Risk Factors Dashboard
Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.
View risk factors by ticker
Search filings by term
Risk Factors - IBM
-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing
Item 1A. “Risk Factors” on pages 3 to 9 are cautionary statements that accompany those forward-looking statements. Readers should carefully review such cautionary statements as they identify certain important factors that could cause actual results to differ materially from those in the forward-looking statements and from historical trends. Those cautionary statements are not exclusive and are in addition to other factors discussed elsewhere in this Form 10-K, in the company’s filings with the SEC or in materials incorporated therein by reference.
Cybersecurity is a critical part of risk management at IBM and is integrated with the company’s overall enterprise risk management framework. The Board of Directors and the Audit Committee of the Board are responsible for overseeing management’s execution of cybersecurity risk management and for assessing IBM’s approach to risk management. Senior management is responsible for assessing and managing IBM’s exposure to cybersecurity risks on an ongoing basis.We have a global incident response process, managed by IBM’s Computer Security Incident Response Team (“CSIRT”), that relies primarily on internal expertise to respond to cybersecurity threats and attacks. We utilize a combination of online training, educational tools, videos and other awareness initiatives to foster a culture of security awareness and responsibility among our workforce, including responsibility for reporting suspicious activity. IBM has a third party supplier risk management program to oversee and identify risks from cybersecurity threats associated with its use of third party service providers and vendors. Risks are assessed and prioritized based, among other things, on the type of offering/engagement, supplier assessments, threat intelligence, and industry practices.
The Cybersecurity Advisory Committee (“CAC”) meets regularly and is responsible for overseeing management of the Company’s cybersecurity risk. The CAC is composed of, among others, SVPs from the major business units, the SVP Sponsor, and the CLO. The CAC is responsible for, among other things, setting the Company’s governance structure for managing cybersecurity risk and reviewing noteworthy cybersecurity incidents and strategies to prevent recurrence. IBM management responsible for managing cybersecurity risk reflects a cross-section of functions from across the organization with significant experience in managing such risk as well as the technologies underlying these risks. They also hold leadership positions outside of IBM in the field of cybersecurity, serving on governing and advisory boards of public and private institutions at the forefront of issues related to cybersecurity, including technology development, cybersecurity policy, and national security. The Board of Directors and the Audit Committee oversee the cyber governance process. Leadership from E&TS, including the CISO, make regular presentations to the Audit Committee and the full Board on identification, management, and remediation of cybersecurity risks, both internal and external, as well as threat intelligence, emerging global policies and regulations, cybersecurity technologies, and best practices. In addition, senior management provides briefings as needed to the Audit Committee Chair, the Audit Committee, and, as appropriate, the full Board, on cybersecurity issues and incidents of potential interest.
2
The following information is included in IBM’s 2024 Annual Report to Stockholders and is incorporated herein by reference:
Segment information and revenue by classes of similar products or services—pages 69 to 74.
Financial information regarding environmental activities—pages 94 to 95.
The number of persons employed by the registrant—page 14.
The management discussion overview—pages 8 to 10.
Website information and company reporting—page 123.
Information About Our Executive Officers (at February 25, 2025):
(1) Member of the Board of Directors.
All executive officers are elected by the Board of Directors annually as provided in the Company’s By-laws. Each executive officer named above, with the exception of Anne Robinson and Gary D. Each executive officer named above, with the exception of Gary D. Cohn, has been an executive of IBM or its subsidiaries during the past five years. Ms. Robinson previously served as Managing Director, General Counsel and Corporate Secretary of The Vanguard Group, Inc. and Secretary of the Vanguard funds from August 2016 until June 2024. Mr. Cohn previously served as Assistant to the President for Economic Policy and Director of the National Economic Council from January 2017 until April 2018. Before serving in the White House, Mr. Cohn was President and Chief Operating Officer of The Goldman Sachs Group, Inc. from 2006-2016.
Item 1A. Risk Factors:
Risks Related to Our Business
Downturn in Economic Environment and Client Spending Budgets Could Impact the Company’s Business: If overall demand for IBM’s products and solutions decreases, whether due to general economic conditions, or a shift in client buying patterns, the company’s revenue and profit could be impacted.
Failure of Innovation Initiatives Could Impact the Long-Term Success of the Company: IBM has moved into areas, including those that incorporate or utilize hybrid cloud, AI and generative AI, quantum and other disruptive technologies, in which it can differentiate itself through responsible innovation, by leveraging its investments in R&D and attracting a successful developer ecosystem. If IBM is unable to continue its cutting-edge innovation in a highly competitive and rapidly evolving environment or is unable to commercialize such innovations, expand and scale them with sufficient speed and versatility or is unable to attract a successful developer ecosystem, the company could fail in its ongoing efforts to maintain and increase its market share and its profit margins.
Damage to IBM’s Reputation Could Impact the Company’s Business: IBM has one of the strongest brand names in the world, and its brand and overall reputation could be negatively impacted by many factors, including if the company does not continue to be recognized for its industry leading technology and solutions and as a hybrid cloud and AI leader. IBM’s reputation is potentially susceptible to damage by events such as significant disputes with clients, product defects, internal control deficiencies, delivery failures, cybersecurity incidents, government investigations or legal proceedings or actions of current or former clients, directors, employees, competitors, vendors, alliance partners or joint venture partners. 3 Table of ContentsIBM’s reputation is potentially susceptible to damage by events such as significant disputes with clients, product defects, internal control deficiencies, delivery failures, cybersecurity incidents, government investigations or legal proceedings or actions of current or former clients, directors, employees, competitors, vendors, alliance partners or joint venture partners. If the
3
company’s brand image is tarnished by negative perceptions, its ability to attract and retain customers, talent and ecosystem partners could be impacted.
Risks from Investing in Growth Opportunities Could Impact the Company’s Business: The company continues to invest significantly in key strategic areas, including AI and generative AI, to drive revenue growth and market share gains. Client adoption rates and viable economic models are less certain in the high-value, highly competitive, and rapidly-growing segments. Additionally, emerging business and delivery models may unfavorably impact demand and profitability for our other products or services. If the company does not adequately and timely anticipate and respond to changes in customer and market preferences, competitive actions, disruptive technologies, emerging business models and ecosystems, the client demand for our products or services may decline or IBM’s costs may increase.
IBM’s Intellectual Property Portfolio May Not Prevent Competitive Offerings, and IBM May Not Be Able to Obtain Necessary Licenses: The company’s patents and other intellectual property may not prevent competitors from independently developing products and services similar to or duplicative to the company’s, nor can there be any assurance that the resources invested by the company to protect its intellectual property will be sufficient or that the company’s intellectual property portfolio will adequately deter misappropriation or improper use of the company’s technology. In addition, the company may be the target of aggressive and opportunistic enforcement of patents by third parties, including non-practicing entities. Also, there can be no assurances that IBM will be able to obtain from third parties the licenses it needs in the future. The company’s ability to protect its intellectual property could also be impacted by a lack of effective legal protections as well as changes to existing laws, legal principles and regulations governing intellectual property, including the ownership and protection of patents.
Certain of the company’s offerings incorporate or utilize open source and other third-party software licensed with limited or no warranties, indemnification, or other contractual protections for IBM. Further, if open source code that IBM utilizes is no longer maintained, developed or enhanced by the relevant community of independent open source software programmers, most of whom we do not employ, we may be unable to develop new technologies, adequately enhance our existing technologies or meet customer requirements for innovation, quality and price.
Risks to the Company from Acquisitions, Alliances and Divestitures Include Integration Challenges, Failure to Achieve Objectives, the Assumption or Retention of Liabilities and Higher Debt Levels: The company has made and expects to continue to make acquisitions, alliances and divestitures. Such transactions present significant challenges and risks and there can be no assurances that the company will manage such transactions successfully, that strategic objectives will be achieved or that strategic opportunities will be available to the company on acceptable terms or at all. Such transactions present significant challenges and risks and there can be no assurances that the company will manage such transactions successfully or that strategic opportunities will be available to the company on acceptable terms or at all. With respect to acquisitions and alliances, the related risks include the company failing to achieve anticipated revenue improvements and cost savings, the failure to retain key personnel or strategic relationships of acquired companies, the assumption of liabilities related to litigation or other legal proceedings involving the businesses in such transactions, and delays in obtaining, or the failure to obtain, necessary governmental or regulatory approvals, as well as the failure to close planned transactions. Such transactions may require the company to secure financing and any significant disruption or turmoil in the capital markets could have an adverse effect on IBM’s ability to access the capital markets at favorable terms. From time to time, the company divests or attempts to divest assets that are no longer central to its strategic objectives. From time to time, the company disposes or attempts to dispose of assets that are no longer central to its strategic objectives. Any such transaction is subject to risks, including risks related to the terms and timing of such divestitures, risks related to retained liabilities not subject to the company’s control, and delays in obtaining, or failing to obtain, necessary governmental or regulatory approvals, as well as the failure to close planned transactions.
The Company’s Financial Results for Particular Periods Are Difficult to Predict: IBM’s revenues and profitability are affected by such factors as the introduction of new products and services, the ability to compete effectively in increasingly competitive marketplaces, the length of the sales cycles and the seasonality of technology purchases. In addition, certain of the company’s growth areas involve new products, new customers, new and evolving competitors, and new markets, all of which contribute to the difficulty of predicting the company’s financial results. The company’s financial results may also be impacted by the structure of products and services contracts and the nature of its customers’ businesses; for example, certain of the company’s services contracts with commercial customers in regulated industries are subject to periodic review by regulators with respect to controls and processes. Further, general economic conditions, including sudden shifts in regional or global economic activity may impact the company’s financial results in any particular period. As a result of the above-mentioned factors, the company’s financial results are difficult to predict. Historically, the company has had lower revenue in the first quarter than in the immediately preceding fourth quarter. In addition, the high volume of products typically ordered at the end of each quarter, especially at the end of the fourth quarter, make financial results for a given period difficult to predict.
4
Due to the Company’s Global Presence, Its Business and Operations Could Be Impacted by Local Legal, Economic, Political, Health and Other Conditions: The company is a globally integrated entity, doing business in over 175 countries worldwide and deriving about sixty percent of its revenues from sales outside the United States. Changes in the laws or policies of the countries in which the company operates, or inadequate development or enforcement of such laws or policies, could affect the company’s business and the company’s overall results of operations. Further, the company may be impacted directly or indirectly by the development and enforcement of laws and regulations in the U.S. and globally that are specifically targeted at the technology industry. The company’s results of operations also could be affected by economic and political changes in those countries and by macroeconomic changes, including recessions, inflation, currency fluctuations between the U.S. dollar and non-U.S. currencies, capital controls, and adverse changes in trade relationships amongst those countries. Further, as the company expands its customer base and the scope of its offerings, both within the U.S. and globally, it may be impacted by additional regulatory or other risks, including, compliance with U.S. and foreign data privacy requirements, outbound investment restrictions, AI and cloud regulations, data localization requirements, labor relations laws, enforcement of IP protection laws, laws relating to anti-corruption, anti-competition regulations, and import, export and trade restrictions. Further, international trade disputes could create uncertainty. Tariffs and international trade sanctions resulting from these disputes could affect the company’s ability to move goods and services across borders, or could impose added costs to those activities. Measures taken to date by the company to mitigate these impacts could be made less effective should trade sanctions or tariffs change. In addition, any widespread outbreak of an illness, pandemic or other local or global health issue, natural disasters, climate change impacts, or uncertain political climates, international hostilities, or any terrorist activities, could adversely affect customer demand, the company’s operations and supply chain, and its ability to source and deliver products and services to its customers.
The Company May Not Meet Its Growth and Productivity Objectives: On an ongoing basis, IBM seeks to drive greater agility, productivity, flexibility and cost savings by continuously transforming with the use of automation, AI, agile processes and changes to the ways of working, while also enabling the scaling of resources, offerings and investments through the company’s globally integrated model across both emerging and more established markets. These various initiatives may not yield their intended gains in speed, quality, productivity and enablement of rapid scaling, which may impact the company’s competitiveness and its ability to meet its growth and productivity objectives.
Ineffective Internal Controls Could Impact the Company’s Business and Operating Results: The company’s internal control over financial reporting may not prevent or detect misstatements because of its inherent limitations, including the possibility of human error, failure or interruption of information technology systems, the circumvention or overriding of controls, or fraud. Even effective internal controls can provide only reasonable assurance with respect to the preparation and fair presentation of financial statements. If the company fails to maintain the adequacy of its internal controls, including any failure to implement required new or improved controls, or if the company experiences difficulties in their implementation, the company’s business and operating results could be harmed and the company could fail to meet its financial reporting obligations.
The Company’s Use of Accounting Estimates Involves Judgment and Could Impact the Company’s Financial Results: The application of accounting principles generally accepted in the U.S. (GAAP) requires the company to make estimates and assumptions about certain items and future events that directly affect its reported financial condition. The company’s most critical accounting estimates are described in the Management Discussion in IBM’s 2024 Annual Report to Stockholders, under “Critical Accounting Estimates.” In addition, as discussed in note Q, “Commitments & Contingencies,” in IBM’s 2024 Annual Report to Stockholders, the company makes certain estimates including decisions related to legal proceedings and reserves. These estimates and assumptions involve the use of judgment. As a result, actual financial results may differ.
The Company’s Goodwill or Amortizable Intangible Assets May Become Impaired: The company acquires other companies, including the intangible assets of those companies. The company may not realize all the economic benefit from those acquisitions, which could cause an impairment of goodwill or intangible assets. If our goodwill or net intangible assets become impaired, we may be required to record a charge to the Consolidated Income Statement.
The Company Depends on Skilled Employees and Could Be Impacted by a Shortage of Critical Skills: Much of the future success of the company depends on the continued service, availability and integrity of skilled employees, including technical, marketing and staff resources. Skilled and experienced personnel in the areas where the company competes are in high demand, and competition for their talents is intense. Changing demographics and labor work force trends may result in a shortage of or insufficient knowledge and skills. In addition, as global opportunities and industry demand shifts, realignment, training and scaling of skilled resources may not be sufficiently rapid or successful. Further, many of IBM’s key employees receive a total compensation package that includes equity awards. Any new regulations, volatility in the
5
stock market and other factors could diminish the company’s use or the value of the company’s equity awards, putting the company at a competitive disadvantage.
The Company’s Business Could Be Impacted by Its Relationships with Critical Suppliers: IBM’s business employs a wide variety of components (hardware and software), supplies, services and raw materials from a substantial number of suppliers around the world. Certain of the company’s businesses rely on a single or a limited number of suppliers, including for server processor technology for certain semiconductors. Changes in the business condition (financial or otherwise) of these suppliers could subject the company to losses and affect its ability to bring products to market. Further, the failure of the company’s suppliers to deliver components, supplies, services and raw materials in sufficient quantities, in a timely or secure manner, and in compliance with all applicable laws and regulations could adversely affect the company’s business. In addition, any defective components, supplies or materials, or inadequate services received from suppliers could reduce the reliability of the company’s products and services and harm the company’s reputation.
Product and Service Quality Issues Could Impact the Company’s Business and Operating Results: The company has rigorous quality control standards and governance processes intended to prevent, detect and correct errors, malfunctions and other defects in its products and services. If errors, malfunctions, defects or disruptions in service are experienced by customers or in the company’s operations there could be negative consequences that could impact customers’ business operations and harm the company’s business’s operating results.
The Development and Use of AI and Generative AI, including the Company’s Increased Offerings and Use of AI-based Technologies, Could Impact the Long-Term Success of the Company and its Reputation or Give Rise to Legal or Regulatory Action: IBM is increasingly applying AI-based technologies, including generative AI, to its services and products, to how it delivers offerings to IBM clients, and to its own internal operations. Additionally, IBM is investing in and offering new products and services associated with AI development, deployment and management. As stated more comprehensively and in context of several risk factors throughout this Item 1A., this increasing mix and application of AI-based technologies may impact IBM’s ongoing efforts to maintain and increase its market share and its profit margins or harm IBM’s reputation if the company does not continue to be recognized as an AI leader with strong governance processes. IBM’s drive for greater agility, productivity, flexibility and cost savings by continuously transforming with the use of AI may not yield intended gains in speed, quality, productivity and enablement of rapid scaling, which may impact the company’s competitiveness. The evolving global AI regulatory environment, including the enactment of the EU AI Act, may affect the company’s business and the company’s overall results of operations. Computer hackers and others routinely attack the security of technology products, services, systems and networks using a wide variety of methods, and the increased use of generative AI may introduce novel methods of attack. Computer hackers and others routinely attack the security of technology products, services, systems and networks using a wide variety of methods, including ransomware or other malicious software and attempts to exploit vulnerabilities in hardware, software, and infrastructure. In the event of such actions, the company, its customers and other third parties could be exposed to liability, litigation, and regulatory or other government action, including debarment, as well as the loss of existing or potential customers, damage to brand and reputation, damage to IBM’s competitive position, and other financial loss.
The Company Could Be Impacted by Its Business with Government Clients: The company’s customers include numerous governmental entities within and outside the U.S., including the U.S. Federal Government and state and local entities. Some of the company’s agreements with these customers may be subject to periodic funding approval. Funding reductions, delays or work stoppages could adversely impact public sector demand for our products and services. Funding reductions or delays could adversely impact public sector demand for our products and services. Also, some agreements may contain provisions allowing the customer to terminate without cause and providing for higher liability limits for certain losses. In addition, the company could be suspended or debarred as a governmental contractor and could incur civil and criminal fines and penalties, which could negatively impact the company’s results of operations, financial results and reputation.
The Company’s Reliance on Third-Party Distribution Channels and Ecosystems Could Impact Its Business: The company offers its products directly and through a variety of third-party distributors, resellers, independent software vendors, independent service providers, and other ecosystem partners. Changes in the business condition (financial or otherwise) of these ecosystem partners could subject the company to losses and affect its ability to bring its products to market. As the company moves into new areas, ecosystem partners may be unable to keep up with changes in technology and offerings, and the company may be unable to recruit and enable appropriate partners to achieve anticipated ecosystem growth objectives. In addition, the failure of ecosystem partners to comply with all applicable laws and regulations may prevent the company from working with them and could subject the company to losses and affect its ability to bring products to market.
6
Risks Related to Cybersecurity and Data Privacy
Cybersecurity, Privacy, and AI Considerations Could Impact the Company’s Business: There are numerous and evolving risks to cybersecurity and privacy, including risks originating from intentional acts of individual and groups of criminal hackers, hacktivists, state-sponsored organizations, nation states and competitors; from intentional and unintentional acts or omissions of customers, contractors, business partners, vendors, employees and other third parties; and from errors in processes or technologies, as well as the risks associated with an increase in the number of customers, contractors, business partners, vendors, employees and other third parties working remotely. Computer hackers and others routinely attack the security of technology products, services, systems and networks, like those we offer, using a wide variety of methods, including ransomware or other malicious software and attempts to exploit vulnerabilities in hardware, software, and infrastructure, and the increased use of generative AI may introduce novel methods of attack. Computer hackers and others routinely attack the security of technology products, services, systems and networks using a wide variety of methods, including ransomware or other malicious software and attempts to exploit vulnerabilities in hardware, software, and infrastructure. Attacks also include social engineering and cyber extortion to induce customers, contractors, business partners, vendors, employees and other third parties to disclose information, transfer funds, or unwittingly provide access to systems or data. The company is at risk of security breaches not only of our own products, services, systems and networks, but also those of customers, contractors, business partners, vendors, employees and other third parties, particularly as all parties increasingly digitize their operations. Cyber threats are increasing in number and sophistication, continually evolving, including with the increased use of AI, making it difficult to anticipate and defend against such threats and vulnerabilities that can persist undetected over extended periods of time.
The company’s products, services, systems and networks, including cloud-based systems and systems and technologies that the company maintains on behalf of its customers, are used in critical company, customer or third-party operations, and involve the storage, processing and transmission of sensitive data, including valuable intellectual property, other proprietary or confidential data, regulated data, and personal information of employees, customers and others. These products, services, systems and networks are also used by customers in heavily regulated industries, including those in the financial services, healthcare, critical infrastructure and government sectors.
As is common in our industry and for a company our size, we continue to face and prepare for cybersecurity threats. While the company continues to monitor for, identify, investigate, respond to and remediate a wide range of cybersecurity events, there have not been cybersecurity incidents or vulnerabilities that have had a material adverse effect on the company, though there is no assurance that there will not be cybersecurity incidents or vulnerabilities that will have a material adverse effect in the future.
The company regularly addresses cybersecurity attacks and vulnerabilities. Cybersecurity attacks or other security incidents, including industry-wide incidents such as MOVEit, have or could result in, for example, one or more of the following: unauthorized access to, disclosure, modification, misuse, loss, or destruction of company, customer, or other third-party data or systems; theft or import or export of sensitive, regulated, or confidential data including personal information and intellectual property, including key innovations in AI, quantum, or other disruptive technologies; the loss of access to critical data or systems through ransomware, crypto mining, destructive attacks or other means; and business delays, service or system disruptions or denials of service. Successful cybersecurity attacks or other security incidents could result in, for example, one or more of the following: unauthorized access to, disclosure, modification, misuse, loss, or destruction of company, customer, or other third party data or systems; theft or import or export of sensitive, regulated, or confidential data including personal information and intellectual property, including key innovations in artificial intelligence, quantum, or other disruptive technologies; the loss of access to critical data or systems through ransomware, crypto mining, destructive attacks or other means; and business delays, service or system disruptions or denials of service.
In the event of such actions, the company, its customers and other third parties could be exposed to liability, litigation, and regulatory or other government action, including debarment, as well as the loss of existing or potential customers, damage to brand and reputation, damage to our competitive position, and other financial loss. In addition, the cost and operational consequences of responding to cybersecurity incidents and implementing remediation measures could be significant. In the company’s industry, security vulnerabilities are increasingly discovered, publicized and exploited across a broad range of hardware, software or other infrastructure, including in our own products, services, systems and networks, or third-party data and systems upon which we rely, elevating the risk of attacks and the potential cost of response and remediation for the company and its customers. In the company’s industry, security vulnerabilities are increasingly discovered, publicized and exploited across a broad range of hardware, software or other infrastructure, elevating the risk of attacks and the potential cost of response and remediation for the company and its customers. In addition, the fast-paced, evolving, pervasive, and sophisticated nature of certain cyber threats and vulnerabilities, as well as the scale and complexity of the business and infrastructure, make it possible that certain threats or vulnerabilities will be undetected or unmitigated in time to prevent or minimize the impact of an attack on the company or its customers.
Cybersecurity risk to the company and its customers also depends on factors such as the actions, practices and investments of customers, contractors, business partners, vendors, the open source community and other third parties, including, for example, providing and implementing patches to address vulnerabilities. Cybersecurity attacks or other catastrophic events resulting in disruptions to or failures in power, information technology, communication systems or other critical infrastructure could result in interruptions or delays to company, customer, or other third-party operations or services, financial loss, injury or death to persons or property, potential liability, and damage to brand and reputation.
7
Although the company continuously takes significant steps to mitigate cybersecurity risk across a range of functions, such measures can never eliminate the risk entirely or provide absolute security.
As a global enterprise, the regulatory environment with regard to cybersecurity, privacy, AI and data protection issues is increasingly complex and will continue to impact the company’s business, including through increased risk, increased costs, and expanded or otherwise altered compliance obligations, including with respect to the increased regulatory activity around the security of critical infrastructure, IoT devices, customer industries (e.g., financial services) and various customer and government supply chain security programs., financial services) and 7 Table of Contentsvarious customer and government supply chain security programs. As the reliance on data grows for the company and our clients, the potential impact of regulations on the company’s business, risks, and reputation will grow accordingly. The enactment and expansion of cybersecurity, AI, data protection and privacy laws, regulations and standards around the globe will continue to result in increased compliance costs, including due to an increased focus on international data transfer mechanisms and data location; increased cybersecurity requirements and reporting obligations; the lack of harmonization of such laws and regulations; the increase in associated litigation and enforcement activity by governments and private parties; the potential for damages, fines and penalties and debarment; and the potential regulation of new and emerging technologies. The enactment and expansion of cybersecurity, data protection and privacy laws, regulations and standards around the globe will continue to result in increased compliance costs, including due to an increased focus on international data transfer mechanisms driven by the European Court of Justice decision in the Schrems II matter; increased cybersecurity requirements and reporting obligations; the lack of harmonization of such laws and regulations; the increase in associated litigation and enforcement activity by governments and private parties; the potential for damages, fines and penalties and debarment; and the potential regulation of new and emerging technologies such as artificial intelligence. Any additional costs and penalties associated with increased compliance, enforcement, and risk reduction could make certain offerings less profitable or increase the difficulty of bringing certain offerings to market or maintaining certain offerings.
Risks Related to Laws and Regulations
The Company Could Incur Substantial Costs Related to Climate Change and Other Environmental Matters: IBM, like other companies, is subject to potential climate-related risks and costs such as those resulting from increased severe weather events, prolonged changes in temperature, new regulations affecting hardware products and data centers, carbon taxes, and increased environmental disclosures requested or required by clients, regulators and others. The company is also subject to various federal, state, local and foreign laws and regulations concerning the discharge of materials into the environment or otherwise related to environmental protection, including the U.S. Superfund law. The company could incur substantial costs, including cleanup costs, fines and civil or criminal sanctions, as well as third-party claims for property damage or personal injury, if it were to violate or become liable under environmental laws and regulations. We do not expect climate change or compliance with environmental laws and regulations focused on climate change to have a disproportionate effect on the company or its financial position, results of operations and competitive position.
Tax Matters Could Impact the Company’s Results of Operations and Financial Condition: The company is subject to income taxes in both the United States and numerous foreign jurisdictions. IBM’s provision for income taxes and cash tax liability in the future could be adversely affected by numerous factors including, but not limited to, income before taxes being lower than anticipated in countries with lower statutory tax rates and higher than anticipated in countries with higher statutory tax rates, changes in the valuation of deferred tax assets and liabilities, and changes in tax laws, regulations, accounting principles or interpretations thereof, which could adversely impact the company’s results of operations and financial condition in future periods. The Organization for Economic Cooperation and Development (OECD) has issued model rules for a new global minimum tax. The Organization for Economic Cooperation and Development (OECD) is issuing guidelines that are different, in some respects, than long-standing international tax principles. Local country adoption of these rules may increase tax uncertainty and may adversely impact the company’s income taxes. Furthermore, local country, state, provincial or municipal taxation may also be subject to review and potential override by regional, federal, national or similar forms of government. Local country, state, provincial or municipal taxation may also be subject to review and potential override by regional, federal, national or similar forms of government. In addition, IBM is subject to the continuous examination of its income tax returns by the United States Internal Revenue Service (IRS) and other tax authorities around the world. The company regularly assesses the likelihood of adverse outcomes resulting from these examinations to determine the adequacy of its provision for income taxes. There can be no assurance that the outcomes from these examinations will not have an adverse effect on the company’s provision for income taxes and cash tax liability.
The Company Is Subject to Legal Proceedings and Investigatory Risks: As a company with a substantial employee population and with clients in more than 175 countries, IBM is or may become involved as a party and/or may be subject to a variety of claims, demands, suits, investigations, tax matters and other proceedings that arise from time to time in the ordinary course of its business. The risks associated with such legal proceedings are described in more detail in note Q, “Commitments & Contingencies,” in IBM’s 2024 Annual Report to Stockholders. The company believes it has adopted appropriate risk management and compliance programs. Legal and compliance risks, however, will continue to exist and additional legal proceedings and other contingencies, the outcome of which cannot be predicted with certainty, may arise from time to time.
8
Risks Related to Financing and Capital Markets Activities
The Company’s Results of Operations and Financial Condition Could Be Negatively Impacted by Its U.S. and non-U.S. Pension Plans: Adverse financial market conditions and volatility in the credit markets may have an unfavorable impact on the value of the company’s pension trust assets and its future estimated pension liabilities. As a result, the company’s financial results in any period could be negatively impacted. In addition, in a period of an extended financial market downturn, the company could be required to provide incremental pension plan funding with resulting liquidity risk which could negatively impact the company’s financial flexibility. Further, the company’s results could be negatively impacted by premiums for mandatory pension insolvency insurance coverage outside the United States. Premium increases could be significant due to the level of insolvencies of unrelated companies in the country at issue. IBM’s 2024 Annual Report to Stockholders includes information about potential impacts from pension funding and the use of certain assumptions regarding pension matters.
The Company Is Exposed to Currency and Financing Risks That Could Impact Its Revenue and Business: The company derives a significant percentage of its revenues and costs from its affiliates operating in local currency environments, and those results are affected by changes in the relative values of non-U.S. currencies and the U.S. dollar, as well as sudden shifts in regional or global economic activity. Further, inherent in the company’s financing business are risks related to the concentration of credit, client creditworthiness, interest rate and currency fluctuations on the associated debt and liabilities and the determination of residual values. Further, inherent in the company’s financing business are risks related to the concentration of credit, client creditworthiness, interest rate and currency fluctuations on the associated debt and liabilities, the determination of residual values and the financing of assets other than traditional IT assets. The company employs a number of strategies to manage these risks, including the use of derivative financial instruments, which involve the risk of non-performance by the counterparty. In addition, there can be no assurance that the company’s efforts to manage its currency and financing risks will be successful.
The Company’s Financial Performance Could Be Impacted by Changes in Market Liquidity Conditions and by Customer Credit Risk on Receivables: The company’s financial performance is exposed to a wide variety of industry sector dynamics worldwide, including sudden shifts in regional or global economic activity. The company’s earnings and cash flows, as well as its access to funding, could be negatively impacted by changes in market liquidity conditions. IBM’s 2024 Annual Report to Stockholders includes information about the company’s liquidity position. The company’s client base includes many enterprises worldwide, from small and medium businesses to the world’s largest organizations and governments, with a significant portion of the company’s revenue coming from global clients across many sectors. Most of the company’s sales are on an open credit basis, and the company performs ongoing credit evaluations of its clients’ financial conditions. If the company becomes aware of information related to the creditworthiness of a major customer, or if future actual default rates on receivables in general differ from those currently anticipated, the company may have to adjust its allowance for credit losses, which could affect the company’s consolidated net income in the period the adjustments are made.
Risks Related to Ownership of IBM Securities
Risk Factors Related to IBM Securities: The company and its subsidiaries issue debt securities in the worldwide capital markets from time to time, with a variety of different maturities and in different currencies. The value of the company’s debt securities fluctuates based on many factors, including the methods employed for calculating principal and interest, the maturity of the securities, the aggregate principal amount of securities outstanding, the redemption features for the securities, the level, direction and volatility of interest rates, changes in exchange rates, exchange controls, governmental and stock exchange regulations and other factors over which the company has little or no control. The company’s ability to pay interest and repay the principal for its debt securities is dependent upon its ability to manage its business operations, as well as the other risks described under this Item 1A. entitled “Risk Factors.” There can be no assurance that the company will be able to manage any of these risks successfully.
The company also issues its common stock from time to time in connection with various compensation plans, contributions to its pension plan and certain acquisitions. The market price of IBM common stock is subject to significant volatility, due to other factors described under this Item 1A. entitled “Risk Factors,” as well as economic and geopolitical conditions generally, trading volumes, speculation by the press or investment community about the company’s financial condition, and other factors, many of which are beyond the company’s control. Since the market price of IBM’s common stock fluctuates significantly, stockholders may not be able to sell the company’s stock at attractive prices.
In addition, changes by any rating agency to the company’s outlook or credit ratings can negatively impact the value and liquidity of both the company’s debt and equity securities. The company does not make a market in either its debt or equity securities and cannot provide any assurances with respect to the liquidity or value of such securities.
9
Item 1B. Unresolved Staff Comments:
Not applicable.
Item 1C.Item 1A. Cybersecurity:
Risk Management and Strategy
From an enterprise perspective, we implement a multi-faceted risk management approach based on the National Institute of Standards and Technology Cybersecurity Framework. We have established policies and procedures that provide the foundation upon which IBM’s infrastructure and data are managed. We regularly assess and adjust our technical controls and methods to identify and mitigate emerging cybersecurity risks. We use a layered approach with overlapping controls to defend against cybersecurity attacks and threats on IBM networks, end-user devices, servers, applications, data, and cloud solutions.
We draw heavily on our own commercial security solutions and services to manage and mitigate cybersecurity risks. IBM maintains a Security Operations Center (“SOC”) that monitors for threats to IBM’s networks and systems, utilizing threat intelligence provided by a range of sources, including the IBM Security X-Force Exchange platform, which maintains one of the largest compilations of threat intelligence in the world. We also rely on tools licensed from third party security vendors to monitor and manage cybersecurity risks. We periodically engage third parties to supplement and review our cybersecurity practices and provide relevant certifications.
As discussed in greater detail in Item 1A., "Risk Factors," the company faces numerous and evolving cybersecurity threats, including risks originating from the increased use of AI, intentional acts of individual and groups of criminal hackers, hacktivists, state-sponsored organizations, nation states and competitors; from intentional and unintentional acts or omissions of customers, contractors, business partners, vendors, employees and other third parties; and from errors in processes or technologies, as well as the risks associated with the number of customers, contractors, business partners, vendors, employees and other third parties working remotely. While the company continues to monitor for, identify, investigate, respond to and remediate cybersecurity risks, including incidents and vulnerabilities, there have not been any that have had a material adverse effect on the company, though there is no assurance that there will not be cybersecurity risks that will have a material adverse effect in the future.
Governance
IBM’s Enterprise & Technology Security (“E&TS”) organization has oversight responsibility for the security of both IBM’s internal systems and external offerings and works across all of the organizations within the company to protect IBM, its brand, and its clients against cybersecurity risks. E&TS also addresses cybersecurity risks associated with third party suppliers. For these purposes, E&TS includes a dedicated Chief Information Security Officer (“CISO”) whose team is responsible for leading enterprise-wide information security strategy, policy, standards, architecture, and processes for IBM’s internal systems. The CISO manages the CSIRT. The CISO also manages the Product Security Incident Response Team (“PSIRT”), which focuses on product vulnerabilities potentially affecting the security of offerings sold to customers. IBM also has Business Information Security Officers (“BISO”) who are coordinated by the Office of the CISO on security issues specific to particular business segments.
10
The CSIRT team, together with the Office of the Chief Information Officer (“CIO”), Cyber Legal, Corporate Security, and BISOs, engages in on-going reviews of incidents, threat intelligence, detections, and vulnerabilities, including to assess client and regulatory impact. Events of interest are promptly reported to the Senior Vice President (“SVP”) and Chief Legal Officer ("CLO"), and the SVP overseeing cybersecurity (“SVP Sponsor”).
Incidents are delegated to an appropriate incident response team for assessment, investigation, and remediation. Depending on the nature of the matter, the incident response team may include individuals from E&TS, the Office of the CISO, the Office of the CIO, Cyber Legal, Business Units, the Office of Privacy and Responsible Technology, Human Resources, Procurement, Finance and Operations, and Corporate Security. The incident response teams advise and consult with the CLO and the SVP Sponsor, as appropriate.
Recently Filed
Click on a ticker to see risk factors
| Ticker * | File Date |
|---|---|
| SAFX | 2 days, 21 hours ago |
| RVRC | 2 days, 21 hours ago |
| AIRS | 2 days, 21 hours ago |
| CYCU | 2 days, 21 hours ago |
| CBDY | 2 days, 21 hours ago |
| GEMI | 2 days, 21 hours ago |
| SOLC | 2 days, 21 hours ago |
| ZVSA | 2 days, 21 hours ago |
| LCGMF | 2 days, 21 hours ago |
| TRNR | 2 days, 21 hours ago |
| SLSN | 2 days, 21 hours ago |
| LTUM | 2 days, 21 hours ago |
| SVAQ | 2 days, 21 hours ago |
| INKT | 2 days, 21 hours ago |
| GNLN | 2 days, 21 hours ago |
| NCNO | 2 days, 21 hours ago |
| CEPS | 2 days, 21 hours ago |
| STSS | 2 days, 21 hours ago |
| BDCO | 2 days, 21 hours ago |
| SKAS | 2 days, 21 hours ago |
| TE | 2 days, 21 hours ago |
| JWSMF | 2 days, 21 hours ago |
| AQMS | 2 days, 21 hours ago |
| FCCI | 2 days, 21 hours ago |
| INIS | 2 days, 21 hours ago |
| DUOT | 2 days, 21 hours ago |
| GOCO | 2 days, 21 hours ago |
| PED | 2 days, 21 hours ago |
| BLNK | 2 days, 21 hours ago |
| HTCR | 2 days, 21 hours ago |
| SRG | 2 days, 21 hours ago |
| ADTX | 2 days, 21 hours ago |
| ALTI | 2 days, 21 hours ago |
| SVIX | 2 days, 21 hours ago |
| PLAY | 2 days, 21 hours ago |
| TCRT | 2 days, 21 hours ago |
| ACRG | 2 days, 21 hours ago |
| BNZI | 2 days, 21 hours ago |
| TOGI | 2 days, 21 hours ago |
| RPMT | 2 days, 21 hours ago |
| SKVI | 2 days, 21 hours ago |
| ISRLF | 2 days, 21 hours ago |
| SCWO | 2 days, 21 hours ago |
| CRAQ | 2 days, 21 hours ago |
| BITF | 2 days, 21 hours ago |
| UAVS | 2 days, 21 hours ago |
| CNTA | 2 days, 21 hours ago |
| DSS | 2 days, 21 hours ago |
| FCAP | 2 days, 21 hours ago |
| AMOD | 2 days, 21 hours ago |
