Walmart Inc.: 10-K Risk Factor Changes

In addition to our U.S. operations, we operate retail and eCommerce businesses in Africa, Canada, Central America, Chile, China, India and Mexico. During fiscal 2024, our Walmart International operations generated approximately 18% of our consolidated net sales. Walmart International's operations in various countries also source goods and services from other countries. Our future operating results in these countries could be negatively affected by a variety of factors, most of which are beyond our control. These factors include political conditions, including political instability, local and global economic conditions, legal and regulatory constraints, such as regulation of product and service offerings including regulatory restrictions (such as foreign ownership restrictions) on eCommerce and retail operations in international markets, such as India, restrictive governmental actions (such as trade protection measures or nationalization), antitrust and competition law regulatory matters (such as those underway in Canada, Mexico and India (relating to our Flipkart subsidiary)), local product safety and environmental laws, tax regulations, local labor laws, anti-money laundering laws and regulations, trade policies, foreign exchange or currency regulations, laws and regulations regarding consumer and data protection, and other matters in any of the countries or regions in which we operate, now or in the future. Changing our operations in accordance with new or changed restrictions on international trade or newly imposed sanctions can be expensive, time-consuming and disruptive to our operations, and such restrictions can be announced with little or no advance notice and we may not be able to effectively mitigate all adverse impacts from such measures. In addition, tensions between nation-state governments and conflicts of laws may lead to challenges for our operations. If disputes and conflicts further escalate in the future, actions by governments in response could be significantly more severe and restrictive and could adversely affect our business or financial performance and our reputation. Political uncertainty surrounding trade and other international disputes could also have a negative effect on consumer confidence and spending, which could also adversely affect our business or financial performance and our reputation. The economies of some of the countries in which we have operations have in the past suffered from high rates of inflation and currency devaluations, which, if they recur, could adversely affect our financial performance. Other factors which may impact our international operations include foreign trade, monetary and fiscal policies of the U.S. and of other countries, laws, regulations and other activities of foreign governments, agencies and similar organizations, and risks associated with having numerous facilities located in countries that have historically been less stable than the U.S. Additional risks inherent in our international operations generally include, among others, the costs and difficulties of managing international operations, adverse tax consequences and greater difficulty in enforcing intellectual property rights in countries other than the U.S. The various risks inherent in doing business in the U.S. generally also exist when doing business outside of the U.S., and may be exaggerated by the difficulty of doing business in numerous sovereign jurisdictions due to differences in culture, geopolitical tensions or events, laws and regulations. In foreign countries in which we have operations, a risk exists that our associates, contractors or agents could, in contravention of our policies, engage in business practices prohibited by U.S. laws and regulations applicable to us, such as the Foreign Corrupt Practices Act or U.S. sanctions laws and regulations or the laws and regulations of other countries. We maintain global policies which appropriately regulate such business practices and have in place global compliance programs designed to ensure compliance with these laws and regulations. Nevertheless, we remain subject to the risk that one or more of our associates, contractors or agents, including those based in or from countries where practices that violate such U.S. laws and regulations or the laws and regulations of other countries may be customary, will engage in business practices that are appropriately regulated by our policies, circumvent our compliance programs and, by doing so, violate such laws and regulations. Any such violations, even if prohibited by our internal policies, could subject us to fines and penalties and adversely affect our business or financial performance and our reputation. 24 24 24

In addition to our U.S. operations, we operate retail and eCommerce businesses in Africa, Canada, Central America, Chile, China, India and Mexico. During fiscal 2023, our Walmart International operations generated approximately 17% of our consolidated net sales. Walmart International's operations in various countries also source goods and services from other countries. Our future operating results in these countries could be negatively affected by a variety of factors, most of which are beyond our control. These factors include political conditions, including political instability, local and global economic conditions, legal and regulatory constraints (such as regulation of product and service offerings including regulatory restrictions (such as foreign ownership restrictions) on eCommerce and retail operations in international markets, such as India), restrictive governmental actions (such as trade protection measures or nationalization), antitrust and competition law regulatory matters (such as the competition investigations currently underway in Mexico related to our subsidiary Wal-Mart de Mexico, in Canada related to our subsidiary Wal-Mart Canada and competition proceedings in India related to our Flipkart subsidiary), local product safety and environmental laws, tax regulations, local labor laws, anti-money laundering laws and regulations, trade policies, foreign exchange or currency regulations, laws and regulations regarding consumer and data protection, and other matters in any of the countries or regions in which we operate, now or in the future. The economies of some of the countries in which we have operations have in the past suffered from high rates of inflation and currency devaluations, which, if they occurred again, could adversely affect our financial performance. Other factors which may impact our international operations include foreign trade, monetary and fiscal policies of the U.S. and of other countries, laws, regulations and other activities of foreign governments, agencies and similar organizations, and risks associated with having numerous facilities located in countries that have historically been less stable than the U.S. Additional risks inherent in our international operations generally include, among others, the costs and difficulties of managing international operations, adverse tax consequences and greater difficulty in enforcing intellectual property rights in countries other than the U.S. The various risks inherent in doing business in the U.S. generally also exist when doing business outside of the U.S., and may be exaggerated by the difficulty of doing business in numerous sovereign jurisdictions due to differences in culture, geopolitical tensions or events, laws and regulations. In foreign countries in which we have operations, a risk exists that our associates, contractors or agents could, in contravention of our policies, engage in business practices prohibited by U.S. laws and regulations applicable to us, such as the Foreign Corrupt Practices Act or the laws and regulations of other countries. We maintain a global policy prohibiting such business practices and have in place a global anti-corruption compliance program designed to ensure compliance with these laws and regulations. Nevertheless, we remain subject to the risk that one or more of our associates, contractors or agents, including those based in or from countries where practices that violate such U.S. laws and regulations or the laws and regulations of other countries may be customary, will engage in business practices that are prohibited by our policies, circumvent our compliance 23 23 23 programs and, by doing so, violate such laws and regulations. Any such violations, even if prohibited by our internal policies, could adversely affect our business or financial performance and our reputation.

Like most retailers, we process in our information systems personal information and/or payment information about our customers and members, and we also process information concerning our associates and vendors. In addition, our health and wellness business operations, the Walmart Health locations, and third-party service providers who handle information on our behalf, store and maintain personal health information. Some of this information is stored digitally in connection with the digital platforms and technologies that we use to conduct and facilitate our various businesses. We utilize third-party service providers for a variety of reasons, including, without limitation, for digital storage technology, compute capacity, content delivery to customers and members, back-office support and other functions. Such providers may have access to information we hold about our customers, members, associates, business partners or vendors. In addition, our eCommerce operations depend upon the secure transmission of confidential information over public networks, including information permitting cashless payments. Cyber threats are rapidly evolving and those threats and the means for disrupting or obtaining access to information systems or information stored in digital and other storage media are becoming increasingly sophisticated and frequent, and in some cases, they may lead to successful attacks. Unauthorized activities directed against information systems and devices, whether our own or those of our third-party service providers and vendors, have resulted in cybersecurity incidents, including malware, ransomware, denial of service attacks or phishing incidents. We expect that our information systems and those of our third-party service providers, vendors and suppliers will continue to experience such attempted attacks in the future, which could include disruptions to our supply chain system. Cyberattacks and threat actors can be sponsored by particular nation-states, or be the work of sophisticated criminal organizations, insiders (including our associates or contractors) or third parties, each with a wide-range of motives and expertise. We and the businesses with which we interact have experienced and continue to experience incidents and threats to data and information systems. These incidents and threats have included and are likely to continue to include both random and targeted cyberattacks, computer viruses, phishing incidents, worms, bot attacks, ransomware or other destructive or disruptive software and attempts to misappropriate customer information, including credit card and payment information, and cause system failures and disruptions. The increased use of remote work infrastructure in recent years has also increased the possible attack surfaces to be exploited. Our logging capabilities, or the logging capabilities of third parties, are also not always complete or sufficiently detailed, affecting our ability to fully investigate and understand the scope of security events. As noted above, some of our information systems and those of our third-party service providers have experienced cybersecurity incidents or breaches and, although to date they have not had a material adverse effect on our operating results, there can be no assurance of a similar result in the future. Our digital platforms, which are increasingly important to our business and continue to grow in complexity and scope, and the systems on which they run, including those applications and systems used in legacy operations and acquired eCommerce, technology or other businesses, are regularly subject to cyberattacks. Those attacks involve attempts to impede the operations of our system or gain unauthorized access to our eCommerce websites (including marketplace platforms) or mobile commerce applications to obtain and misuse customers' or members' information including personal information and/or payment information and related risks discussed in this Item 1A. Such attacks, if successful, may result in potential data misuse and/or loss and may create denials of service or otherwise disable, degrade or sabotage the information systems that enable or support one or more of our digital platforms or otherwise significantly disrupt our customers' and members' shopping experience, our supply chain integrity and continuity and our ability to efficiently operate our business. If we are unable to maintain the security of the information systems that enable or support our digital platforms and keep them operating within acceptable parameters, we could suffer loss of sales, reductions in transactions, reputational damage and deterioration of our competitive 20 20 20 position and incur liability for any damage to customers, members or others whose personal or confidential information is unlawfully obtained and misused, any of which events could have a material adverse impact on our business and results of operations and impede the execution of our strategy for the growth of our business. Associate error or malfeasance, faulty password management, social engineering or other vulnerabilities and irregularities may also result in a defeat of our security measures or those of our third-party service providers and a compromise or breach of our or their information systems. Moreover, the hardware, software or applications that comprise our information system and networked environment may have vulnerabilities or defects of design, coding, manufacture or operations that could be intentionally exploited or inadvertently used in a manner that could compromise information security. Given the age, size and complexity of these information systems and our networked environment, patches for certain vulnerabilities may not exist and, even where patches or other risk-mitigating activities are available, the deployment of patches or execution of risk-mitigating actions may not occur before an underlying vulnerability is exploited by threat actors or inadvertently results in the compromise of our information systems or data. Any compromise of our information systems or of those of businesses with which we interact, which results in regulated data or confidential information being accessed, obtained, damaged, disclosed, destroyed, modified, lost or used by unauthorized persons could harm our reputation and expose us to regulatory actions (including, with respect to health information, liability under the Health Insurance Portability and Accountability Act of 1996, or "HIPAA"), customer attrition, remediation expenses and claims from customers, members, associates, vendors, financial institutions, payment card networks and other persons, any of which could materially and adversely affect our business operations, financial position and results of operations. Because the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems or data change frequently and may not immediately produce signs of a compromise, we may be unable to anticipate these techniques or to implement adequate preventative measures, or detect the activities of a threat actor. Even if we detect a cybersecurity incident, the nature and extent of that cybersecurity incident may not be immediately clear. Based on the sophistication of the threat actors and the size and complexity of our information systems and networked environment, among other factors, an investigation into a cybersecurity incident could take a significant amount of time to complete. We may not understand or appreciate that what is detected and treated as multiple individual cybersecurity incidents or events may be associated with the coordinated actions of a single threat actor. In addition, while our investigation of a cybersecurity incident is ongoing, we may not know the full extent of the harm caused by a threat actor, and such harm may spread both internally and to certain customers, vendors, or other third parties. These factors may inhibit our ability to provide rapid, complete and reliable information about the cybersecurity incident to customers, counterparties and regulators, as well as the public. It may also not be clear how best to contain and remediate any harm caused by the cybersecurity incident, and certain errors or actions could be repeated or compounded before they are discovered and remediated. Any or all of these factors could further increase the costs and consequences of a cybersecurity incident on our business operations, financial position and results of operations. To the extent that any cyberattack, ransomware or incursion in our or one of our third-party service provider's information systems results in the loss, damage, misappropriation or other compromise of information, we may be materially adversely affected by claims from customers, members, financial institutions, regulatory authorities, payment card networks and others. Our compliance programs, information technology and enterprise risk management efforts cannot eliminate all systemic risk. Disruptions in our systems caused by associate error or malfeasance, security incidents, breaches or cyberattacks – including attacks on those parties we do business with (such as strategic partners, suppliers, banks or utility companies) – could harm our ability to conduct our operations, which may have a material effect on us, may result in losses that could have a material adverse effect on our financial position or results of operations, or may have a cascading effect that adversely impacts our partners, third-party service providers, customers, members, financial services firms and other third parties that we interact with on a regular basis. Our reputation with our customers and members is important to the success of our enterprise strategy, which combines traditional retail, membership models, marketplaces, financial services, healthcare, and other customer and business services into a series of interconnected assets to make it seamless for customers to interact with us. Security-related events could be widely publicized and could materially adversely affect our reputation with our customers, members, associates, vendors and shareholders, could harm our competitive position particularly with respect to our eCommerce operations, and could result in a material reduction in our net sales in our eCommerce operations, as well as in our stores thereby materially adversely affecting our operations, net sales, growth rates, operating income, results of operations, financial position, cash flows and liquidity. Such events could also result in the release to the public of confidential information about our operations and financial position and performance and could result in litigation or other legal actions against us or the imposition of penalties, fines, fees or liabilities, which may not be covered by our insurance policies. Moreover, a security compromise or operationally impactful malware event, such as ransomware, could require us to devote significant management resources to address the problems created by the issue and to expend significant additional resources to upgrade further the security measures we employ to guard personal and confidential information against cyberattacks and other attempts to access or otherwise compromise such information and could result in a disruption of our operations, particularly our digital operations. 21 21 21 We accept payments using a variety of methods, including cash, checks, credit and debit cards, electronic benefits transfer (EBT) cards, mobile payments and our private label credit cards and gift cards, and we may offer new payment options over time, which may have information security risk implications. As a retailer accepting debit and credit cards for payment, we are subject to various industry data protection standards and protocols, such as payment network security operating guidelines and the Payment Card Industry Data Security Standard. We cannot be certain that the security measures we or our third-party suppliers maintain are able to detect, prevent or contain cyberattacks, cyberterrorism, security incidents, breaches or other compromises from malware, ransomware or other threats that are known or may be developed in the future. In certain circumstances, our contracts with payment card processors and payment card networks (such as Visa, Mastercard, American Express and Discover) generally require us to adhere to payment card network rules which could make us liable to payment card issuers and others if information in connection with payment cards and payment card transactions that we process is compromised, which liabilities could be substantial. Additionally, through various financial service partners and our ONE fintech venture, we offer various services such as money transfers, digital payment platforms, bill payment, money orders, check cashing, prepaid access, co-branded credits cards, installment lending and earned wage access. These products and services require us to comply with legal and regulatory requirements, including those related to privacy, information security, anti-money laundering and sanctions regimes and consumer protection, under both U.S. state and federal laws and regulations, as well as those of certain other countries. Failure to comply with these laws and regulations could result in fines, sanctions, penalties and harm to our reputation. We also have compliance obligations associated with privacy laws enacted to protect and regulate the collection, use, retention, disclosure and transfer of personal information, which include liability for security and privacy breaches. Among other obligations, breaches may trigger obligations under U.S. federal and state laws and those in certain other countries to notify affected individuals, government agencies and the media. Consequently, cybersecurity incidents that result in a data breach could subject us to fines, sanctions and other legal liability and harm our reputation.

Like most retailers, we receive and store in our information systems personal information and/or payment information about our customers and members, and we also receive and store information concerning our associates and vendors. In addition, our health and wellness business operations, the Walmart Health locations, and third-party service providers who handle information on our behalf, store and maintain personal health information. Some of this information is stored digitally in connection with the digital platforms and technologies that we use to conduct and facilitate our various businesses. We utilize third-party service providers for a variety of reasons, including, without limitation, for digital storage technology, content delivery to customers and members, back-office support, and other functions. Such providers may have access to information we hold about our customers, members, associates, business partners or vendors. In addition, our eCommerce operations depend upon the secure transmission of confidential information over public networks, including information permitting cashless payments. Cyber threats are rapidly evolving and those threats and the means for obtaining access to information in digital and other storage media are becoming increasingly sophisticated and frequent. Attacks against information systems and devices, whether our own or those of our third-party service providers, create risk of cybersecurity incidents, including ransomware, malware, or phishing incidents. We expect to continue to experience such attempted attacks in the future. Cyberattacks and threat actors can be sponsored by particular countries or sophisticated criminal organizations or be the work of hackers with a wide range of motives and expertise. We and the businesses with which we interact have experienced and continue to experience threats to data and systems, including by perpetrators of random or targeted malicious cyberattacks, computer viruses, phishing incidents, worms, bot attacks, ransomware or other destructive or disruptive software and attempts to misappropriate customer information, including credit card and payment information, and cause system failures and disruptions. Mitigation and remediation recommendations continue to evolve, and addressing vulnerabilities is a priority for us. The increased use of remote work infrastructure in recent years has also increased the possible attack surfaces. Some of our systems and third-party service providers' systems have experienced security incidents or breaches and although they have not had a material adverse effect on our operating results, there can be no assurance of a similar result in the future. Associate error or malfeasance, faulty password management, social engineering or other vulnerabilities and irregularities may also result in a defeat of our or our third-party service providers' security measures and a compromise or breach of our or their information systems. Moreover, hardware, software or applications we use may have inherent vulnerabilities or defects of design, manufacture or operations or could be inadvertently or intentionally implemented or used in a manner that could compromise information security. Any compromise of our data security systems or of those of businesses with which we interact, which results in confidential information being accessed, obtained, damaged, disclosed, destroyed, modified, lost or used by unauthorized persons could harm our reputation and expose us to regulatory actions (including, with respect to health information, liability under the Health Insurance Portability and Accountability Act of 1996, or "HIPAA"), customer attrition, remediation expenses, and claims from customers, members, associates, vendors, financial institutions, payment card networks and other persons, any of which could materially and adversely affect our business operations, financial position and results of operations. Because the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently and may not immediately produce signs of a compromise, we may be unable to anticipate these techniques or to implement adequate preventative measures and we or our third-party service providers may not discover any security event, breach, vulnerability or compromise of information for a significant period of time after the security incident occurs. To the extent that any cyberattack, ransomware or incursion in our or one of our third-party service provider's information systems results in the loss, damage, misappropriation or other compromise of information, we may be materially adversely affected by claims from customers, members, financial institutions, regulatory authorities, payment card networks and others. Our compliance programs, information technology, and enterprise risk management efforts cannot eliminate all systemic risk. Disruptions in our systems caused by security incidents, breaches or cyberattacks – including attacks on those parties we do business with (such as strategic partners, suppliers, banks, or utility companies) – could harm our ability to conduct our operations, which may have a material effect on us, may result in losses that could have a material adverse effect on our financial position or results of operations, or may have a cascading effect that adversely impacts our partners, third-party service providers, customers, members, financial services firms, and other third parties that we interact with on a regular basis. Our reputation with our customers and members is important to the success of our enterprise strategy, which combines traditional retail, membership models, marketplaces, financial services, healthcare, and other customer and business services into a series of interconnected assets to make it seamless for customers to interact with us. Security-related events could be widely publicized and could materially adversely affect our reputation with our customers, members, associates, vendors and shareholders, could harm our competitive position particularly with respect to our eCommerce operations, and could result in a material reduction in our net sales in our eCommerce operations, as well as in our stores thereby materially adversely affecting 20 20 20 our operations, net sales, results of operations, financial position, cash flows and liquidity. Such events could also result in the release to the public of confidential information about our operations and financial position and performance and could result in litigation or other legal actions against us or the imposition of penalties, fines, fees or liabilities, which may not be covered by our insurance policies. Moreover, a security compromise or ransomware event could require us to devote significant management resources to address the problems created by the issue and to expend significant additional resources to upgrade further the security measures we employ to guard personal and confidential information against cyberattacks and other attempts to access or otherwise compromise such information and could result in a disruption of our operations, particularly our digital operations. We accept payments using a variety of methods, including cash, checks, credit and debit cards, electronic benefits transfer (EBT) cards, mobile payments, and our private label credit cards and gift cards, and we may offer new payment options over time, which may have information security risk implications. As a retailer accepting debit and credit cards for payment, we are subject to various industry data protection standards and protocols, such as payment network security operating guidelines and the Payment Card Industry Data Security Standard. We cannot be certain that the security measures we maintain to protect all of our information technology systems are able to prevent, contain or detect cyberattacks, cyberterrorism, security incidents, breaches, or other compromises from known malware or ransomware or other threats that may be developed in the future. In certain circumstances, our contracts with payment card processors and payment card networks (such as Visa, Mastercard, American Express and Discover) generally require us to adhere to payment card network rules which could make us liable to payment card issuers and others if information in connection with payment cards and payment card transactions that we process is compromised, which liabilities could be substantial. Additionally, through various financial service partners and our ONE fintech joint venture, we offer various services such as money transfers, digital payment platforms, bill payment, money orders, check cashing, prepaid access, co-branded credits cards, installment lending, and earned wage access. These products and services require us to comply with legal and regulatory requirements, including privacy, authentication and tokenization, global anti-money laundering and sanctions laws and regulations as well as international, federal and state consumer financial laws and regulations. Failure to comply with these laws and regulations could result in fines, sanctions, penalties and harm to our reputation. The Company also has compliance obligations associated with privacy laws enacted to protect and regulate the collection, use, retention, disclosure and transfer of personal information, which include liability for security and privacy breaches. Among other obligations, breaches may trigger obligations under international, federal and state laws to notify affected individuals, government agencies and the media. Consequently, cybersecurity attacks that cause a data breach could subject us to fines, sanctions and other legal liability and harm our reputation.

Increasingly, customers are using computers, tablets and smart phones to shop with us and with our competitors and to do comparison shopping. We use social media, online advertising and email to interact with our customers and as a means to enhance their shopping experience. As a part of our omni-channel sales strategy, we offer various pickup, delivery and shipping programs including options where many products available for purchase online can be picked up by the customer or member at a local Walmart store or Sam's Club, which provides additional customer traffic at such stores and clubs. Omni- 19 19 19 channel retailing is a rapidly evolving part of the retail industry and of our operations around the world, and we continue to make investments in supply chain automation to support our omni-channel strategy. We must anticipate and meet our customers' changing expectations while adjusting for technology investments and developments in our competitors' operations through focusing on the building and delivery of a seamless shopping experience across all channels by each operating segment. Moreover, some of the various technology systems and services on which we rely are provided and managed by third-party service providers. To the extent either our or such other third-party systems and services do not perform or function as anticipated, whether because of an inherent flaw in the technology, a faulty implementation or a cybersecurity incident, such failure can significantly interfere with our ability to meet our customers' changing expectations. Any disruption or failure on our part to provide attractive, user-friendly and secure digital platforms that offer a wide assortment of merchandise and services at competitive prices and with low cost and rapid delivery options and that continually meet the changing expectations of online shoppers and developments in online and digital platform merchandising and related technology in a cost-efficient manner could place us at a competitive disadvantage, result in the loss of eCommerce and other sales, harm our reputation with customers, have a material adverse impact on the growth of our eCommerce business globally and have a material adverse impact on our business and results of operations.

Increasingly, customers are using computers, tablets, and smart phones to shop with us and with our competitors and to do comparison shopping. We use social media, online advertising, and email to interact with our customers and as a means to enhance their shopping experience. As a part of our omni-channel sales strategy, we offer various pickup, delivery and shipping programs including options where many products available for purchase online can be picked up by the customer or member at a local Walmart store or Sam's Club, which provides additional customer traffic at such stores and clubs. Omni-channel retailing is a rapidly evolving part of the retail industry and of our operations around the world, and we continue to make investments in supply chain automation to support our omni-channel strategy. We must anticipate and meet our customers' changing expectations while adjusting for technology investments and developments in our competitors' operations through focusing on the building and delivery of a seamless shopping experience across all channels by each operating segment. Moreover, some of the various technology systems and services on which we rely are provided and managed by third-party service providers. To the extent either our or such other third-party systems and services do not perform or function as anticipated, whether because of an inherent flaw in the technology or a faulty implementation, such failure can significantly interfere with our ability to meet our customers' changing expectations. Any disruption or failure on our part to provide attractive, user-friendly, and secure digital platforms that offer a wide assortment of merchandise and services at competitive prices and with low cost and rapid delivery options and that continually meet the changing expectations of online shoppers and developments in online and digital platform merchandising and related technology in a cost-efficient manner could place us at a competitive disadvantage, result in the loss of eCommerce and other sales, harm our reputation with customers, have a material adverse impact on the growth of our eCommerce business globally and have a material adverse impact on our business and results of operations. Our digital platforms, which are increasingly important to our business and continue to grow in complexity and scope, and the systems on which they run, including those applications and systems used in our acquired eCommerce, technology or other businesses, are regularly subject to cyberattacks. Those attacks involve attempts to gain unauthorized access to our eCommerce websites (including marketplace platforms) or mobile commerce applications to obtain and misuse customers' or members' information including personal information and/or payment information and related risks discussed in this Item 1A. Such attacks, if successful, in addition to potential data misuse and/or loss, may also create denials of service or otherwise disable, degrade or sabotage one or more of our digital platforms or otherwise significantly disrupt our customers' and members' shopping experience, our supply chain integrity and continuity, and our ability to efficiently operate our business. If we are unable to maintain the security of our digital platforms and keep them operating within acceptable parameters, we could suffer loss of sales, reductions in transactions, reputational damage and deterioration of our competitive position and incur liability for any damage to customers, members or others whose personal or confidential information is unlawfully obtained and misused, any of which events could have a material adverse impact on our business and results of operations and impede the execution of our strategy for the growth of our business. 19 19 19

We operate in a highly regulated and litigious environment. We are involved in legal proceedings, including litigation, arbitration and other claims, and investigations, inspections, audits, claims, inquiries and similar actions by pharmacy, healthcare, tax, environmental and other governmental authorities. We may also have indemnification obligations for legal commitments of certain businesses we have divested. Legal proceedings, in general, and securities, derivative action and class action and multi-district litigation, in particular, can be expensive and disruptive. Some of these suits may purport or may be determined to be class actions and/or involve parties seeking large and/or indeterminate amounts, including punitive or exemplary damages, and may remain unresolved for several years. For example, we are currently a defendant in a number of cases containing class or collective-action allegations, or both, in which the plaintiffs have brought claims under federal and state wage and hour laws, as well as a number of cases containing class-action allegations in which the plaintiffs have brought claims under federal and state consumer laws. We have been responding to subpoenas, information requests and investigations from governmental entities related to nationwide controlled substance dispensing and distribution practices involving opioids. We are also a defendant in numerous litigation proceedings related to opioids, including the consolidated multidistrict litigation entitled In re National Prescription Opiate Litigation (MDL No. 2804) currently pending in the U.S. District Court for the Northern District of Ohio and a lawsuit filed against us by the United States Department of Justice in the District of Delaware in 2020. Similar cases that name us also have been filed in state courts by state, local and tribal governments, healthcare providers and other plaintiffs. Plaintiffs in these cases are seeking compensatory and punitive damages, as well as injunctive relief including abatement. We have entered into a settlement framework to resolve certain of these matters and accrued a liability for approximately $3.3 billion, almost all of which was paid in fiscal 2024. We cannot predict the ultimate number of opioids-related claims that may be filed or their outcomes and cannot reasonably estimate any loss or range of loss that may arise from opioids-related matters. In addition, in July 2021, the Directorate of Enforcement in India issued a show cause notice to Flipkart and other parties requesting the recipients show cause as to why further proceedings under India's Foreign Direct Investment rules and regulations should not be initiated against them based on alleged violations that related to a period prior to our acquisition of a majority stake in Flipkart in 2018. Also, in October 2023, the main Mexican operating subsidiary of Wal-Mart de México was notified of the initiation of a quasi-judicial administrative process against it for alleged relative monopolistic practices in connection with the supply and wholesale distribution of certain consumer goods, retail marketing practices of such consumer 27 27 27 goods and related services. Because this process is at an early stage, we cannot provide any assurance as to the scope and outcome of this matter, and cannot reasonably estimate any loss or range of loss that may arise from this matter. We can provide no assurance as to the scope or outcome of any proceeding that might result from the notice, the amount of proceeds we may receive in indemnification, and can provide no assurance as to whether there will be a material adverse effect to our business or Consolidated Financial Statements. We are also a defendant in litigation with the Federal Trade Commission regarding our money transfer agent services and is also cooperating with and responding to subpoenas issued by the U.S. Attorney's Office for the Middle District of Pennsylvania on behalf of the U.S. Department of Justice regarding our consumer fraud prevention program and anti-money laundering compliance related to our money transfer services, where we are an agent. We are unable to predict the outcome of the litigation or investigations or any other related actions by governmental entities regarding these matters and can provide no assurance as to the scope and outcome of these matters and whether our business, financial position, results of operations or cash flows will not be materially adversely affected. We discuss in more detail these cases and other litigation to which we are party below under the caption "Item 3. Legal Proceedings" and in Note 10 in the "Notes to our Consolidated Financial Statements," which are part of this Annual Report on Form 10-K.

We operate in a highly regulated and litigious environment. We are involved in legal proceedings, including litigation, arbitration and other claims, and investigations, inspections, audits, claims, inquiries and similar actions by pharmacy, healthcare, tax, environmental and other governmental authorities. We may also have indemnification obligations for legal commitments of certain businesses we have divested. Legal proceedings, in general, and securities, derivative action and class action and multi-district litigation, in particular, can be expensive and disruptive. Some of these suits may purport or may be determined to be class actions and/or involve parties seeking large and/or indeterminate amounts, including punitive or exemplary damages, and may remain unresolved for several years. For example, we are currently a defendant in a number of cases containing class or collective-action allegations, or both, in which the plaintiffs have brought claims under federal and state wage and hour laws, as well as a number of cases containing class-action allegations in which the plaintiffs have brought claims under federal and state consumer laws. The Company has been responding to subpoenas, information requests and investigations from governmental entities related to nationwide controlled substance dispensing and distribution practices involving opioids and also is a defendant in numerous litigation proceedings related to opioids, including the consolidated multidistrict litigation entitled In re National Prescription Opiate Litigation (MDL No. 2804) currently pending in the U.S. District Court for the Northern District of Ohio. Similar cases that name the Company also have been filed in state courts by state, local and tribal governments, healthcare providers and other plaintiffs. Plaintiffs are seeking compensatory and punitive damages, as well as injunctive relief including abatement. The Company cannot predict the number of such claims that may be filed, and cannot reasonably estimate any loss or range of loss that may arise from such claims and the related opioid matters. In addition, in July 2021, the Directorate of Enforcement in India issued a show cause notice to Flipkart and other parties requesting the recipients show cause as to why further proceedings under India's Foreign Direct Investment rules and regulations should not be initiated against them based on alleged violations that related to a period prior to the Company's acquisition of a majority stake in Flipkart in 2018. The Company can provide no assurance as to the scope or outcome of any proceeding that might result from the notice, the amount of proceeds the Company may receive in indemnification, and can provide no assurance as to whether there will be a material adverse effect to its business or its consolidated financial statements. The Company is also a defendant in litigation with the Federal Trade Commission regarding the Company's money transfer agent services and is also cooperating with and responding to subpoenas issued by the U.S Attorney's Office for the Middle District of Pennsylvania on behalf of the U.S. Department of Justice regarding the Company's consumer fraud prevention program and anti-money laundering compliance related to the Company's money transfer services, where Walmart is an agent. The Company is unable to predict the outcome of the litigation or investigations or any other related actions by governmental entities regarding these matters and can provide no assurance as to the scope and outcome of these matters and whether its business, financial position, results of operations or cash flows will not be materially adversely affected. We discuss in more detail these cases and other litigation to which we are party below under the caption "Item 3. Legal Proceedings" and in Note 10 in the "Notes to our Consolidated Financial Statements," which are part of this Annual Report on Form 10-K. 26 26 26

We strive to deliver shared value through our business and our diverse stakeholders expect us to make significant progress in certain ESG priority issue areas. Stakeholder expectations regarding ESG matters continue to evolve and are not uniform. We have established, and may continue to establish, various goals and initiatives on these matters, including with respect to climate change initiatives. We cannot guarantee that we will achieve these goals and initiatives. Any failure, or perceived failure, by us to achieve these goals and initiatives or to otherwise meet evolving and varied stakeholder expectations could adversely affect our reputation. We periodically publish information about our ESG priorities, strategies and progress on our corporate website and update our ESG reporting from time to time. Achievement of these aspirations and goals is subject to risks and uncertainties, many of which are outside of our control, and it is possible that we may fail, or be perceived to have failed, in the achievement of our ESG goals or that certain of our customers, associates, shareholders, investors, suppliers, business partners, government agencies and non-governmental organizations might not be satisfied with our goals or our efforts toward achieving those goals. Certain challenges we face in the achievement of our ESG objectives are also captured within our ESG reporting, which is not incorporated by reference into and does not form any part of this Annual Report on Form 10-K. A failure or perceived failure to meet our goals could adversely affect public perception of our business, associate morale or customer or shareholder support.

We strive to deliver shared value through our business and our diverse stakeholders expect us to make significant progress in certain ESG priority issue areas. From time to time, we announce certain aspirations and goals relevant to our priority ESG issues. We periodically publish information about our ESG priorities, strategies, and progress on our corporate website and update our ESG reporting from time to time. Achievement of these aspirations and goals is subject to risks and uncertainties, many of which are outside of our control, and it is possible that we may fail, or be perceived to have failed, in the achievement of our ESG goals or that certain of our customers, associates, shareholders, investors, suppliers, business partners, government agencies, and non-governmental organizations might not be satisfied with our goals or our efforts toward achieving those goals. Certain challenges we face in the achievement of our ESG objectives are also captured within our ESG reporting, which is not incorporated by reference into and does not form any part of this Annual Report on Form 10-K. A failure or perceived failure to meet our goals could adversely affect public perception of our business, associate morale or customer or shareholder support.

The emergence, severity, magnitude and duration of global or regional pandemics, epidemics or other health crises are uncertain and difficult to predict. A pandemic, such as COVID-19, or other epidemic or contagious disease outbreak could impact our business operations, demand for our products and services, in-stock positions, costs of doing business, access to inventory, supply chain operations, the extent and duration of measures to try to contain the spread of a virus or other disease (such as travel bans and restrictions, quarantines, shelter-in-place orders, limitations on large gatherings, business and government shutdowns and other restrictions on retailers), our ability to predict future performance, exposure to litigation and our financial performance, among other things. In the event of any global or regional health crisis, customer demand for certain products may fluctuate, customer behaviors may change and consumer disposable income could be negatively impacted, which may challenge our ability to anticipate and/or adjust inventory levels to meet that demand. Other factors and uncertainties may include, but are not limited to: the severity and duration of pandemics, epidemics or other health crises, including disease outbreaks in areas in which we and our suppliers operate; increased operational costs; evolving macroeconomic factors, including general economic uncertainty, unemployment rates and recessionary pressures; unknown consequences on our business performance and initiatives stemming from the substantial investment of time, capital and other resources to a pandemic or other health crisis response; the effectiveness and extent of administration of vaccinations and medical treatments; the pace of recovery when any such pandemic or other health crisis subsides; and the long-term impact of a pandemic or other health crisis on our business, including consumer behaviors. These risks and their impacts are difficult to predict and could otherwise disrupt and adversely affect our operations and our financial performance. To the extent that a future pandemic or epidemic occurs, such events may also heighten other risks described in this section, including but not limited to those related to consumer behavior and expectations, competition, our reputation, implementation of strategic initiatives, cybersecurity threats, payment-related risks, technology systems disruption, supply chain disruptions, labor availability and cost, litigation and regulatory requirements.

The emergence, severity, magnitude and duration of global or regional pandemics or epidemics are uncertain and difficult to predict. A pandemic, such as COVID-19, or other epidemic could impact our business operations, demand for our products and services, in-stock positions, costs of doing business, access to inventory, supply chain operations, the extent and duration of measures to try to contain the spread of a virus or other disease (such as travel bans and restrictions, quarantines, shelter-in-place orders, business and government shutdowns, and other restrictions on retailers), our ability to predict future performance, exposure to litigation, and our financial performance, among other things. Customer behaviors changed rapidly during the course of the COVID-19 pandemic. In the event of a resurgence of infections or future mutations, variants or related strains of the virus become prevalent, customer demand for certain products may fluctuate and customer behaviors may change, which may challenge our ability to anticipate and/or adjust inventory levels to meet that demand. These factors may result in higher demand for certain products and less demand for others, as well as out-of-stock positions in certain products, along with delays in delivering those products (due to supply chain and transportation issues) and could impact inventory levels in the future. Other factors and uncertainties may include, but are not limited to: the severity and duration of the pandemic, including whether there are additional outbreaks or spikes in the number of cases, future mutations or related strains of the virus in areas in which we and our suppliers operate; further increased operational costs; evolving macroeconomic factors, including general economic uncertainty, unemployment rates, and recessionary pressures; unknown consequences on our business performance and initiatives stemming from the substantial investment of time, capital and other resources to the pandemic response; the effectiveness and extent of administration of vaccinations and medical treatments, including for any variants; the pace of recovery when the pandemic subsides; and the long-term impact of the pandemic or epidemic on our business, including consumer behaviors. These risks and their impacts are difficult to predict and could otherwise disrupt and adversely affect our operations and our financial performance. To the extent that the COVID-19 pandemic continues to adversely affect the U.S. and the global economy, or a future pandemic or epidemic occurs, such events may also heighten other risks described in this section, including but not limited to those related to consumer behavior and expectations, competition, our reputation, implementation of strategic initiatives, cybersecurity threats, payment-related risks, technology systems disruption, supply chain disruptions, labor availability and cost, litigation, and regulatory requirements.

It is difficult to predict consistently and successfully the products and services our customers will demand and changes in their shopping patterns, tastes and preferences. The success of our business depends in part on how accurately we predict consumer demand, availability of merchandise, the related impact on the demand for existing products and services and the competitive environment. Our business is dependent on our ability to make critical decisions and predictions with respect to merchandise categories that quickly respond to changing consumer spending patterns, tastes and preferences, any incorrect calculations by us may result in lower sales, spoilage and inventory markdowns, which could adversely impact our results of operations. Our ability to predict and adapt to changing tastes and preferences depends on many factors, including obtaining accurate and 15 15 15 relevant data on customer preferences, emphasizing relevant merchandise categories, effectively managing our inventory levels, and implementing competitive and effective pricing and promotion strategies. Price transparency, assortment of products, customer experience, convenience, ease and the speed and cost of shipping are of primary importance to customers and continue to increase in importance, particularly as a result of digital tools and social media available to consumers and the choices available to consumers for purchasing products. We must continue to preserve our reputation, which is impacted based on public perceptions. It may be difficult to address negative publicity across media channels, regardless of whether it is accurate. Negative incidents involving us, our workforce (including the loss of merchandise as a result of shrink or theft) or others with whom we do business could quickly erode trust and confidence in our business and could result in consumer boycotts, workforce unrest and government investigations. Negative reputational incidents or negative perceptions of us could adversely impact our business and results of operations, including through lower sales, the termination of business relationships and associate retention and recruiting efforts. Moreover, failure to adequately predict customer demand and consumer spending patterns or otherwise optimize and operate our distribution and fulfillment centers could result in excess or insufficient inventory, service interruptions and increased costs, any of which could significantly harm our business. As we continue to add new fulfillment centers, our fulfillment and technology networks become increasingly complex and operating them becomes more challenging. There can be no assurance that we will be able to operate our networks effectively.

It is difficult to predict consistently and successfully the products and services our customers will demand and changes in their shopping patterns. The success of our business depends in part on how accurately we predict consumer demand, availability of merchandise, the related impact on the demand for existing products and services and the competitive environment. Price transparency, assortment of products, customer experience, convenience, ease and the speed and cost of shipping are of primary importance to customers and continue to increase in importance, particularly as a result of digital tools and social media available to consumers and the choices available to consumers for purchasing products. Our failure to adequately or effectively respond to changing consumer tastes, preferences (including those related to ESG issues) and shopping patterns, or any other failure on our part to timely identify or effectively respond to changing consumer tastes, preferences and shopping patterns could negatively affect our reputation and relationship with our customers, the demand for the products we sell or services we offer, our market share and the growth of our business.

Our customers count on us to provide them with quality products at an affordable price. Occasionally, the quality of products that we source from our suppliers fails to meet customer expectations. In many cases, these products are subject to regulatory action or recall. For general merchandise, this could be because the product fails to meet safety standards. For food products, it could be because the product is a source of foodborne illness. For health and wellness products, it could be because the product does not produce the expected result for the customer or harms the customer. Any of these factors could cause customers to avoid purchasing certain products from us, or to choose to buy products from a different retailer, even if the quality issue is 18 18 18 outside of our control. Any lost confidence on the part of our customers would be difficult and costly to reestablish. When a product we sell does not meet quality or safety standards, there is an increased risk of liability for harm the product may cause our customers. While we rely on our suppliers to meet our safety and quality expectations, and to indemnify us if their products do not, certain suppliers may not have the financial capacity or ability to fulfill their indemnification obligations. In that case, we are exposed to the full cost of liability claims. Any issue regarding the quality or safety of products we sell, regardless of the cause, could adversely affect our brand, reputation and financial performance.

Our customers count on us to provide them with safe products. Concerns regarding the safety of food and non-food products that we source from our suppliers or that we prepare and then sell could cause customers to avoid purchasing certain products from us, or to seek alternative sources of supply for all of their food and non-food needs, even if the basis for the concern is outside of our control. Any lost confidence on the part of our customers would be difficult and costly to reestablish and such products also expose us to product liability or food safety claims. As such, any issue regarding the safety of any food or non-food items we sell, regardless of the cause, could adversely affect our brand, reputation and financial performance. In addition, third-parties sell goods on some of our digital platforms, which we refer to as marketplace transactions. Whether laws related to these marketplace transactions, including, but not limited to, intellectual property and products liability laws, apply to us is currently unsettled and any unfavorable changes or interpretations could expose us to liability, loss of sales, reduction in transactions and deterioration of our competitive position. In addition, we may face reputational, financial and other risks, including liability, for third-party sales of goods that are controversial, counterfeit, pirated, or stolen, or otherwise fail to comply with applicable law or the proprietary rights of others. Although we have marketplace compliance controls and impose contractual terms on sellers to prohibit sales of certain type of products, we may not be able to detect certain prohibited items, enforce such terms, or collect sufficient damages for breaches. Any of these events could have a material adverse impact on our business and results of operations and impede the execution of our eCommerce growth and enterprise strategy. 18 18 18