Contents

We may be subject to actions or proposals from stockholders, political or consumer activists, or others that may not align with our business strategies or the interests of our other stockholders. Activism could include geopolitical conflict between the PRC and other countries. Responding to such actions can be costly and time-consuming, disrupt our business and operations, and divert the attention of our board of directors, management, and employees from the pursuit of our business strategies. Such activities could interfere with our ability to execute our strategic plan. Stockholders, political or consumer activists, or others may create perceived uncertainties as to the future direction of our business or strategy which may be exploited by our competitors and may make it more difficult to attract and retain qualified personnel and potential guests, and may affect our relationships with current guests, vendors, investors, and other third parties. In addition, a proxy contest for the election of directors at our annual meeting would require us to incur significant legal fees and proxy solicitation expenses and require significant time and attention by management and our board of directors. The perceived uncertainties as to our future direction also could affect the market price and volatility of our securities.

We may be subject to actions or proposals from stockholders or others that may not align with our business strategies or the interests of our other stockholders. Responding to such actions can be costly and time-consuming, disrupt our business 21 21 21 Table of Contents Table of Contents and operations, and divert the attention of our board of directors, management, and employees from the pursuit of our business strategies. Such activities could interfere with our ability to execute our strategic plan. Activist stockholders or others may create perceived uncertainties as to the future direction of our business or strategy which may be exploited by our competitors and may make it more difficult to attract and retain qualified personnel and potential guests, and may affect our relationships with current guests, vendors, investors, and other third parties. In addition, a proxy contest for the election of directors at our annual meeting would require us to incur significant legal fees and proxy solicitation expenses and require significant time and attention by management and our board of directors. The perceived uncertainties as to our future direction also could affect the market price and volatility of our securities.

As of the date of this annual report, we are not aware of any cybersecurity incidents that have had a material impact on our business. However, like many companies, we continue to face ongoing cyber threats, including phishing and other unauthorized access attempts, which if successful could have a material impact in the future. For more information, see “Risks related to information security and technology” included in Item 1A. Risk Factors of this annual report.

Based on the information available as of the date of this Annual Report, we have not been materially affected by any previous cybersecurity incidents. However, we continue to experience cyber-attacks, including phishing, and other attempts to break or gain unauthorized access to our systems that could materially affect us in the future. For further information, see “Risks related to information security and technology” included in Item 1A. Risk Factors of this Annual Report. 23 23 23 Table of Contents Table of Contents