---
ticker: MSFT
company: Microsoft Corporation
filing_type: 10-K
year_current: 2024
year_prior: 2023
risks_added: 1
risks_removed: 0
risks_modified: 2
risks_unchanged: 6
source: SEC EDGAR
url: https://riskdiff.com/msft/2024-vs-2023/
markdown_url: https://riskdiff.com/msft/2024-vs-2023/index.md
generated: 2026-05-10
---

# Microsoft Corporation: 10-K Risk Factor Changes 2024 vs 2023

> Source: U.S. Securities and Exchange Commission (EDGAR)  
> Generated: 2026-05-10  
> All data extracted directly from official filings. No hallucinated content.

> **[AI-Generated Summary]** The paragraph below was produced by a language
> model and may contain errors. All other content on this page is deterministically
> extracted from the original SEC filing.

> Microsoft added one new risk factor titled "Position with the Company" in the 2024 10-K. Two existing risks - "Competition in the technology sector" and "Security of our information technology" - underwent substantive modifications, while six risk factors remained unchanged from the prior year filing.

---

## Summary

| Status | Count |
|--------|-------|
| New risks added | 1 |
| Risks removed | 0 |
| Risks modified | 2 |
| Unchanged | 6 |

---

## New in Current Filing: Position with the Company

| Name | Age | Position with the Company |
|------|-----|---------------------------|
| Satya Nadella | 56 | Chairman and Chief Executive Officer |
| Judson B. Althoff | 51 | Executive Vice President and Chief Commercial Officer |
| Kathleen T. Hogan | 58 | Executive Vice President and Chief Human Resources Officer |
| Amy E. Hood | 52 | Executive Vice President and Chief Financial Officer |
| Takeshi Numoto | 53 | Executive Vice President and Chief Marketing Officer |
| Bradford L. Smith | 65 | Vice Chair and President |
| Christopher D. Young | 52 | Executive Vice President, Business Development, Strategy, and Ventures |

Mr. Nadella was appointed Chairman of the Board in June 2021 and Chief Executive Officer in February 2014. He served as Executive Vice President, Cloud and Enterprise from July 2013 until that time. From 2011 to 2013, Mr. Nadella served as President, Server and Tools. From 2009 to 2011, he was Senior Vice President, Online Services Division. From 2008 to 2009, he was Senior Vice President, Search, Portal, and Advertising. Since joining Microsoft in 1992, Mr. Nadella's roles also included Vice President of the Business Division.

Mr. Althoff was appointed Executive Vice President and Chief Commercial Officer in July 2021. He served as Executive Vice President, Worldwide Commercial Business from July 2017 until that time. Prior to that, Mr. Althoff served as the President of Microsoft North America. Mr. Althoff joined Microsoft in March 2013 as President of Microsoft North America. Mr. Althoff also serves on the Board of Directors of Ecolab Inc.

Ms. Hogan was appointed Executive Vice President and Chief Human Resources Officer in June 2023. Ms. Hogan had been Executive Vice President, Human Resources since November 2014. Prior to that Ms. Hogan was Corporate Vice President of Microsoft Services. She also served as Corporate Vice President of Customer Service and Support. Ms. Hogan joined Microsoft in 2003. Ms. Hogan also serves on the Board of Directors of Alaska Air Group, Inc.

Ms. Hood was appointed Executive Vice President and Chief Financial Officer in July 2013, subsequent to her appointment as Chief Financial Officer in May 2013. From 2010 to 2013, Ms. Hood was Chief Financial Officer of the Microsoft Business Division. Since joining Microsoft in 2002, Ms. Hood has also held finance-related positions in the Server and Tools Business and the corporate finance organization. Ms. Hood also serves on the Board of Directors of 3M Corporation.

Mr. Numoto was appointed Executive Vice President and Chief Marketing Officer in October 2023. He served as Executive Vice President and Commercial Chief Marketing Officer from March 2020. Mr. Numoto served as a Corporate Vice President, Cloud Marketing from January 2012. Prior to that, Mr. Numoto served as a Corporate Vice President for Office 365 Marketing from 2004, where he led the transformation from traditional on-premises packaged software to the introduction of Office 365. Since joining Microsoft in 1997, Mr. Numoto has held multiple roles in Windows Program Management and Office Marketing.

Mr. Smith was appointed Vice Chair and President in September 2021. Prior to that, he served as President and Chief Legal Officer since September 2015. He served as Executive Vice President, General Counsel, and Secretary from 2011 to 2015, and served as Senior Vice President, General Counsel, and Secretary from 2001 to 2011. Mr. Smith was also named Chief Compliance Officer in 2002. Since joining Microsoft in 1993, he was Deputy General Counsel for Worldwide Sales and previously was responsible for managing the European Law and Corporate Affairs Group, based in Paris. Mr. Smith also serves on the Board of Directors of Netflix, Inc.

Mr. Young has served as Executive Vice President, Business Development, Strategy, and Ventures since joining Microsoft in November 2020. Prior to Microsoft, he served as the Chief Executive Officer of McAfee, LLC from 2017 to 2020, and served as a Senior Vice President and General Manager of Intel Security Group from 2014 until 2017, when he led the initiative to spin out McAfee into a standalone company. Mr. Young also serves on the Board of Directors of American Express Company.

AVAILABLE INFORMATION

Our Internet address is www.microsoft.com. At our Investor Relations website, www.microsoft.com/investor, we make available free of charge a variety of information for investors. Our goal is to maintain the Investor Relations website as a portal through which investors can easily find or navigate to pertinent information about us, including:

- Our annual report on Form 10-K, quarterly reports on Form 10-Q, current reports on Form 8-K, and any amendments to those reports, as soon as reasonably practicable after we electronically file that material with or furnish it to the Securities and Exchange Commission ("SEC") at www.sec.gov.
- Information on our business strategies, financial results, and metrics for investors.
- Announcements of investor conferences, speeches, and events at which our executives talk about our product, service, and competitive strategies. Archives of these events are also available.
- Press releases on quarterly earnings, product and service announcements, legal developments, and international news.
- Corporate governance information including our articles of incorporation, bylaws, governance guidelines, committee charters, codes of conduct and ethics, global corporate social responsibility initiatives, and other governance-related policies.
- Other news and announcements that we may post from time to time that investors might find useful or interesting.
- Opportunities to sign up for email alerts to have information pushed in real time.

We publish a variety of reports and resources related to our Corporate Social Responsibility programs and progress on our Reports Hub website, www.microsoft.com/corporate-responsibility/reports-hub, including reports on sustainability, responsible sourcing, accessibility, digital trust, and public policy engagement. The information found on these websites is not part of, or incorporated by reference into, this or any other report we file with, or furnish to, the SEC.

In addition to these channels, we use social media to communicate to the public. It is possible that the information we post on social media could be deemed to be material to investors. We encourage investors, the media, and others interested in Microsoft to review the information we post on the social media channels listed on our Investor Relations website.

---

## Modified: Competition in the technology sector

**Key changes:**

- Reworded sentence: "If we do not continue to innovate and provide products, devices, and services that appeal to businesses and consumers, we may not remain competitive, which may adversely affect our business, financial condition, and results of operations."

**Prior (2023):**

Our competitors range in size from diversified global companies with significant research and development resources to small, specialized firms whose narrower product lines may let them be more effective in deploying technical, marketing, and financial resources. Barriers to entry in many of our businesses are low and many of the areas in which we compete evolve rapidly with changing and disruptive technologies, shifting user needs, and frequent introductions of new products and services. Our ability to remain competitive depends on our success in making innovative products, devices, and services that appeal to businesses and consumers.

**Current (2024):**

Our competitors range in size from diversified global companies with significant research and development resources to small, specialized firms whose narrower product lines may let them be more effective in deploying technical, marketing, and financial resources. Barriers to entry in many of our businesses are low and many of the areas in which we compete evolve rapidly with changing and disruptive technologies, shifting user needs, and frequent introductions of new products and services. If we do not continue to innovate and provide products, devices, and services that appeal to businesses and consumers, we may not remain competitive, which may adversely affect our business, financial condition, and results of operations.

---

## Modified: Security of our information technology

**Key changes:**

- Reworded sentence: "Individual and groups of hackers and sophisticated organizations, including state-sponsored organizations or nation-states, continuously undertake attacks that pose threats to our customers and our IT, and we have experienced cybersecurity incidents in which such actors have gained unauthorized access to our IT systems and data, including customer systems and data."
- Added sentence: "Threat actors may also utilize emerging technologies, such as AI and machine learning."
- Reworded sentence: "It may be difficult to determine the best way to investigate, mitigate, contain, and remediate the harm caused by a cyber incident."
- Reworded sentence: "Our business policies and internal security controls may not keep pace with these changes as new threats emerge or the emerging cybersecurity regulations in jurisdictions worldwide."

**Prior (2023):**

Threats to IT security can take a variety of forms. Individual and groups of hackers and sophisticated organizations, including state-sponsored organizations or nation-states, continuously undertake attacks that pose threats to our customers and our IT. These actors may use a wide variety of methods, which may include developing and deploying malicious software or exploiting vulnerabilities or intentionally designed processes in hardware, software, or other infrastructure in order to attack our products and services or gain access to our networks and datacenters, using social engineering techniques to induce our employees, users, partners, or customers to disclose passwords or other sensitive information or take other actions to gain access to our data or our users' or customers' data, or acting in a coordinated manner to launch distributed denial of service or other coordinated attacks. Nation-state and state-sponsored actors can deploy significant resources to plan and carry out attacks. Nation-state attacks against us, our customers, or our partners may intensify during periods of intense diplomatic or armed conflict, such as the ongoing conflict in Ukraine. Inadequate account security or organizational security practices may also result in unauthorized access to confidential data. For example, system administrators may fail to timely remove employee account access when no longer appropriate. Employees or third parties may intentionally compromise our or our users' security or systems or reveal confidential information. Malicious actors may employ the IT supply chain to introduce malware through software updates or compromised supplier accounts or hardware. Cyberthreats are constantly evolving and becoming increasingly sophisticated and complex, increasing the difficulty of detecting and successfully defending against them. 
We may have no current capability to detect certain vulnerabilities or new attack methods, which may allow them to persist in the environment over long periods of time. Cyberthreats can have cascading impacts that unfold with increasing speed across our internal networks and systems and those of our partners and customers. Breaches of our facilities, network, or data security could disrupt the security of our systems and business applications, impair our ability to provide services to our customers and protect the privacy of their data, result in product development delays, compromise confidential or technical business information harming our reputation or competitive position, result in theft or misuse of our intellectual property or other assets, subject us to ransomware attacks, require us to allocate more resources to improve technologies or remediate the impacts of attacks, or otherwise adversely affect our business. We are also subject to supply chain cyberattacks where malware can be introduced to a software provider's customers, including us, through software updates. In addition, our internal IT environment continues to evolve. Often, we are early adopters of new devices and technologies. We embrace new ways of sharing data and communicating internally and with partners and customers using methods such as social networking and other consumer-oriented technologies. Increasing use of generative AI models in our internal systems may create new attack methods for adversaries. Our business policies and internal security controls may not keep pace with these changes as new threats emerge, or emerging cybersecurity regulations in jurisdictions worldwide.

**Current (2024):**

Threats to IT security can take a variety of forms. Individual and groups of hackers and sophisticated organizations, including state-sponsored organizations or nation-states, continuously undertake attacks that pose threats to our customers and our IT, and we have experienced cybersecurity incidents in which such actors have gained unauthorized access to our IT systems and data, including customer systems and data. These actors use a wide variety of methods, which include developing and deploying malicious software; exploiting known and potential vulnerabilities or intentionally designed processes in hardware, software, or other infrastructure to attack our products and services or gain access to our networks and datacenters; using social engineering techniques to induce our employees, users, partners, or customers to disclose sensitive information, such as passwords, or take other actions to gain access to our data or our users' or customers' data; or acting in a coordinated manner or conducting coordinated attacks. For example, as previously disclosed in our Form 8-K filed with the Securities and Exchange Commission on January 19, 2024 and amended on March 8, 2024, beginning in late November 2023, a nation-state associated threat actor used a password spray attack to compromise a legacy test account and, in turn, gain access to Microsoft email accounts. The threat actor used and may continue to use information it obtained to gain, or attempt to gain, unauthorized access to some of our source code repositories and internal systems, and the threat actor may utilize this information to otherwise adversely affect our business and results of operations. This incident has and may continue to result in harm to our reputation and customer relationships. Additionally, we may discover additional impacts of this or other incidents as part of our ongoing examination of this incident. 
Nation-state and state-sponsored actors can sustain malicious activities for extended periods and deploy significant resources to plan and carry out attacks. Nation-state attacks against us, our customers, or our partners have and may continue to intensify during periods of intense diplomatic or armed conflict, such as the ongoing conflict in Ukraine. Cyber incidents and attacks, individually or in the aggregate, could adversely affect our financial condition, results of operations, competitive position, and reputation, or expose us to legal or regulatory risk. Inadequate account security or organizational security practices, including those of companies we have acquired or those of the third parties we utilize, have resulted and may result in unauthorized access to our IT systems and data, including customer systems and data, in the future. For example, system administrators may fail to timely remove employee account access when no longer appropriate. Employees or third parties may intentionally compromise our or our users' security or systems or reveal confidential information. Malicious actors may employ the IT supply chain to introduce malware through software updates or compromised supplier accounts or hardware. Cyberthreats are constantly evolving and becoming increasingly sophisticated and complex, increasing the difficulty of detecting and successfully defending against them. Threat actors may also utilize emerging technologies, such as AI and machine learning. We may have no current capability to detect certain vulnerabilities or new attack methods, which may allow them to persist in the environment over long periods of time. It may be difficult to determine the best way to investigate, mitigate, contain, and remediate the harm caused by a cyber incident. Such efforts may not be successful, and we may make errors or fail to take necessary actions. 
It is possible that threat actors may gain undetected access to other networks and systems after establishing a foothold on an internal system. Cyber incidents and attacks can have cascading impacts that unfold with increasing speed across our internal networks and systems, as well as those of our partners and customers. In addition, it may take considerable time for us to investigate and evaluate the full impact of incidents, particularly for sophisticated attacks. These factors may inhibit our ability to provide prompt, full, and reliable information about the incident to our customers, partners, regulators, and the public. Breaches of our facilities, network, or data security can disrupt the security of our systems and business applications, impair our ability to provide services to our customers and protect the privacy of their data, result in product development delays, compromise confidential or technical business information, result in theft or misuse of our intellectual property or other assets, subject us to ransomware attacks, require us to allocate more resources to improve technologies or remediate the impacts of attacks, or otherwise adversely affect our business. In addition, actions taken to remediate an incident could result in outages, data losses, and disruptions of our services. Our internal IT environment continues to evolve. Often, we are early adopters of new devices and technologies. We embrace new ways of sharing data and communicating internally and with partners and customers using methods such as social networking and other consumer-oriented technologies. Increasing use of generative AI models in our internal systems may create new attack methods for adversaries. Our business policies and internal security controls may not keep pace with these changes as new threats emerge or the emerging cybersecurity regulations in jurisdictions worldwide.

---

*Data sourced from SEC EDGAR. Last updated 2026-05-10.*