--- ticker: ROK company: Rockwell Automation Inc. filing_type: 10-K year_current: 2024 year_prior: 2023 risks_added: 1 risks_removed: 0 risks_modified: 3 risks_unchanged: 14 source: SEC EDGAR url: https://riskdiff.com/rok/2024-vs-2023/ markdown_url: https://riskdiff.com/rok/2024-vs-2023/index.md generated: 2026-05-10 --- # Rockwell Automation Inc.: 10-K Risk Factor Changes 2024 vs 2023 > Source: U.S. Securities and Exchange Commission (EDGAR) > Generated: 2026-05-10 > All data extracted directly from official filings. No hallucinated content. > **[AI-Generated Summary]** The paragraph below was produced by a language > model and may contain errors. All other content on this page is deterministically > extracted from the original SEC filing. > Rockwell Automation added a new risk disclosure in 2024 focused on cost productivity and margin expansion execution, reflecting heightened management concern about operational efficiency. The company substantively modified three existing risk disclosures covering regulatory changes, intellectual property protection, and cybersecurity threats, indicating these areas received enhanced attention and disclosure depth. The overall risk factor structure remained largely stable with 14 unchanged risks, suggesting the company's core risk landscape remained consistent while specific operational and competitive pressures were elevated. --- ## Summary | Status | Count | |--------|-------| | New risks added | 1 | | Risks removed | 0 | | Risks modified | 3 | | Unchanged | 14 | --- ## New in Current Filing: An inability to successfully execute cost productivity and margin expansion initiatives. Financial results depend on the successful execution of our business operating plans, including current and future cost productivity and margin expansion initiatives. We continuously pursue alignment of costs with business and economic conditions. Productivity projects include savings in the areas of product cost, indirect cost, administrative costs, purchased services, logistics, manufacturing workflows, make or buy decisions in manufacturing, product portfolio and price optimization. Our ongoing productivity initiatives target both cost reduction and improved asset utilization. Charges for workforce reduction and facility rationalization may be required in order to efficiently execute our productivity programs. There is a risk that these initiatives will not result in the projected savings that we anticipate and could negatively impact our business and financial results. --- ## Modified: New legislative and regulatory actions could adversely affect our business. **Key changes:** - Reworded sentence: "In October 2021, the Organization for Economic Cooperation and Development (OECD) and G20 Finance Ministers reached an agreement, known as Base Erosion and Profit Shifting (BEPS) Pillar Two, that, among other things, ensures that income earned in each jurisdiction that qualifying multinational enterprises operate in is subject to a minimum corporate income tax rate of at least 15%." - Reworded sentence: "The growing focus on environmental, social, and governance (ESG) factors by investors and other stakeholders and evolving compliance requirements by regulators may impact our business." - Reworded sentence: "Compliance with privacy and cybersecurity laws and regulations (including the emerging European Union Cyber Resiliency Act) could increase our operating costs in managing product compliance and as part of our efforts to protect and safeguard our sensitive data, personal information, and IT infrastructure." **Prior (2023):** Legislative and regulatory action, including those related to corporate income taxes, the environment, materials, products, certification, and labeling, privacy, cybersecurity, or climate change, may be taken in the jurisdictions where we operate that may affect our business activities or may otherwise increase our costs to do business. In October 2021, the Organization for Economic Cooperation and Development (OECD) and G20 Finance Ministers reached an agreement, known as Base Erosion and Profit Shifting (BEPS) Pillar Two, that, among other things, ensures that income earned in each jurisdiction that a multinational enterprise operates in is subject to a minimum corporate income tax rate of at least 15%. Discussions related to the formal implementation of this agreement, including within the tax law of each member jurisdiction including the United States, are ongoing. Enactment of this regulation in its current form would increase the amount of global corporate income tax paid by the Company. We are increasingly required to comply with various environmental and other material, product, certification, and labeling laws and regulations (including the emerging European Union Eco-design for Sustainable Products Regulation). Our customers may also be required to comply with such legislative and regulatory requirements. These requirements could increase our costs and could potentially have an adverse effect on our ability to do business in certain jurisdictions. Changes in these requirements could impact demand for our hardware and software products, solutions, and services. 9 9 9 9 9 9 Table of Contents Table of Contents Table of Contents The growing focus on environmental, social, and governance (ESG) factors by investors and other stakeholders and evolving compliance requirements by regulators may impact our business. Failure to comply with ESG reporting requirements, including inaccurate or incomplete disclosures, may lead to regulatory penalties, litigation, and reputational damage. While the Company has adopted certain voluntary targets, environmental laws, regulations, or standards may be changed, accelerated, or adopted and impose significant operational restrictions and compliance requirements upon the Company, its products, or customers, which could negatively impact the Company's business, capital expenditures, results of operations, and financial condition. Compliance with privacy and cybersecurity regulations could increase our operating costs as part of our efforts to protect and safeguard our sensitive data, personal information, and IT infrastructure. Failure to maintain information privacy could result in legal liability or reputational harm. **Current (2024):** Legislative and regulatory action, including those related to corporate income taxes, the environment, materials, products, certification, and labeling, privacy, cybersecurity, or climate change, may be taken in the jurisdictions where we operate that may affect our business activities or may otherwise increase our costs to do business. In October 2021, the Organization for Economic Cooperation and Development (OECD) and G20 Finance Ministers reached an agreement, known as Base Erosion and Profit Shifting (BEPS) Pillar Two, that, among other things, ensures that income earned in each jurisdiction that qualifying multinational enterprises operate in is subject to a minimum corporate income tax rate of at least 15%. Discussions related to the formal implementation and enactment of this agreement, including within the tax law of each member jurisdiction including the United States, are ongoing. Certain countries have enacted the Pillar Two framework, including Singapore, which is expected to result in the greatest impact to the Company. Enactment of this regulation in its current form would generally apply to the Company beginning in fiscal year 2026, resulting in an increase in our effective tax rate as well as in the amount of global corporate income tax paid. We are increasingly required to comply with various environmental and other material, product, certification, and labeling laws and regulations (including the emerging European Union Eco-design for Sustainable Products Regulation). Our customers may also be required to comply with such legislative and regulatory requirements. These requirements could increase our costs and could potentially have an adverse effect on our ability to do business in certain jurisdictions. Changes in these requirements could impact demand for our hardware and software products, solutions, and services. The growing focus on environmental, social, and governance (ESG) factors by investors and other stakeholders and evolving compliance requirements by regulators may impact our business. Failure to comply with ESG reporting requirements, including inaccurate or incomplete disclosures, may lead to regulatory penalties, litigation, and reputational damage. While the Company has adopted certain voluntary targets, environmental laws, regulations, or standards may be changed, accelerated, or adopted and impose significant operational restrictions and compliance requirements upon the Company, its products, or customers, which could negatively impact the Company's business, capital expenditures, results of operations, and financial condition. Compliance with privacy and cybersecurity laws and regulations (including the emerging European Union Cyber Resiliency Act) could increase our operating costs in managing product compliance and as part of our efforts to protect and safeguard our sensitive data, personal information, and IT infrastructure. These requirements could potentially have an adverse effect on our ability to do business in certain jurisdictions. Changes in these requirements could impact demand for our hardware and software products, solutions, and services. Failure to maintain information privacy and security could result in legal liability or reputational harm. --- ## Modified: Intellectual property infringement claims of others and the inability to protect our intellectual property rights could harm our business and our customers. **Key changes:** - Reworded sentence: "The inability to secure or enforce our intellectual property rights may have an adverse effect on our results of operations." **Prior (2023):** Others may assert intellectual property infringement claims against us or our customers. We frequently provide a limited intellectual property indemnity in connection with our terms and conditions of sale to our customers and in other types of contracts with third parties. Indemnification payments and legal expenses to defend claims could be costly. In addition, we own the rights to many patents, trademarks, brand names, and trade names that are important to our business. The inability to enforce our intellectual property rights (including as a result of counterfeit products and sales made by unauthorized resellers) may have an adverse effect on our results of operations. Expenses related to enforcing our intellectual property rights could be significant. **Current (2024):** Others may assert intellectual property infringement claims against us or our customers. We frequently provide a limited intellectual property indemnity in connection with our terms and conditions of sale to our customers and in other types of contracts with third parties. Indemnification payments and legal expenses to defend claims could be costly. In addition, we own the rights to many patents, trademarks, brand names, and trade names that are important to our business. The inability to secure or enforce our intellectual property rights may have an adverse effect on our results of operations. Unauthorized resellers and counterfeiters of Company-branded products of inferior quality or that may otherwise be materially different from genuine goods sold by the Company and its authorized distributors may harm the goodwill and reputation of the Company and could adversely affect our results of operations. --- ## Modified: Failures or security breaches of our commercial product offerings (which includes hardware, software, services, and solutions), manufacturing environment, supply chain, or information and operational technology systems could have an adverse effect on our business. **Key changes:** - Reworded sentence: "We rely heavily on technology in our commercial product offerings for use in our customers' manufacturing environment, and in our enterprise infrastructure." - Reworded sentence: "Given our commercial product offerings can be used in critical infrastructure and critical manufacturing, these threats could indicate increased risk for our commercial product offerings, manufacturing, and IT infrastructure." - Reworded sentence: "In addition, both software and hardware supply chains can introduce security vulnerabilities into many technologies across the industry." - Reworded sentence: "In addition, we rely on partners and vendors, including cloud providers, for a wide range of products and outsourced activities as part of our internal IT infrastructure and our commercial product offerings." - Reworded sentence: "In addition, cybersecurity threats may pose a significant risk to our third-party partners and could have a material adverse impact on their businesses, operations, products, and services that we use in our day-to-day operations." **Prior (2023):** We rely heavily on technology in our hardware and software products, solutions, and services for our customers' manufacturing environment, and in our enterprise infrastructure. Despite the implementation of security measures, our systems are vulnerable to unauthorized access by nation states, hackers, cyber-criminals, malicious insiders, and other actors who may engage in fraud, theft of confidential or proprietary information, or sabotage. Our systems could be compromised by malware (including ransomware), cyber-attacks, and other events, ranging from widespread, non-targeted, global cyber threats to targeted advanced persistent threats. Given that our hardware and software products, solutions, and services are used in critical infrastructure, these threats could indicate increased risk for our products, services, solutions, manufacturing, and IT infrastructure. Past global cyber-attacks have also been perpetuated by compromising software updates in widely used software products, increasing the risk that vulnerabilities or malicious content could be inserted into our products. In some cases, malware attacks were spread throughout the supply chain, moving from one company to the next via authorized network connections. Our hardware and software products, solutions, and services are used by our direct and indirect customers in applications that may be subject to information theft, tampering, sabotage, or cyber-attacks. Careless or malicious actors could cause a customer's process to be disrupted or could cause equipment to operate in an improper manner that could result in harm to people or property. While we continue to improve the security attributes of our hardware and software products, solutions, and services, we can reduce risk, not eliminate it. To a significant extent, the security of our customers' systems depends on how those systems are designed, installed, protected, configured, updated, and monitored, and much of this is typically outside our control. In addition, both software and hardware supply chains introduce security vulnerabilities into many products across the industry. Our business uses technology resources on a dispersed, global basis for a wide variety of functions including development, engineering, manufacturing, sales, accounting, and human resources. Our vendors, partners, employees, and customers have access to, and share, information across multiple locations via various digital technologies. In addition, we rely on partners and vendors, including cloud providers, for a wide range of products and outsourced activities as part of our internal IT infrastructure and our commercial offerings. Secure connectivity is important to these ongoing operations. Also, our partners and vendors frequently have access to our confidential information as well as confidential information about our customers, employees, and others. We design our security architecture to reduce the risk that a compromise of our partners' infrastructure, for example a cloud platform, could lead to a compromise of our internal systems or customer networks. In addition, our Third-Party Risk Program manages risk posed by our suppliers that have access to our confidential information, systems, or network, but this risk cannot be eliminated and vulnerabilities at third parties could result in unknown risk exposure to our business and information. In addition, cyber security threats may pose a significant risk to our third-party partners and could have a material adverse impact on their businesses, operations, products, and services that we use in our day-to-day operations. 7 7 7 7 7 7 Table of Contents Table of Contents Table of Contents The current cyber threat environment indicates increased risk for all companies, including those in industrial automation and information technology. Like other global companies, we have experienced cyber threats and incidents, although none have been material or had a material adverse effect on our business or financial condition. Our information security efforts, under the leadership of our Chief Information Security Officer and Chief Product Security Officer, with the support of the entire management team, include major programs designed to address security governance and risk, product security, identification and protection of critical assets, insider risk, third-party risk, security awareness, and cyber defense operations. We believe these measures reduce, but cannot eliminate, the risk of a cybersecurity incident. Any significant security incidents could have an adverse impact on sales, harm our reputation, and cause us to incur legal liability and increased costs to address such events and related security concerns. **Current (2024):** We rely heavily on technology in our commercial product offerings for use in our customers' manufacturing environment, and in our enterprise infrastructure. Despite the implementation of security measures, our systems are vulnerable to unauthorized access by nation states, hackers, cyber-criminals, malicious insiders, and other actors who may engage in fraud, theft of confidential or proprietary information, or sabotage. Our systems could be compromised by malware (including ransomware), cyber-attacks, and other events, ranging from widespread, non-targeted, global cyber threats to targeted advanced persistent threats. Given our commercial product offerings can be used in critical infrastructure and critical manufacturing, these threats could indicate increased risk for our commercial product offerings, manufacturing, and IT infrastructure. The current cyber threat environment indicates increased risk for all companies, including those in industrial automation and information technology. Like other global companies, we have experienced cyber threats and incidents, although none have been material or had a material adverse effect on our business or financial condition. Our information security efforts include programs designed to address security governance, compliance, risk management, secure development and engineering, data protection, insider risk, third-party risk, security awareness, access management, incident response, and security operations in support of enterprise security and product security. We believe these measures reduce, but cannot eliminate, the risk of a cybersecurity incident internally or externally. Any significant security incidents could have an adverse impact on sales, harm our reputation, and cause us to incur legal liability and increased costs to address such events and related security concerns. Product and Services Security Our hardware and software products, services and solutions are used by our direct and indirect customers in applications that may be subject to information theft, tampering, sabotage, or cyber-attacks. Careless or malicious actors could cause a customer's process to be disrupted or could cause equipment to operate in an improper manner, resulting in harm to people or property. To a significant extent, the security of our customers' systems depends on how those systems are designed, installed, protected, configured, updated, and monitored, and much of this is typically outside our control. In addition, both software and hardware supply chains can introduce security vulnerabilities into many technologies across the industry. Past global cyber-attacks have also been perpetuated by compromising software updates in widely used software products, posing the risk that vulnerabilities or malicious content could be inserted into our products. In some cases, it is possible that malware attacks could spread throughout the supply chain, moving from one company to the next via authorized network connections. We have designed a Secure Development Lifecycle Program that incorporates appropriate security activities into the necessary development and support practices for our commercial product offerings. The Secure Development Lifecycle Program is audited annually by third-party firms. Our Third-Party Risk Program manages risk posed by our suppliers used in the development of our commercial product offerings. While we continue to improve the security attributes of our commercial product offerings, we can reduce risk, but not eliminate it. Enterprise Security Our business uses technology resources across a dispersed, global basis for a variety of functions including development, engineering, manufacturing, sales, accounting and financial reporting, and human resources. Our vendors, partners, employees, and customers have access to, and share, information across multiple locations via various digital technologies. In addition, we rely on partners and vendors, including cloud providers, for a wide range of products and outsourced activities as part of our internal IT infrastructure and our commercial product offerings. Secure connectivity is important to these ongoing operations. Also, our partners and vendors frequently have access to our confidential information as well as confidential information about our customers, employees, and others. We design our security architecture to reduce the risk that a compromise of our partners' infrastructure, for example a cloud platform, could lead to a compromise of our internal systems or customer networks. In addition, our Third-Party Risk Program manages risk posed by our suppliers that have access to our confidential information, systems, or network, but this risk cannot be eliminated and vulnerabilities at third parties could result in unknown risk exposure to our business and information. In addition, cybersecurity threats may pose a significant risk to our third-party partners and could have a material adverse impact on their businesses, operations, products, and services that we use in our day-to-day operations. 7 7 7 7 7 7 Table of Contents Table of Contents Table of Contents --- *Data sourced from SEC EDGAR. Last updated 2026-05-10.*