--- ticker: URI company: URI filing_type: 10-K year_current: 2025 year_prior: 2024 risks_added: 5 risks_removed: 2 risks_modified: 4 risks_unchanged: 31 source: SEC EDGAR url: https://riskdiff.com/uri/2025-vs-2024/ markdown_url: https://riskdiff.com/uri/2025-vs-2024/index.md generated: 2026-06-01 --- # URI: 10-K Risk Factor Changes 2025 vs 2024 > Source: U.S. Securities and Exchange Commission (EDGAR) > Generated: 2026-06-01 > All data extracted directly from official filings. No hallucinated content. ## Summary | Status | Count | |--------|-------| | New risks added | 5 | | Risks removed | 2 | | Risks modified | 4 | | Unchanged | 31 | --- ## New in Current Filing: Disruptions in our or our third-party vendors' information technology systems could adversely affect our operating results by limiting our ability to effectively monitor and control our operations, adjust to changing market conditions, implement strategic initiatives or support our online ordering system. We rely on the continuous and uninterrupted performance of our and our third-party vendors' information technology systems to be able to monitor and control our operations, adjust to changing market conditions, implement strategic initiatives and support our online ordering system. These systems may be subject to interruptions due to technological errors, bugs, defects or vulnerabilities, system capacity constraints, human errors, computer or communications failures, power loss, disruptions during upgrades or replacements of software or hardware or integrations of acquired businesses systems, adverse acts of nature and other unexpected events. Disruptions to our customers' information technology systems could also adversely impact us. Any disruptions in these systems or the failure of these systems to operate as expected have in the past adversely affected, and could in the future adversely affect, our ability to access and use certain applications and could, depending on the nature and magnitude of the problem, adversely affect our operating results by limiting our ability to effectively monitor and control our operations, adjust to changing market conditions, implement strategic initiatives and service online orders. Although such disruptions and failures have not been material to date, we cannot guarantee that they will not be material in the future. --- ## New in Current Filing: Failure to comply with data privacy and protection laws and regulations could subject us to legal liability and adversely affect our reputation and our financial performance. We collect, use, process, and store proprietary information and personal, sensitive, or confidential data relating to our business, customers, and employees. Privacy laws and similar regulations in many jurisdictions where we do business require that we take significant steps to safeguard that information, and these laws and regulations continue to evolve. New laws may add a broad array of requirements on how we handle or use information, increase our compliance obligations and impose new and greater monetary fines for privacy violations. For example, the European Union's ("EU") General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR") has stringent data protection requirements and provides for significant penalties. Non-compliance could lead to lower revenues, increased costs (including fines, which could be significant) and other material adverse effects on our results of operations. Countries such as the United Kingdom (the "UK") have implemented the GDPR through their own legislation and other countries in which we operate have proposed or adopted their own data protection legislation. In addition, in the United States, a growing number of states have enacted different laws regarding personal information and privacy that impose significant new requirements on consumer personal information. Although we monitor and assess the impact of these laws and regulations, and regularly update our systems to protect our data and comply with these laws, their interpretation and enforcement are uncertain and subject to change, and may require substantial costs to monitor and implement. Failure to comply with data privacy and protection laws and regulations could also result in government enforcement actions (which could include substantial civil and/or criminal penalties) and private litigation, which could adversely affect our reputation and financial performance. These laws and regulations are broad in scope, complex, and subject to evolving interpretations and increasing enforcement, and we have incurred costs to monitor compliance and have altered our practices, and may have to do so again in the future. Moreover, certain new and existing data privacy laws and regulations diverge and conflict with each other in certain respects, which makes compliance increasingly difficult. Complying with new regulatory requirements has in the past required, and could in the future require, us to incur substantial expenses or require us to change our business practices, either of which could harm our business. As regulators have become increasingly focused on information security, data collection and use and privacy, we may be required to devote significant additional resources to modify and enhance our information security controls and to identify and remediate vulnerabilities, which could adversely impact our results of operations and profitability. --- ## New in Current Filing: Severe weather events or other natural occurrences may materially adversely impact our operations and markets. As severe weather events and other natural occurrences become increasingly common, our or our customers' operations may be disrupted, which could result in increased operational costs or reduced demand for our products and services, and the increased incidence of severe weather and other natural occurrences may also reduce the availability or increase the cost of insurance for such events. In addition, severe weather events and other natural occurrences may impact the global economy, including as a result of disruptions to supply chains. While we have invested in the administration of programs and physical loss prevention improvements to mitigate the risk of natural disasters causing disruption to our ability to serve our customers and communities in times of need, extended periods of disruptions could have an adverse effect on our results of operations. We anticipate that these risks will increase over time. --- ## New in Current Filing: Regulators' and stakeholders' requirements and expectations on environmental, social and sustainability-related topics continue to evolve and diverge, and our ability to meet these requirements and expectations may have a material adverse impact on our results of operations. Environmental and social topics, such as climate change and diversity, as well as companies' actions and initiatives on such issues, have received significant attention from a wide range of stakeholders. The U.S. federal government, U.S. states and certain other countries and regions have adopted or are considering legislation, regulation or policies on these topics, including the imposition of caps or taxes on greenhouse gas emissions from certain sectors or facility categories, disclosure of corporate greenhouse gas emissions, and limitations on diversity, equity and inclusion programs. Compliance with such laws, regulations or policies, including any that may be adopted in the future, could, among other things, increase the costs of operating our businesses, reduce the demand for our products and services and impact the prices we charge our customers, any or all of which could adversely affect our results of operations. In addition, policymakers in some jurisdictions have adopted or proposed laws, regulations and policies that diverge from, or potentially conflict with, those in other jurisdictions. Failure to comply with any legislation, regulation or policy, including as a result of making good faith interpretations that may differ from those taken by enforcement authorities in relevant jurisdictions, could potentially result in substantial fines, criminal sanctions, reputational harm or operational changes. Moreover, our customers, stockholders, employees and other stakeholders have diverse expectations, demands and perspectives on these topics, which are continuing to evolve. We may not be able to meet the diverse expectations and demands of all of our stakeholders, which could result in adverse publicity, harm our reputation, lead to claims against us and affect our relationships with our customers and employees, and subject us to legal and operational risks, any of which could have a material adverse effect on our business. 19 19 19 Table of Contents Table of Contents --- ## New in Current Filing: Changes to income tax laws or regulations in the U.S. and other jurisdictions where we operate could increase our tax liability and adversely impact our financial results. We are subject to income taxes in the U.S. and other jurisdictions where we operate. Changes to income tax laws and regulations in any of the jurisdictions where we operate could adversely affect our overall tax liability and adversely impact our financial results. In addition, we are subject to tax audits in the various jurisdictions in which we operate. Given the complexity of the current and changing tax laws and regulations, tax authorities may disagree with certain positions we have taken, or may in the future take, and assess additional taxes, which could have a material impact on our effective tax rate and adversely impact our financial results and cash flows. --- ## No Match in Current: Disruptions in our supply chain could result in adverse effects on our results of operations and financial performance. *This section from the 2024 filing does not have a high-confidence textual match in 2025. It may have been removed, merged, or substantially reworded.* Supply chain disruptions could impact our ability to obtain equipment and other supplies for our business from our key suppliers on acceptable terms or at all. To date, our supply chain disruptions have been limited, but we may experience more severe supply chain disruptions in the future or supplier inability to manufacture or deliver equipment or parts. Any suspension or delay in our suppliers' ability to provide us adequate equipment or supplies, or in our ability to procure equipment or supplies from other sources in a timely manner or at all, could impair our ability to meet customer demand and therefore could have a material adverse effect on our business, financial condition or results of operations. 17 17 17 Table of Contents Table of Contents --- ## No Match in Current: Climate change, climate change regulations and greenhouse effects may materially adversely impact our operations and markets. *This section from the 2024 filing does not have a high-confidence textual match in 2025. It may have been removed, merged, or substantially reworded.* Climate change and its association with greenhouse gas emissions is receiving increased attention from the scientific and political communities. The U.S. federal government, certain U.S. states and certain other countries and regions have adopted or are considering legislation or regulation imposing overall caps or taxes on greenhouse gas emissions from certain sectors or facility categories. Such new laws or regulations, or stricter enforcement of existing laws and regulations, could increase the costs of operating our businesses, reduce the demand for our products and services and impact the prices we charge our customers, any or all of which could adversely affect our results of operations. Failure to comply with any legislation or regulation could potentially result in substantial fines, criminal sanctions or operational changes. Moreover, even without such legislation or regulation, the perspectives of our customers, stockholders, employees and other stakeholders regarding climate change are continuing to evolve, and increased awareness of, or any adverse publicity regarding, the effects of greenhouse gases could harm our reputation or reduce customer demand for our products and services. Additionally, as severe weather events become increasingly common, our or our customers' operations may be disrupted, which could result in increased operational costs or reduced demand for our products and services, and climate change may also reduce the availability or increase the cost of insurance for weather-related events. In addition, climate change may impact the global economy, including as a result of disruptions to supply chains. While we have invested in the administration of programs and physical loss prevention improvements to mitigate the risk of natural disasters causing disruption to our ability to serve our customers and communities in times of need, extended periods of disruptions could have an adverse effect on our results of operations. We anticipate that climate change-related risks will increase over time. --- ## Modified: We cannot guarantee that we will repurchase our common stock pursuant to our share repurchase program or that our share repurchase program will enhance long-term stockholder value. Share repurchases could also increase the volatility of the price of our common stock and could diminish our cash reserves. **Key changes:** - Reworded sentence: "In January 2024, our Board of Directors authorized a share repurchase program, under which we are authorized to repurchase shares of common stock for an aggregate purchase price not to exceed $1.5 billion, excluding fees, commissions and other ancillary expenses." - Reworded sentence: "The repurchase program may be limited, suspended or discontinued at any time without prior notice." - Reworded sentence: "Additionally, our share repurchase program could diminish our cash reserves, which may impact our ability to finance future growth, to continue to pay a dividend and to pursue possible future strategic opportunities and acquisitions." - Reworded sentence: "Although our share repurchase program is intended to enhance long-term stockholder value, there is no assurance that it will do so and short-term stock price fluctuations could reduce the program's effectiveness." **Prior (2024):** In October 2022, our Board of Directors authorized a share repurchase program. Under the program, we are authorized to repurchase shares of common stock for an aggregate purchase price not to exceed $1.25 billion, excluding fees, commissions and other ancillary expenses. We have completed $1.0 billion of repurchases under the program as of December 31, 2023, and expect to complete the program in the first quarter of 2024. On January 24, 2024, our Board of Directors authorized a new $1.5 billion share repurchase program. We plan to begin repurchases under the new program following the planned completion of the existing $1.25 billion share repurchase program in the first quarter of 2024, and intend to purchase $1.25 billion under the new program in 2024 and then complete the program by the end of the first quarter of 2025. Although the Board of Directors has authorized the share repurchase programs, the share repurchase programs do not obligate the Company to repurchase any specific dollar amount or to acquire any specific number of shares. The timing and amount of repurchases, if any, will depend upon several factors, including market and business conditions, the trading price of the Company's common stock and the nature of other investment opportunities. In August 2022, Congress passed the Inflation Reduction Act, which imposes a one percent tax on stock repurchases, subject to certain adjustments, after December 31, 2022 by publicly traded U.S. companies, including us, which may also impact our decision to engage in share repurchases. Also, our ability to repurchase shares of stock may be limited by restrictive covenants in our debt agreements. The repurchase programs may be limited, suspended or discontinued at any time without prior notice. In addition, repurchases of our common stock pursuant to our share repurchase programs could affect our stock price and increase its volatility. The existence of a share repurchase program could cause our stock price to be higher than it would be in the absence of such a program and could potentially reduce the market liquidity for our stock. Additionally, our share repurchase programs could diminish our cash reserves, which may impact our ability to finance future growth, to continue to pay a dividend and to pursue possible future strategic opportunities and acquisitions. There can be no assurance that any share repurchases will enhance stockholder value because the market price of our common stock may decline below the levels at which we repurchased shares of stock. Although our share repurchase programs are intended to enhance long-term stockholder value, there is no assurance that they will do so and short-term stock price fluctuations could reduce the program's effectiveness. **Current (2025):** In January 2024, our Board of Directors authorized a share repurchase program, under which we are authorized to repurchase shares of common stock for an aggregate purchase price not to exceed $1.5 billion, excluding fees, commissions and other ancillary expenses. We have completed $1.25 billion of repurchases under the program as of December 31, 2024. We have paused repurchases under the program due to our pending acquisition of H&E. As discussed in note 19 to the consolidated financial statements, on January 13, 2025, we entered into a definitive merger agreement to acquire H&E, which is expected to close in the first quarter of 2025. We currently intend to complete the share repurchase program; however, we will re-evaluate the timing over which we expect to do so as we integrate H&E and assess other potential uses of capital, including paying down debt. Although the Board of Directors has authorized the share repurchase program, the share repurchase program does not obligate us to repurchase any specific dollar amount or to acquire any specific number of shares. The timing and amount of repurchases, if any, will depend upon several factors, including market and legislative conditions, the trading price of the Company's common stock and the nature of other investment opportunities. For example, the Inflation Reduction Act imposes a one percent tax on stock repurchases, subject to certain adjustments, by publicly traded U.S. companies, including us, and may impact our decision to engage in share repurchases. Also, our ability to repurchase shares of stock may be limited by restrictive covenants in our debt agreements. The repurchase program may be limited, suspended or discontinued at any time without prior notice. In addition, repurchases of our common stock pursuant to our share repurchase program could affect our stock price and increase its volatility. The existence of a share repurchase program could cause our stock price to be higher than it would be in the absence of such a program and could potentially reduce the market liquidity for our stock. Additionally, our share repurchase program could diminish our cash reserves, which may impact our ability to finance future growth, to continue to pay a dividend and to pursue possible future strategic opportunities and acquisitions. There can be no assurance that any share repurchases will enhance stockholder value because the market price of our common stock may decline below the levels at which we repurchased shares of stock. Although our share repurchase program is intended to enhance long-term stockholder value, there is no assurance that it will do so and short-term stock price fluctuations could reduce the program's effectiveness. --- ## Modified: The amount of borrowings permitted under our ABL facility and the accounts receivable securitization facility may fluctuate significantly, which may adversely affect our liquidity, results of operations and financial position. **Key changes:** - Reworded sentence: "The amount of borrowings permitted at any time under our ABL facility and the accounts receivable securitization facility is limited to a periodic borrowing base valuation of the collateral thereunder." **Prior (2024):** The amount of borrowings permitted at any time under our ABL facility is limited to a periodic borrowing base valuation of the collateral thereunder. As a result, our access to credit under our ABL facility is potentially subject to significant fluctuations depending on the value of the borrowing base of eligible assets as of any measurement date, as well as certain discretionary rights of the agent in respect of the calculation of such borrowing base value. The inability to borrow under our ABL facility, or limitations on the amounts we can borrow under our ABL facility, may adversely affect our liquidity, results of operations and financial position. **Current (2025):** The amount of borrowings permitted at any time under our ABL facility and the accounts receivable securitization facility is limited to a periodic borrowing base valuation of the collateral thereunder. As a result, our access to credit under our ABL facility and the accounts receivable securitization facility is potentially subject to significant fluctuations depending on the value of the borrowing base of eligible assets as of any measurement date, and, in the case of the ABL facility, certain discretionary rights of the agent in respect of the calculation of such borrowing base value. The inability to borrow under our ABL facility and/or the accounts receivable securitization facility, or limitations on the amounts we can borrow under our ABL facility and/or the accounts receivable securitization facility, may adversely affect our liquidity, results of operations and financial position. --- ## Modified: We are subject to risks related to our ability to meet our aspirational sustainability and safety goals, including our greenhouse gas intensity reduction goal, which, if not achieved, could damage our reputation and have an adverse effect on our financial performance. **Key changes:** - Reworded sentence: "Although we have announced aspirational sustainability and safety goals, including our greenhouse gas intensity reduction goal, our efforts to provide more low- and zero-emissions equipment to our customers and our efforts to provide customers with tools to monitor and manage their environmental impacts, there can be no assurance that our shareholders and other stakeholders will agree with our goals and strategies or be satisfied with our efforts to attain such goals." **Prior (2024):** Although we have announced environmental and social goals, including our greenhouse gas intensity reduction goal, our efforts to provide more low- and zero-emissions equipment to our customers and our efforts to provide customers with tools to monitor and manage their environmental impacts, there can be no assurance that our shareholders and other stakeholders will agree with our goals and strategies or be satisfied with our efforts to attain such goals. Moreover, any perception, whether or not valid, that we have failed to act responsibly with respect to such matters, failed to achieve our goals or failed to effectively respond to new or additional legal or regulatory requirements regarding climate change, could adversely affect our business and reputation. Execution of our environmental and social goals is subject to numerous risks and uncertainties, many of which are outside of our control, including, but not limited to, our ability to achieve our goals within the expected timeframes and the currently projected cost ranges; the availability and cost of renewable energy; the availability and cost of low- and zero-emissions equipment and vehicles for our rental fleet; the availability and cost of low- and zero-emissions vehicles for our sales, service and delivery non-rental fleet; compliance with global and regional regulations, taxes, charges, mandates or requirements relating to greenhouse gas emissions, carbon costs or climate-related goals; adapting products to customer preferences and customer acceptance of low- and zero-emissions equipment; the accuracy of the assumptions used to estimate customers' emissions in our emissions tracking tool in Total ControlĀ®; and the actions of competitors and competitive pressures. As a result, there is no assurance that we will be able to successfully achieve our environmental and social goals, which could damage our reputation and customer and other stakeholder relationships and have an adverse effect on our business, results of operations and financial condition. 19 19 19 Table of Contents Table of Contents **Current (2025):** Although we have announced aspirational sustainability and safety goals, including our greenhouse gas intensity reduction goal, our efforts to provide more low- and zero-emissions equipment to our customers and our efforts to provide customers with tools to monitor and manage their environmental impacts, there can be no assurance that our shareholders and other stakeholders will agree with our goals and strategies or be satisfied with our efforts to attain such goals. Moreover, any perception, whether or not valid, that we have failed to act responsibly with respect to such matters, failed (or may fail) to achieve our goals or to effectively respond to new or additional legal or regulatory requirements, could adversely affect our business, reputation and exposure to legal risks. Our ability to execute on our aspirational sustainability and safety goals is subject to numerous risks and uncertainties, many of which are outside of our control, including, but not limited to, our ability to achieve our goals within the expected timeframes and the currently projected cost ranges; the availability and cost of renewable energy; the availability and cost of low- and zero-emissions equipment and vehicles for our rental fleet; the availability and cost of low- and zero-emissions vehicles for our sales, service and delivery non-rental fleet; compliance with global and regional regulations, taxes, charges, mandates or requirements relating to greenhouse gas emissions, carbon costs or climate-related goals; adapting products to customer preferences and customer acceptance of low- and zero-emissions equipment; the accuracy of the assumptions used to estimate customers' emissions in our emissions tracking tool in Total ControlĀ®; and the actions of competitors and competitive pressures. As a result, there is no assurance that we will be able to successfully achieve our aspirational sustainability and safety goals, which could damage our reputation and customer and other stakeholder relationships and have an adverse effect on our business, results of operations and financial condition. --- ## Modified: Our financial performance and our reputation could be adversely affected, and we could be subject to legal liability or regulatory enforcement actions, if we are unable to protect against, or effectively respond to, cyberattacks or other cyber incidents. **Key changes:** - Reworded sentence: "We depend on the security of our and our third-party vendors' information technology systems to support numerous business processes and activities, including our online ordering system." - Reworded sentence: "However, we may not anticipate or combat all types of future attacks until after they have been launched, and there is no guarantee that the measures we take will be adequate to safeguard against all threats." - Reworded sentence: "Certain of our software applications are also hosted by third parties who provide outsourced administrative functions, which may increase the risk of a cybersecurity incident." - Removed sentence: "Certain of our software applications are also utilized by third parties who provide outsourced administrative functions, which may increase the risk of a cybersecurity incident." - Added sentence: "18 18 18 Table of Contents Table of Contents" **Prior (2024):** We rely on our information technology systems to be able to monitor and control our operations, adjust to changing market conditions, implement strategic initiatives and support our online ordering system. Any disruptions in these systems or the failure of these systems to operate as expected have in the past adversely affected, and could in the future adversely affect, our ability to access and use certain applications and could, depending on the nature and magnitude of the problem, adversely affect our operating results by limiting our ability to effectively monitor and control our operations, adjust to changing market conditions, implement strategic initiatives and service online orders. Although such disruptions and failures have not been material to date, we cannot guarantee that they will not be material in the future. In addition, the security measures we employ to protect our systems have in the past not detected or prevented, and may in the future not detect or prevent, all attempts to hack our systems, denial-of-service attacks, viruses, malicious software (malware), employee error or malfeasance, phishing attacks, security breaches, disruptions during the process of upgrading or replacing computer software or hardware or integrating systems of acquired businesses or assets or other attacks and similar disruptions that may jeopardize the security of information stored in or transmitted by the sites, networks and systems that we otherwise maintain, which include cloud-based networks and data center storage. We have, from time to time, experienced threats to and breaches of our data and systems, including malware and computer virus attacks. We are continuously developing and enhancing our controls, processes and practices designed to protect our systems, computers, software, data and networks from attack, damage, or unauthorized access. This continued development and enhancement requires us to expend significant resources. However, we may not anticipate or combat all types of future attacks until after they have been launched. If any of these breaches of security occur or are anticipated in the future, we could be required to expend additional capital and other resources, including costs to deploy additional personnel and protection technologies, train employees and engage third-party experts and consultants. Our response to attacks, and our investments in our technology and our controls, processes and practices, may not be sufficient to shield us from significant losses or liability. Further, given the increasing sophistication of bad actors and complexity of the techniques used to obtain unauthorized access or disable systems, a breach or attack could potentially persist for an extended period of time before being detected. As a result, we may not be able to anticipate the attack or respond adequately or timely, and the extent of a particular incident, and the steps that we may need to take to investigate the incident, may not be immediately clear. It could take a significant amount of time before an investigation can be completed and full, reliable information about the incident becomes known. During an investigation, it is possible we may not necessarily know the extent of the harm or how to remediate it, which could further adversely impact us, and new regulations could result in us being required to disclose information about a material cybersecurity incident before it has been mitigated or resolved, or even fully investigated. We also face cybersecurity risks due to our reliance on internet technology and hybrid work arrangements, which could strain our technology resources or create additional opportunities for cybercriminals to exploit vulnerabilities. In addition, because our systems sometimes contain information about individuals and businesses, our failure to appropriately maintain the security of the data we hold, whether as a result of our own error or the malfeasance or errors of others, have led, and could in the future lead, to disruptions in our online ordering system or other data systems, and could lead to unauthorized release of confidential or otherwise protected information or corruption of data. Our failure to appropriately maintain the security of the data we hold could also violate applicable privacy, data security and other laws and subject us to lawsuits, fines and other means of regulatory enforcement. Regulators have been imposing new data privacy and security requirements, including new and greater monetary fines for privacy violations. For example, the European Union's ("EU") General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR") has stringent data protection requirements and provides for significant penalties. Non-compliance with the GDPR could lead to lower revenues, increased costs (including fines, which could be significant) and other material adverse effects on our results of operations. In addition, countries such as 18 18 18 Table of Contents Table of Contents the United Kingdom (the "UK") have implemented the GDPR through their own legislation. Other countries, including the U.S., have proposed or adopted their own data protection legislation. These laws and regulations are broad in scope and subject to evolving interpretations and increasing enforcement, and we have incurred costs to monitor compliance and have altered our practices, and may have to do so again in the future. Moreover, certain new and existing data privacy laws and regulations could diverge and conflict with each other in certain respects, which makes compliance increasingly difficult. Complying with new regulatory requirements has in the past required, and could in the future require, us to incur substantial expenses or require us to change our business practices, either of which could harm our business. As regulators have become increasingly focused on information security, data collection and use and privacy, we may be required to devote significant additional resources to modify and enhance our information security controls and to identify and remediate vulnerabilities, which could adversely impact our results of operations and profitability. Any compromise or breach of our systems could result in adverse publicity, harm our reputation, lead to claims against us and affect our relationships with our customers and employees, any of which could have a material adverse effect on our business. Certain of our software applications are also utilized by third parties who provide outsourced administrative functions, which may increase the risk of a cybersecurity incident. Although we maintain insurance coverage for various cybersecurity risks, there can be no guarantee that all costs or losses incurred will be fully insured. **Current (2025):** We depend on the security of our and our third-party vendors' information technology systems to support numerous business processes and activities, including our online ordering system. There are numerous cybersecurity risks to these systems, including individual and group criminal hackers, industrial espionage, man-in-the-middle and denial of service attacks, viruses, malicious software (malware), employee error or malfeasance and phishing attacks. We also face cybersecurity risks due to our reliance on internet technology and hybrid work arrangements, which could strain our technology resources or create additional opportunities for cybercriminals to exploit vulnerabilities. Cyber threats are constantly evolving, especially given the advances in, and the rise of the use of, artificial intelligence, thereby increasing the difficulty of preventing, detecting and successfully defending against them. Successful breaches could, among other things, disrupt our operations, jeopardize the security of information stored in or transmitted by the sites, networks and systems, which include cloud-based networks and data center storage, or result in the unauthorized disclosure, theft and misuse of company, customer, and employee sensitive and confidential information. If this were to occur, we could be in violation of applicable privacy, data security and other laws, subjected to regulatory enforcement actions and private litigation, and our reputation and financial performance may be adversely affected. Although we employ security measures to protect our data and systems, and, to our knowledge, so do our third-party vendors, these measures have in the past not detected or prevented, and may in the future not detect or prevent, all attempts to infiltrate our systems. We have, from time to time, experienced threats to and breaches of our data and systems, including malware and computer virus attacks, which have led, and could in the future lead to, disruptions in our online ordering or other systems, or the unauthorized release of confidential or otherwise protected information or corruption of data. We continuously develop and enhance our controls, processes and practices to protect our systems, computers, software, data and networks from attack, damage, vulnerabilities or unauthorized access. This continued development and enhancement requires us to expend significant resources. However, we may not anticipate or combat all types of future attacks until after they have been launched, and there is no guarantee that the measures we take will be adequate to safeguard against all threats. If any of these breaches of security occur or are anticipated in the future, we could be required to expend additional capital and other resources, including costs to deploy additional personnel and protection technologies, train employees and engage third-party experts and consultants. Our response to attacks, and our investments in our technology and our controls, processes and practices, may not be sufficient to shield us from significant losses or liability. Further, given the increasing sophistication of bad actors and complexity of the techniques used to obtain unauthorized access or disable systems, a breach or attack could potentially persist for an extended period of time before being detected. As a result, we may not be able to anticipate the attack or respond adequately or timely, and the extent of a particular incident, and the steps that we may need to take to investigate the incident, may not be immediately clear. It could take a significant amount of time before an investigation can be completed and full, reliable information about the incident becomes known. During an investigation, it is possible we may not necessarily know the extent of the harm or how to remediate it, which could further adversely impact us, and new regulations could result in us being required to disclose information about a material cybersecurity incident before it has been mitigated or resolved, or even fully investigated. Certain of our software applications are also hosted by third parties who provide outsourced administrative functions, which may increase the risk of a cybersecurity incident. Any compromise or breach of our systems could result in adverse publicity, harm our reputation, lead to claims against us and affect our relationships with our customers and employees, any of which could have a material adverse effect on our business. Although we maintain insurance coverage for various cybersecurity risks, there can be no guarantee that all costs or losses incurred will be fully insured. 18 18 18 Table of Contents Table of Contents --- *Data sourced from SEC EDGAR. Last updated 2026-06-01.*