Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.

Risk Factors - IRM

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

$IRM Risk Factor changes from 00/02/24/22/2022 to 00/02/22/24/2024

Item 1A. Risk Factors" included in this Annual Report.SUSTAINABILITYAt Iron Mountain, we are using our influence and expertise to drive innovations that will not only protect and elevate the power of our customers’ work, but make a lasting, positive impact on people, planet, and performance. Our four focus areas, where we can deliver uniquely through owned operations and customers' enablement, are safeguarding our customers’ information, empowering employees, serving our communities, and protecting the environment.Iron Mountain is committed to sustainable growth, and this is highlighted through initiatives and targets within the company. We have successfully achieved seven of the ambitious sustainability goals we set in 2021 to address our environmental footprint, corporate philanthropy, volunteerism and DEI practices. We are committed to reach net zero greenhouse gas emissions by 2040. As an employer, we are committed to the safety and well-being of our employees and strive to cultivate a culture of inclusion that values diverse perspectives across our global workforce. We are committed to the safety and well-being of our employees and strive to cultivate a culture of inclusion that values diverse perspectives across our global workforce. Iron Mountain and its employees also make a social impact in the communities in which we operate through charitable giving and volunteerism.Our work continues to receive recognition. In 2023, Iron Mountain received the Low Carbon Hero Award recognizing our efforts to implement social and technical practices to reduce our carbon footprint. Also in 2023, Iron Mountain joined EV100 and is committed to electrifying 100% of our company cars and 50% of our vans by 2030. With operations in 60 countries, Iron Mountain was recognized as the most international committed fleet in the 2023 EV100 Annual Report.IRON MOUNTAIN 2023 FORM 10-K7Table of ContentsPart IIron Mountain is committed to transparent reporting on our sustainability efforts and we leverage widely adopted reporting frameworks to report annually on our results. Our annual sustainability report, aligned with the Global Reporting Initiative framework, highlights our progress against key measures of success for our community, environment and people. In addition, we continue to work to further align our reporting with the recommendations of the Financial Stability Board’s Task Force on Climate-related Financial Disclosures to disclose climate-related financial risks and opportunities, and in 2022 we completed our first climate scenario analysis. In addition, we continue to work to further align our reporting with the recommendations of the Financial Stability Board’s Task Force on Climate-related Financial Disclosures to disclose climate-related financial risks and opportunities. The process brought together our most senior leaders from across all business units and functions to explore the potential impacts of climate change related to several different warming scenarios. The analysis resulted in the identification of seven strategic themes where Iron Mountain should focus its future discussions regarding climate resilience, which include physical impacts, business strategy and innovation, and reputational and societal risks.We are a member of the FTSE4Good Index, MSCI World ESG Index, MSCI World Climate Change Index and MSCI USA ESG Select Index, each of which include companies that meet globally recognized corporate responsibility standards. We are a member of the FTSE4 Good Index, MSCI World ESG Index, MSCI World Climate Change Index and MSCI USA ESG Select Index, each of which include companies that meet globally recognized corporate responsibility standards. A copy of our sustainability responsibility report is available on the "Who we are" section of our website, www. A copy of our corporate responsibility report is available on the “About Us” section of our website, www. ironmountain.com, under the heading "Sustainability".com, under the heading “Corporate Social Responsibility. We are not including the information contained on or available through our website as part of, or incorporating such information by reference into, this Annual Report.INTERNET WEBSITEOur Internet address is www.ironmountain.com.

Under the "Investors" section on our website, we make available, free of charge, our Annual Reports on Form 10-K, our Quarterly Reports on Form 10-Q, our Current Reports on Form 8-K and amendments to those reports filed or furnished pursuant to Section 13(a) or 15(d) of the Securities Exchange Act of 1934 (the "Exchange Act") as soon as reasonably practicable after such forms are filed with or furnished to the SEC. We are not including the information contained on or available through our website as a part of, or incorporating such information by reference into, this Annual Report. Copies of our corporate governance guidelines, code of ethics and the charters of our audit, compensation, finance, nominating and governance, risk and safety, and technology committees are available on the "Investors" section of our website, www.ironmountain.com, under the heading "Corporate Governance".8IRON MOUNTAIN 2023 FORM 10-KTable of Contents Part IITEM 1A. RISK FACTORS.We face many risks. We face many risks. If any of the events or circumstances described below actually occur, we and our businesses, financial condition or results of operations could suffer, and the trading price of our debt or equity securities could decline. Our current and potential investors should consider the following risks and the information contained under the heading "Cautionary Note Regarding Forward-Looking Statements" before deciding to invest in our securities.BUSINESS RISKSFailure to execute our strategic growth plan may adversely impact our financial condition and results of operations.As part of our strategic growth plan, including Project Matterhorn, we expect to invest in our existing businesses, including records and information management storage and services businesses in our higher-growth markets, data centers, ALM business and other complementary businesses, and in new businesses, business strategies, products, services, technologies and geographies. These initiatives may involve significant risks and uncertainties, including:•our inability to maintain relationships with key customers and suppliers or to execute on our plan to incorporate the digitization of our customers’ records and new digital information technologies into our offerings;•failure to achieve satisfactory returns on new product offerings, acquired companies, joint ventures, growth initiatives, or other investments, particularly in markets where we do not currently operate or have a substantial presence;•our inability to identify suitable companies to acquire, invest in or partner with;•our inability to complete acquisitions or investments on satisfactory terms;•our inability to structure acquisitions or investments in a manner that complies with our debt covenants and is consistent with our leverage ratio goals;•challenges in managing costs to offset the impact of inflationary pressure;•increased demands on our management, operating systems, internal controls and financial and physical resources and, if necessary, our inability to successfully expand our infrastructure; •incurring additional debt necessary to acquire suitable companies or make other growth investments if we are unable to pay the purchase price or make the investment out of working capital or the issuance of our common stock or other equity securities;•our inability to manage the budgeting, forecasting and other process control issues presented by future growth, particularly with respect to new lines of business;•insufficient revenues to offset expenses and liabilities associated with new investments; and•our inability to attract, develop and retain skilled employees to lead and support our strategic growth plan, particularly in new businesses, technologies, products or offerings outside our core competencies. These initiatives may involve significant risks and uncertainties, including:•our inability to maintain relationships with key customers and suppliers or to execute on our plan to incorporate the digitization of our customers’ records and new digital information technologies into our offerings;•failure to achieve satisfactory returns on new product offerings, acquired companies, joint ventures, growth initiatives, or other investments, particularly in markets where we do not currently operate or have a substantial presence;•our inability to identify suitable companies to acquire, invest in or partner with;•our inability to complete acquisitions or investments on satisfactory terms;•our inability to structure acquisitions or investments in a manner that complies with our debt covenants and is consistent with our leverage ratio goals;•challenges in managing costs to offset the impact of inflationary pressure;•increased demands on our management, operating systems, internal controls and financial and physical resources and, if necessary, our inability to successfully expand our infrastructure; •incurring additional debt necessary to acquire suitable companies or make other growth investments if we are unable to pay the purchase price or make the investment out of working capital or the issuance of our common stock or other equity securities;•our inability to manage the budgeting, forecasting and other process control issues presented by future growth, particularly with respect to operations in countries outside of the United States or in new lines of business;•insufficient revenues to offset expenses and liabilities associated with new investments; •our inability to attract, develop and retain skilled employees to lead and support our strategic growth plan, particularly in new businesses, technologies, products or offerings outside our core competencies; and •challenges in executing on our strategic growth plan within the constraints of our REIT structure, as well as remaining REIT compliant. Our new ventures are inherently risky and we can provide no assurance that such strategies and offerings will be successful in achieving the desired returns within a reasonable timeframe, if at all, and that they will not adversely affect our business, reputation, financial condition, and operating results. If stored records and tapes become less active our service revenue growth and profits from related services may decline. As stored records and tapes become less active our service revenue growth and profits from related services may decline. Our Records Management and Data Management service revenue growth is being negatively impacted by declining activity rates as stored records and tapes are becoming less active and more archival.Our Records Management and Data Management service revenue growth is being negatively impacted by declining activity rates as stored records and tapes are becoming less active and more archival, and these activity levels were further negatively impacted by the COVID-19 pandemic. The amount of information available to customers digitally or in their own information systems has been steadily increasing in recent years, and we believe this trend will continue. As a result, our customers are less likely than they have been in the past to retrieve records and rotate tapes, thereby reducing their activity levels. At the same time, many of our costs related to records and tape related services remain relatively fixed. In addition, our reputation for providing secure information storage is critical to our success, and actions to manage cost structure, such as outsourcing certain transportation, security or other functions, could negatively impact our reputation and adversely affect our business, and, if we are unable to appropriately align our cost structure with decreased levels of service activity, our operating results could be adversely affected. In addition, our reputation for providing secure information storage is critical to our success, and actions to manage cost structure, such as outsourcing certain transportation, security or other functions, could negatively impact our reputation and adversely affect our business. IRON MOUNTAIN 2023 FORM 10-K9Table of ContentsPart IOur customers may shift from paper and tape storage to alternative technologies that may shift our revenue mix away from storage revenue.We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Storage volume and/or demand for our traditional storage related services may decline as our customers adopt alternative storage technologies or as retention requirements evolve, which may require significantly less space than traditional physical records and tape storage. While volumes in our Global RIM Business segment were relatively steady in 2023 and we expect them to remain relatively consistent in the near term, we can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile.We and our customers are subject to laws and governmental regulations relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business.We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with data privacy regulations, and that we assume higher liability under our contracts. In addition, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with data privacy regulations, and that we assume higher liability under our contracts. We have an established privacy compliance framework and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could result in the curtailment of certain of our operations, the imposition of fines and penalties, liability resulting from litigation, restrictions on our ability to carry on or expand our operations, significant costs and expenses and reputational harm. Expansion into Digital and ALM services means that our privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging artificial intelligence ("AI") regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues, and adversely affect our business, financial condition and results of operations.Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to attacks by hackers, including state-sponsored organizations with significant financial and technological resources, breaches due to employee error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service, and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. We have outsourced, and expect to continue to outsource, certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties, and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations.Failure to successfully integrate acquired businesses could negatively impact our balance sheet and results of operations.Strategic acquisitions are an important element of our growth strategy and the success of any acquisition we make depends in part on our ability to integrate the acquired business and realize anticipated synergies. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve unforeseen difficulties and may require a disproportionate amount of our management’s attention and our financial and other resources.10IRON MOUNTAIN 2023 FORM 10-KTable of Contents Part IFor example, the success of our significant acquisitions depends, in large part, on our ability to realize the anticipated benefits, including cost savings or revenue acceleration from combining the acquired businesses with ours.10IRON MOUNTAIN 2021 FORM 10-KTable of Contents Part IAttacks on our internal IT systems could damage our reputation, cause us to lose revenues, and adversely affect our business, financial condition and results of operations. To realize these anticipated benefits, we must be able to successfully integrate our business and the acquired businesses, and this integration is complex and time-consuming. We may encounter challenges in the integration process including the following:•challenges and difficulties associated with managing our larger, more complex, company;•conforming standards, controls, procedures and policies, business cultures and compensation and benefits structures between the two businesses;•consolidating corporate and administrative infrastructures;•coordinating geographically dispersed organizations;•retaining critical acquired talent;•potential unknown liabilities and unforeseen expenses or delays associated with an acquisition; and•our ability to deliver on our strategy going forward.Further, our acquisitions subject us to liabilities (including tax liabilities) that may exist at an acquired company, some of which may be unknown. Although we and our advisors conduct due diligence on the businesses we acquire, there can be no guarantee that we are aware of all liabilities of an acquired company. These liabilities, and any additional risks and uncertainties related to an acquired company not known to us or that we may deem immaterial or unlikely to occur at the time of the acquisition, could negatively impact our future business, financial condition and results of operations.We can give no assurance that we will ultimately be able to effectively integrate and manage the operations of any acquired business or realize anticipated synergies. The failure to successfully integrate the cultures, operating systems, procedures and information technologies of an acquired business could have a material adverse effect on our financial condition and results of operations.Our future growth depends in part upon our ability to continue to effectively manage and execute on revenue management.Over the past several years, our organic revenue growth has been positively impacted by our ability to effectively introduce, expand and monitor revenue management.Over the past several years, our organic revenue growth has been positively impacted by our ability to effectively introduce, expand and monitor revenue management initially in our more established markets, and subsequently in our higher-growth markets. If we are not able to continue and effectively manage pricing, our results of operations could be adversely affected and we may not be able to execute on our strategic growth plan.Our customer contracts may not always limit our liability and may sometimes contain terms that could subject us to significant liability or lead to disputes in contract interpretation.Our customer contracts may not always limit our liability and may sometimes contain terms that could lead to disputes in contract interpretation. Our customer contracts typically contain standardized provisions limiting our liability regarding the services we perform and the loss or destruction of, or damage to, records, information, or other items stored with us; however, some of our contracts with large customers and some of the contracts assumed in our acquisitions contain no such limits or contain non-standard limits. We can provide no assurance that our limitation of liability provisions will be enforceable in all instances or, if enforceable, that they would otherwise protect us from liability. In the past, we have had relatively few disputes with our customers regarding the terms of their customer contracts, and most disputes to date have not been material, but we can provide no assurance that we will not have material disputes in the future. Moreover, as we expand our operations into new businesses, including digital solutions, ALM, and the storage of valuable items, and respond to customer demands for higher limitation of liability, our exposure to contracts with higher or no limitations of liability and disputes with customers over contract interpretation may increase. Moreover, as we expand our operations in digital solutions and the storage of valuable items and respond to customer demands for higher limitation of liability, our exposure to contracts with higher or no limitations of liability and disputes with customers over contract interpretation may increase. Although we maintain a comprehensive insurance program, we can provide no assurance that we will be able to maintain insurance policies on acceptable terms or with high enough coverage amounts to cover losses to us in connection with customer contract disputes.IRON MOUNTAIN 2023 FORM 10-K11Table of ContentsPart IAs a global company, we are subject to the unique risks of operating in many countries.As of December 31, 2023, we operated in 60 countries.As of December 31, 2021, we operated in over 60 countries outside the United States. The global nature of our business and our growth strategy, which includes continued acquisitions and investments in countries where we do not currently operate, is subject to numerous risks, including:•fluctuations of currency exchange rates in the markets in which we operate;•the impact of laws and regulations that apply to us in countries in which we operate or have made investments; in particular, we are subject to sanctions and anti-corruption laws, such as the Foreign Corrupt Practices Act and the United Kingdom Bribery Act, and, although we have implemented internal controls, policies and procedures and training to deter prohibited practices, our employees, partners, contractors or agents may violate or circumvent such policies and the law; •costs and difficulties associated with managing global operations, including cross-border sales;•the volatility of certain economies in which we operate;•political uncertainties and changes in the global political climate or other global events, such as trade wars or global pandemics, which may create additional risk in relation to our global operations, which may become more pronounced as we consolidate operations across countries and need to move data across borders; •the risk that business partners upon whom we depend for technical assistance or management and acquisition expertise in some markets will not perform as expected;•difficulties attracting and retaining local management and key employees to operate our business in certain countries; and•cultural differences and differences in business practices and operating standards, as well as risks and challenges in expanding into countries where we have no prior operational experience.If we fail to meet our commitment to transition to more renewable and sustainable sources of energy, it may negatively impact our ability to attract and retain customers, employees and investors who focus on this commitment. Furthermore, changes to environmental laws and standards may increase the cost to operate some of our businesses. This could impact our results of operations, our competitiveness and the trading value of our stock. This could impact our results of operations and the trading of our stock. We have made a commitment to prioritize sustainable energy practices, reduce our carbon footprint and transition to more renewable and sustainable sources of energy, particularly in our Global Data Center Business. We have made progress towards reducing our carbon footprint, but if we are not successful in continuing this reduction or if our customers, employees and investors are not satisfied with our sustainability efforts, it may negatively impact our ability to attract and retain customers, employees and investors who focus on this commitment. This could negatively impact our results of operations and the trading of our stock.Furthermore, changes in environmental laws in any jurisdiction in which we operate could increase compliance costs or impose limitations on our operations. For example, our emergency generators at our data centers are subject to regulations and permit requirements governing air pollutants, and the heating, ventilation and air conditioning and fire suppression systems at some of our data centers and data management locations may include ozone-depleting substances that are subject to regulation. While environmental regulations do not normally impose material costs upon operations at our facilities, unexpected events, equipment malfunctions, human error and changes in law or regulations, among other factors, could result in unexpected costs, which could be material.Our use of joint ventures or other co-investment vehicles could expose us to additional risks and liabilities, including our reliance on joint venture or other co-investment vehicles partners who may have economic and business interests that are inconsistent with our business interests and our lack of sole decision-making authority.Our use of joint ventures could expose us to additional risks and liabilities, including our reliance on joint venture partners who may have economic and business interests that are inconsistent with our business interests, our lack of sole decision-making authority, and disputes between us and our joint venture partners. As part of our growth strategy, particularly in connection with our international and data center expansion, we currently, and may in the future, co-invest with third parties using joint ventures or other co-investment vehicles. These ventures can result in our holding non-controlling interests in, or having responsibility for managing the affairs of, a property or portfolio of properties, business, partnership, joint venture or other entity. These joint ventures can result in our holding non-controlling interests in, or having shared responsibility for managing the affairs of, a property or portfolio of properties, business, partnership, joint venture or other entity. In connection with our pursuit or entrance into any such venture, we may be subject to additional risks, including:•our ability to sell our interests in the venture may be limited by the venture agreement; •we may not have the right to exercise sole decision-making authority regarding the properties, business, partnership, venture or other entity;•we may be liable for the venture's failure to comply with applicable law despite only having a non-controlling interest in the venture;•if our partners become bankrupt or fail to fund their share of required capital contributions, we may choose or be required to contribute unplanned capital; and•our partners may have economic, tax or other interests or goals that are inconsistent with our interests or goals, and that could affect our ability to negotiate satisfactory venture terms, to operate the property or business or maintain our qualification for taxation as a REIT.Each of these factors may result in returns on these investments being less than we expect or in losses, and our financial and operating results may be adversely affected. 12IRON MOUNTAIN 2023 FORM 10-KTable of Contents Part ISignificant costs or disruptions at our data centers could adversely affect our business, financial condition and results of operations.14IRON MOUNTAIN 2021 FORM 10-KTable of Contents Part IWe may be subject to certain costs and potential liabilities associated with the real estate required for our business. Our Global Data Center Business depends on providing customers with highly reliable facilities, power infrastructure and operations solutions, and we will need to retain and hire qualified personnel to manage our data centers. Service interruptions or significant equipment damage could result in difficulty maintaining service-level commitment obligations that we owe to certain of our customers. Service interruptions or significant equipment damage could result in difficulty maintaining service level commitment obligations that we owe to certain of our customers. Service interruptions or equipment damage may occur at one or more of our data centers because of numerous factors, including: human error; equipment failure; physical, electronic and cyber security breaches; fire, hurricane, flood, earthquake and other natural disasters; water damage; fiber cuts; extreme temperatures; power loss or telecommunications failure; war, terrorism and any related conflicts or similar events worldwide; and sabotage and vandalism. We purchase significant amounts of electricity and water for cooling from suppliers that are subject to environmental laws, regulations and permit requirements. We also purchase significant amounts of electricity from generating facilities and utility companies that are subject to environmental laws, regulations and permit requirements. These environmental requirements are subject to material change, which could result in increases in our suppliers’ compliance costs that may be passed through to us or otherwise constrain the availability of such resources. These environmental requirements are subject to material change, which could result in increases in our electricity suppliers’ compliance costs that may be passed through to us. In addition, climate change may increase the likelihood that our data centers are affected by some of these factors.While these risks could impact our overall business, they could have a more significant impact on our Global Data Center Business, where we have service-level commitment obligations to certain of our customers. As a result, service interruptions or significant equipment damage at our data centers could result in difficulty maintaining service-level commitments to these customers and potential claims related to such failures. As a result, service interruptions or significant equipment damage at our data centers could result in difficulty maintaining service level commitments to these customers and potential claims related to such failures. Because our data centers are critical to many of our customers’ businesses, service interruptions or significant equipment damage at our data centers could also result in lost profits or other indirect or consequential damages to our customers, which could in turn result in contractual liability to our customers or impair our ability to obtain and retain customers, which would adversely affect both our ability to generate revenue and our results of operations. Because our data centers are critical to many of our customers’ businesses, service interruptions or significant equipment damage at our data centers could also result in lost profits or other indirect or consequential damages to our customers. We also rely on third party telecommunications carriers to provide internet connectivity to our customers. We also rely on third party telecommunications carriers to provide internet connectivity to our customers. These carriers may elect not to offer or to restrict their services within our data centers or may elect to discontinue such services. Furthermore, carriers may face business difficulties, which could affect their ability to provide telecommunications services or the quality of such services. If connectivity is interrupted or terminated, our financial condition and results of operations may be adversely affected. Events such as these may also impact our reputation as a data center provider which could adversely affect our results of operations.Our Global Data Center Business is susceptible to regional costs of power, power shortages, planned or unplanned power outages and limitations on the availability of adequate power resources. We rely on third parties to provide power to our data centers. We are therefore subject to an inherent risk that such third parties may fail to deliver such power in adequate quantities or on a consistent basis. If the power delivered to our data centers is insufficient or interrupted, we would be required to provide power through the operation of our on-site generators, generally at a significantly higher operating cost. Additionally, global fluctuations in the price of power can increase the cost of energy, and we may be limited in our ability to, or may not always choose to, pass these increased costs on to our customers. We face additional risks in expanding our Global Data Center Business, including the significant amount of capital required.We face additional risks in expanding our Global Data Center Business, including the significant amount of capital required. Expanding our Global Data Center Business requires significant capital commitments. In addition, we may be required to commit significant operational and financial resources in connection with the organic growth of our Global Data Center Business, generally 12 to 24 months in advance of securing customer contracts, and we may not have enough customer demand to support these data centers when they are built.We are currently experiencing rising construction costs which reflect the increase in cost of labor and raw materials, as well as supply chain and logistical challenges. Additional or unexpected disruptions to our supply chain, continued inflationary pressures or high interest rates, or changes in customer requirements could significantly affect the cost or timing of our planned expansion projects and interfere with our ability to meet commitments to customers who have contracted for space in new data centers under construction. All construction-related data center projects require us to carefully select, manage, and rely on the experience of one or more design firms, general contractors, and associated subcontractors during the design and construction process, and to obtain critical government permits and authorizations. Should a design firm, general contractor, significant subcontractor, or key supplier experience financial or operational problems during the design or construction process or fail to perform properly, or should we be unable to obtain, or experience delays in obtaining, all necessary zoning, land-use, building, occupancy and other governmental permits and authorizations, we could experience significant delays, increased costs to complete the project, penalties under customer preleases and other negative impacts to the expected return on our committed capital. There can be no assurance we will have sufficient customer demand to support the data centers we have acquired, or that we will not be adversely affected by the risks noted above under "Significant costs or disruptions at our data centers could adversely affect our business, financial condition and results of operations", which could make it difficult for us to realize expected returns on our investments, if any.IRON MOUNTAIN 2023 FORM 10-K13Table of ContentsPart IOur ALM business may be subject to additional risks, including those related to its client and geographic concentration, government trade policies, and macroeconomic conditions.IRON MOUNTAIN 2021 FORM 10-K11Table of ContentsPart IFurthermore, changes in environmental laws in any jurisdiction in which we operate could increase compliance costs or impose limitations on our operations. A significant portion of the revenue from our ALM business is derived from a limited number of clients and tied to cyclical projects involving the decommissioning and destruction of IT assets and the disposition of components of such assets to purchasers in concentrated geographies. Though we generally enter into long-term contracts with such clients, the volume of work we perform for specific clients may vary over the life of each contract due to various factors including changes in client behavior or macroeconomic conditions impacting the availability of new IT assets in the marketplace. There can be no assurance that we will be able to retain our current volumes, existing clients or that, if we were to lose one or more of our significant clients, we would be able to replace such clients with clients that generate a comparable amount of revenue. Further, many of the purchasers of the decommissioned IT asset components are geographically concentrated, particularly within mainland China. If governments enact trade policies that restrict the export of IT assets into China or other markets in which we sell decommissioned IT asset components, or increase the enforcement of such policies, then the revenue from the sale of these assets may be negatively impacted. Additionally, uncertain macroeconomic conditions, particularly within mainland China, may reduce our purchasers’ demand for the IT asset components that we sell, thereby reducing our revenues and earnings.Failure to comply with certain regulatory and contractual requirements under our United States Government contracts could adversely affect our revenues, operating results and financial position and reputation. Failure to comply with certain regulatory and contractual requirements under our United States Government contracts could adversely affect our revenues, operating results and financial position and reputation. Having the United States Government as a customer subjects us to certain regulatory and contractual requirements. Failure to comply with these requirements could subject us to investigations, price reductions, up to treble damages, and civil penalties. Noncompliance with certain regulatory and contractual requirements could also result in us being suspended or debarred from future United States Government contracting. We may also face private derivative securities claims because of adverse government actions. Any of these outcomes could have a material adverse effect on our revenues, operating results, financial position and reputation.We may be subject to certain costs and potential liabilities associated with the real estate required for our business.As of December 31, 2023, we operated approximately 1,400 facilities worldwide, including approximately 600 in the United States, and face special risks attributable to the real estate we own or lease. Such risks include:•acquisition and occupancy costs that make it difficult to meet anticipated margins and difficulty locating suitable facilities due to a relatively small number of available buildings having the desired characteristics in some real estate markets; •increases in rent expense and property taxes as a result of the increasing demand for industrial real estate;•uninsured losses or damage to our facilities due to an inability to obtain full coverage on a cost-effective basis for some casualties, such as fires, hurricanes and earthquakes, or any coverage for certain losses, such as losses from riots or terrorist activities;•inability to use our real estate holdings effectively and costs associated with vacating or consolidating facilities if the demand for physical storage were to diminish;•liability under environmental laws for the costs of investigation and cleanup of contaminated real estate owned or leased by us, whether or not (i) we know of, or were responsible for, the contamination, or (ii) the contamination occurred while we owned or leased the property; and•costs of complying with fire protection and safety standards. Such risks include:•acquisition and occupancy costs that make it difficult to meet anticipated margins and difficulty locating suitable facilities due to a relatively small number of available buildings having the desired characteristics in some real estate markets; •increases in rent expense and property tax as a result of the increasing demand for industrial real estate;•uninsured losses or damage to our storage facilities due to an inability to obtain full coverage on a cost-effective basis for some casualties, such as fires, hurricanes and earthquakes, or any coverage for certain losses, such as losses from riots or terrorist activities;•inability to use our real estate holdings effectively and costs associated with vacating or consolidating facilities if the demand for physical storage were to diminish; and•liability under environmental laws for the costs of investigation and cleanup of contaminated real estate owned or leased by us, whether or not (i) we know of, or were responsible for, the contamination, or (ii) the contamination occurred while we owned or leased the property. Some of our current and formerly owned or leased properties were previously used by entities other than us for industrial or other purposes, or were affected by waste generated from nearby properties, that involved the use, storage, generation and/or disposal of hazardous substances and wastes, including petroleum products. In some instances, this prior use involved the operation of underground storage tanks or the presence of asbestos-containing materials. Where we are aware of environmental conditions that require remediation, we undertake appropriate activity, in accordance with all legal requirements. Although we have from time to time conducted limited environmental investigations and remedial activities at some of our former and current facilities, we have not undertaken an environmental review of all of our properties, including those we have acquired. We therefore may be potentially liable for environmental costs like those discussed above and may be unable to sell, rent, mortgage or use contaminated real estate owned or leased by us. Environmental conditions for which we might be liable may also exist at properties that we may acquire in the future. In addition, future regulatory action and environmental laws may impose costs for environmental compliance that do not exist today.14IRON MOUNTAIN 2023 FORM 10-KTable of Contents Part IUnexpected events, including those resulting from climate change or geopolitical events, could disrupt our operations and adversely affect our reputation and results of operations.10IRON MOUNTAIN 2021 FORM 10-KTable of Contents Part IAttacks on our internal IT systems could damage our reputation, cause us to lose revenues, and adversely affect our business, financial condition and results of operations. Unexpected events, including fires or explosions at our facilities, war or other military conflict, terrorist activities, natural disasters such as earthquakes and wildfires, unplanned power outages, supply disruptions, failure of equipment or systems, and severe weather events, such as droughts, heat waves, hurricanes, and flooding, could adversely affect our reputation and results of operations through physical damage to our facilities and equipment and through physical damage to, or disruption of, local infrastructure.Unexpected events, including fires or explosions at our facilities, war or other military conflict, including an escalation of the conflict between Russia and Ukraine, or terrorist activities, natural disasters such as earthquakes and wildfires, unplanned power outages, supply disruptions, failure of equipment or systems, and severe weather events, such as droughts, heat waves, hurricanes, and flooding, could adversely affect our reputation and results of operations through physical damage to our facilities and equipment and through physical damage to, or disruption of, local infrastructure. During the past several years, we have seen an increase in the frequency and intensity of severe weather events and we expect this trend to continue due to climate change. Some of our key facilities worldwide are vulnerable to severe weather events, and global weather pattern changes may also pose long-term risks of physical impacts to our business. Our customers rely on us to securely store and timely retrieve their critical information, and, while we maintain disaster recovery and business continuity plans that would be implemented in these situations, these unexpected events could result in customer service disruption, physical damage to one or more key operating facilities and the information stored in those facilities, the closure of one or more key operating facilities or the disruption of information systems, each of which could negatively impact our reputation and results of operations. Our customers rely on us to securely store and timely retrieve their critical information, and, while we maintain disaster recovery and business continuity plans that would be implemented in these situations, these unexpected events could result in customer service disruption, physical damage to one or more key operating facilities and the information stored in those facilities, the temporary closure of one or more key operating facilities or the temporary disruption of information systems, each of which could negatively impact our reputation and results of operations. In addition, these unexpected events could negatively impact our reputation if such events result in adverse publicity, governmental investigations or litigation or if customers do not otherwise perceive our response to be adequate. Fluctuations in commodity prices may affect our operating revenues and results of operations.Our operating revenues and results of operations are impacted by significant changes in commodity prices. In particular, our secure shredding operations generate revenue from the sale of shredded paper for recycling. Further, significant declines in the cost of paper may continue to negatively impact our revenues and results of operations, and increases in other commodity prices, including steel, may negatively impact our results of operations.Failure to manage and adequately implement our new IT systems could negatively affect our business.We rely on IT infrastructure, including hardware, networks, software, people and processes, to provide information to support assessments and conclusions about our operating performance. We are in the process of upgrading a number of our IT systems, including consolidating our existing finance operations platforms, and we face risks relating to these transitions. For example, we may incur greater costs than we anticipate training our personnel on the new systems, we may experience service disruptions or errors in accurately capturing data or retaining our records, and we may be delayed in meeting our various reporting obligations. There can be no assurance that we will manage our IT systems and implement these new systems as planned or that we will do so without disruptions to our operations, which could have an adverse effect on our business, financial condition, results of operations and cash flows.RISKS RELATED TO OUR INDEBTEDNESSOur indebtedness could adversely affect our financial health and prevent us from fulfilling our obligations under our various debt instruments.As of December 31, 2023, our total long-term debt was approximately $12,034. As of December 31, 2021, our total long-term debt was approximately $9. 6 million, stockholders equity was approximately $211.6 million and we had cash and cash equivalents of approximately $222.8 million. Our indebtedness could have important consequences to our current and potential investors. Our substantial indebtedness could have important consequences to our current and potential investors. These risks include:•inability to satisfy our obligations with respect to our various debt instruments;•inability to make borrowings to fund future working capital, capital expenditures and strategic growth opportunities, including acquisitions, further organic development of, and investment into, our Global Data Center Business, ALM and Fine Arts businesses and other service offerings, and other general corporate requirements, including possible required repurchases, redemptions or prepayments of our various indebtedness;•limits on our distributions to stockholders; in this regard if these limits prevented us from satisfying our REIT distribution requirements, we could fail to remain qualified for taxation as a REIT or, if these limits do not jeopardize our qualification for taxation as a REIT but do nevertheless prevent us from distributing 100% of our REIT taxable income, we will be subject to federal corporate income tax, and potentially a nondeductible excise tax, on the retained amounts;•limits on future borrowings under our existing or future credit arrangements, which could affect our ability to pay our indebtedness or to fund our other liquidity needs;•inability to generate sufficient funds to cover required interest payments;•restrictions on our ability to refinance our indebtedness on commercially reasonable terms;•limits on our flexibility in planning for, or reacting to, changes in our business and the information management services industry; and•inability to adjust to adverse economic conditions that could place us at a disadvantage to our competitors with less debt and who, therefore, may be able to take advantage of opportunities that our indebtedness prevents us from pursuing. These risks include:•inability to satisfy our obligations with respect to our various debt instruments;•inability to make borrowings to fund future working capital, capital expenditures and strategic growth opportunities, including acquisitions, further organic development of our Global Data Center Business and expansions into adjacent businesses and other service offerings, and other general corporate requirements, including possible required repurchases, redemptions or prepayments of our various indebtedness;•limits on our distributions to stockholders; in this regard if these limits prevented us from satisfying our REIT distribution requirements, we could fail to remain qualified for taxation as a REIT or, if these limits do not jeopardize our qualification for taxation as a REIT but do nevertheless prevent us from distributing 100% of our REIT taxable income, we will be subject to federal corporate income tax, and potentially a nondeductible excise tax, on the retained amounts;•limits on future borrowings under our existing or future credit arrangements, which could affect our ability to pay our indebtedness or to fund our other liquidity needs;•inability to generate sufficient funds to cover required interest payments;•restrictions on our ability to refinance our indebtedness on commercially reasonable terms;•limits on our flexibility in planning for, or reacting to, changes in our business and the information management services industry; and•inability to adjust to adverse economic conditions that could place us at a disadvantage to our competitors with less debt and who, therefore, may be able to take advantage of opportunities that our indebtedness prevents us from pursuing. Certain of our indebtedness, including indebtedness under our credit agreement, is paid at floating interest rates, and as a result, our interest expense or the cost of our debt may increase due to rising interest rates or changes to benchmark rates.IRON MOUNTAIN 2023 FORM 10-K15Table of ContentsPart IRestrictive debt covenants may limit our ability to pursue our growth strategy.Our Credit Agreement and our indentures contain covenants restricting or limiting our ability to, among other things:•incur additional indebtedness;•pay dividends or make other restricted payments;•make asset dispositions;•create or permit liens;•sell, transfer or exchange assets;•guarantee certain indebtedness;•make acquisitions and other investments; and•enter into partnerships, joint ventures and co-investment vehicles.These restrictions and our long-term commitment to maintain our leverage ratio may adversely affect our ability to pursue our acquisition and other growth strategies, including our strategic growth plan.These restrictions and our long-term commitment to reduce our leverage ratio may adversely affect our ability to pursue our acquisition and other growth strategies, including our strategic growth plan. We may not have the ability to raise the funds necessary to finance the repurchase of outstanding senior notes upon a change of control event as required by our indentures.Upon the occurrence of a "change of control", as defined in our indentures, we will be required to offer to repurchase all of our outstanding senior notes. However, it is possible that we will not have sufficient funds at the time of a change of control to make the required repurchase of any outstanding notes or that restrictions in our Credit Agreement will not allow such repurchases. Certain important corporate events, however, such as leveraged recapitalizations that would increase the level of our indebtedness, would not constitute a "change of control" under our indentures.IMI is a holding company, and, therefore, its ability to make payments on its various debt obligations depends in large part on the operations of its subsidiaries.IMI is a holding company; substantially all of its assets consist of the equity in its subsidiaries, and substantially all of its operations are conducted by its direct and indirect consolidated subsidiaries. As a result, its ability to make payments on its debt obligations will be dependent upon the receipt of sufficient funds from its subsidiaries, whose ability to distribute funds may be limited by local capital requirements, joint venture and co-investment vehicle structures and other applicable restrictions. As a result, its ability to make payments on its debt obligations will be dependent upon the receipt of sufficient funds from its subsidiaries, whose ability to distribute funds may be limited by local capital requirements, joint venture structures and other applicable restrictions. However, our various debt obligations are guaranteed, on a joint and several and full and unconditional basis, by IMI’s U.S. subsidiaries that represent the substantial majority of its U.S. operations.RISKS RELATED TO OUR TAXATION AS A REITIf we fail to remain qualified for taxation as a REIT, we will be subject to tax at corporate income tax rates and will not be able to deduct distributions to stockholders when computing our taxable income.We have elected to be taxed as a REIT for federal income tax purposes beginning with our 2014 taxable year. We believe that our organization and method of operation comply with the rules and regulations promulgated under the Internal Revenue Code of 1986, as amended (the "Code"), such that we will continue to qualify for taxation as a REIT. However, we can provide no assurance that we will remain qualified for taxation as a REIT. We also have invested in a subsidiary that has elected to be taxed as a REIT and therefore must independently satisfy all REIT qualification requirements, and we may in the future invest in other such subsidiaries. If such subsidiary REIT were to fail to qualify as a REIT, it may cause us to fail to remain qualified for taxation as a REIT. If we fail to remain qualified for taxation as a REIT, including as a result of a cascading failure of any subsidiary REIT to remain qualified as a REIT, we will be subject to federal income taxation at corporate income tax rates unless certain relief provisions apply.Qualification for taxation as a REIT involves the application of highly technical and complex provisions of the Code to our operations, as well as various factual determinations concerning matters and circumstances not entirely within our control. There are limited judicial or administrative interpretations of applicable REIT provisions of the Code.If, in any taxable year, we fail to remain qualified for taxation as a REIT and are not entitled to relief under the Code:•we will not be allowed a deduction for distributions to stockholders in computing our taxable income;•we will be subject to federal and state income tax on our taxable income at regular corporate income tax rates; and•we would not be eligible to elect REIT status again until the fifth taxable year that begins after the first year for which we failed to qualify for taxation as a REIT.Any such corporate tax liability could be substantial and would reduce the amount of cash available for other purposes. If we fail to remain qualified for taxation as a REIT, we may need to borrow additional funds or liquidate some investments to pay any additional tax liability. Accordingly, funds available for investment and distributions to stockholders could be reduced.16IRON MOUNTAIN 2023 FORM 10-KTable of Contents Part IAs a REIT, failure to make required distributions would subject us to federal corporate income tax.14IRON MOUNTAIN 2021 FORM 10-KTable of Contents Part IWe may be subject to certain costs and potential liabilities associated with the real estate required for our business. We expect to continue paying regular quarterly distributions; however, the amount, timing and form of our regular quarterly distributions will be determined, and will be subject to adjustment, by our board of directors. To remain qualified for taxation as a REIT, we are generally required to distribute at least 90% of our REIT taxable income (determined without regard to the dividends paid deduction and excluding net capital gain) each year, or in limited circumstances, the following year, to our stockholders. Generally, we expect to distribute all or substantially all of our REIT taxable income. If our cash available for distribution falls short of our estimates, we may be unable to maintain distributions that approximate our REIT taxable income and may fail to remain qualified for taxation as a REIT. In addition, our cash flows from operations may be insufficient to fund required distributions as a result of nondeductible expenditures or as a result of differences in timing between the actual receipt of income and the payment of expenses and the recognition of income and expenses for federal income tax purposes. In addition, our cash flows from operations may be insufficient to fund required distributions as a result of differences in timing between the actual receipt of income and the payment of expenses and the recognition of income and expenses for federal income tax purposes, or the effect of nondeductible expenditures. To the extent that we satisfy the 90% distribution requirement but distribute less than 100% of our REIT taxable income, we will be subject to federal corporate income tax on our undistributed taxable income. In addition, we will be subject to a 4% nondeductible excise tax on our undistributed taxable income if the actual amount that we distribute to our stockholders for a calendar year is less than the minimum amount specified under the Code.We may be required to borrow funds, sell assets or raise equity to satisfy our REIT distribution requirements, to comply with asset ownership tests or to fund capital expenditures, future growth and expansion initiatives.In order to satisfy our REIT distribution requirements and maintain our qualification and taxation as a REIT, or to fund capital expenditures, future growth and expansion initiatives, we may need to borrow funds, sell assets or raise equity, even if our financial condition or the then-prevailing market conditions are not favorable for these borrowings, sales or offerings. Furthermore, the REIT distribution requirements and our commitment to investors on dividend growth may result in increasing our financing needs to fund capital expenditures, future growth and expansion initiatives, which would increase our indebtedness. An increase in our outstanding debt could lead to a downgrade of our credit ratings, which could negatively impact our ability to access credit markets. Further, certain of our current debt instruments limit the amount of indebtedness we and our subsidiaries may incur. Additional financing, therefore, may be unavailable, more expensive or restricted by the terms of our outstanding indebtedness. For a discussion of risks related to our substantial level of indebtedness, see "Risks Related to Our Indebtedness".Complying with REIT requirements may limit our flexibility, cause us to forgo otherwise attractive opportunities that we would otherwise pursue to execute our strategic growth plan, or otherwise reduce our income and amounts available for distribution to our stockholders.”IRON MOUNTAIN 2021 FORM 10-K17Table of ContentsPart IComplying with REIT requirements may limit our flexibility, cause us to forgo otherwise attractive opportunities that we would otherwise pursue to execute our strategic growth plan, or otherwise reduce our income and amounts available for distribution to our stockholders. To remain qualified for taxation as a REIT, we must satisfy tests concerning, among other things, the sources of our income, the nature and diversification of our assets and the amounts we distribute to our stockholders. Thus, compliance with these tests may require us to refrain from certain activities and may hinder our ability to make certain attractive investments, including the purchase of non-REIT qualifying operations or assets, the expansion of non-real estate activities, and investments in the businesses to be conducted by our taxable REIT subsidiaries ("TRSs"), and, to that extent, limit our opportunities and our flexibility to change our business strategy and execute on our strategic growth plan. Thus, compliance with these tests may require us to refrain from certain activities and may hinder our ability to make certain attractive investments, including the purchase of non-REIT qualifying operations or assets, the expansion of non-real estate activities, and investments in the businesses to be conducted by our TRSs, and, to that extent, limit our opportunities and our flexibility to change our business strategy and execute on our strategic growth plan. This may restrict our ability to acquire certain businesses, enter into joint ventures or co-investment vehicles, or acquire minority interests of companies. This may restrict our ability to acquire certain businesses, enter into joint ventures or acquire minority interests of companies. Furthermore, acquisition opportunities in domestic and international markets may be adversely affected if we need or require the target company to comply with some REIT requirements prior to closing.We conduct a significant portion of our business activities, including our information management services businesses and several of our international operations, through domestic and foreign TRSs. Under the Code, no more than 20% of the value of the assets of a REIT may be represented by securities of one or more TRSs. Similar rules apply to other nonqualifying assets. These limitations may affect our ability to make additional investments in non-REIT qualifying operations or assets or in international operations through TRSs.If we fail to comply with specified asset ownership tests applicable to REITs as measured at the end of any calendar quarter, we generally must correct such failure within 30 days after the end of the applicable calendar quarter or qualify for statutory relief provisions to avoid losing our qualification for taxation as a REIT. As a result, we may be required to liquidate assets or to forgo our pursuit of otherwise attractive investments or executing on portions of our strategic growth plan. These actions may reduce our income and amounts available for distribution to our stockholders.As a REIT, we are limited in our ability to fund distribution payments using cash generated through our TRSs.Our ability to receive distributions from our TRSs is limited by the rules with which we must comply to maintain our qualification for taxation as a REIT. In particular, at least 75% of our gross income for each taxable year as a REIT must be derived from real estate, which generally includes gross income from providing customers with secure storage space or colocation or wholesale data center space. Consequently, no more than 25% of our gross income may consist of dividend income from our TRSs and other nonqualifying types of income. Thus, our ability to receive distributions from our TRSs may be limited, which may impact our ability to fund distributions to our stockholders using cash flows from our TRSs. Specifically, if our TRSs become highly profitable, we might become limited in our ability to receive net income from our TRSs in an amount required to fund distributions to our stockholders commensurate with that profitability.IRON MOUNTAIN 2023 FORM 10-K17Table of ContentsPart IIn addition, a significant amount of our income and cash flows from our TRSs is generated from our international operations. In many cases, there are local withholding taxes and currency controls that may impact our ability or willingness to repatriate funds to the United States to help satisfy REIT distribution requirements.Our extensive use of TRSs, including for certain of our international operations, may cause us to fail to remain qualified for taxation as a REIT.Our operations include an extensive use of TRSs. The net income of our TRSs is not required to be distributed to us, and income that is not distributed to us generally is not subject to the REIT income distribution requirement. However, there may be limitations on our ability to accumulate earnings in our TRSs and the accumulation or reinvestment of significant earnings in our TRSs could result in adverse tax treatment. In particular, if the accumulation of cash in our TRSs causes (i) the fair market value of our securities in our TRSs to exceed 20% of the fair market value of our assets or (ii) the fair market value of our securities in our TRSs and other nonqualifying assets to exceed 25% of the fair market value of our assets, then we will fail to remain qualified for taxation as a REIT. In particular, if the accumulation of cash in our TRSs causes (1) the fair market value of our securities in our TRSs to exceed 20% of the fair market value of our assets or (2) the fair market value of our securities in our TRSs and other nonqualifying assets to exceed 25% of the fair market value of our assets, then we will fail to remain qualified for taxation as a REIT. Further, a substantial portion of our operations are conducted overseas, and a material change in foreign currency rates could also affect the value of our foreign holdings in our TRSs, negatively impacting our ability to remain qualified for taxation as a REIT.Even if we remain qualified for taxation as a REIT, some of our business activities are subject to corporate level income tax and foreign taxes, which will continue to reduce our cash flows, and we will have potential deferred and contingent tax liabilities.Even if we remain qualified for taxation as a REIT, we may be subject to some federal, state, local and foreign taxes, including taxes on any undistributed income, and state, local or foreign income, franchise, property and transfer taxes. In addition, we could in certain circumstances be required to pay an excise or penalty tax, which could be significant in amount, in order to utilize one or more relief provisions under the Code to maintain our qualification for taxation as a REIT.A portion of our business is conducted through TRSs because certain of our business activities could generate nonqualifying REIT income as currently structured and operated.A portion of our business is conducted through wholly-owned TRSs because certain of our business activities could generate nonqualifying REIT income as currently structured and operated. The income of our domestic TRSs will continue to be subject to federal and state corporate income taxes. In addition, our international assets and operations will continue to be subject to taxation in the foreign jurisdictions where those assets are held or those operations are conducted. Any of these taxes would decrease our earnings and our available cash.We will also be subject to a federal corporate level income tax at the highest regular corporate income tax rate on gain recognized from a sale of a REIT asset where our basis in the asset is determined by reference to the basis of the asset in the hands of a C corporation (such as an asset that we hold in one of our qualified REIT subsidiaries ("QRSs") following the liquidation or other conversion of a former TRS). This tax is generally applicable to any disposition of such an asset during the five-year period after the date we first owned the asset as a REIT asset, to the extent of the built-in-gain based on the fair market value of such asset on the date we first held the asset as a REIT asset. In addition, any depreciation recapture income that we recognize because of accounting method changes that we make in connection with our acquisition activities will be fully subject to this tax.Complying with REIT requirements may limit our ability to hedge effectively and increase the cost of our hedging and may cause us to incur tax liabilities.The REIT provisions of the Code limit our ability to hedge assets, liabilities, revenues and expenses. Generally, income from hedging transactions that we enter into to manage risk of interest rate changes with respect to borrowings made or to be made by us to acquire or carry real estate assets and income from certain currency hedging transactions related to our non-United States operations, as well as income from qualifying counteracting hedges, do not constitute "gross income" for purposes of the REIT gross income tests. To the extent that we enter into other types of hedging transactions, the income from those transactions is likely to be treated as nonqualifying income for purposes of the REIT gross income tests. As a result of these rules, we may need to limit our use of advantageous hedging techniques or implement those hedges through our TRSs. This could increase the cost of our hedging activities because our TRSs would be subject to tax on income or gains resulting from hedges entered into by them and may expose us to greater risks associated with changes in interest rates or exchange rates than we would otherwise want to bear. In addition, hedging losses in any of our TRSs generally will not provide any tax benefit, except for being carried forward for possible use against future income or gain in the TRSs.Distributions payable by REITs generally do not qualify for preferential tax rates.Dividends payable by United States corporations to noncorporate stockholders, such as individuals, trusts and estates, are generally eligible for reduced United States federal income tax rates applicable to "qualified dividends". Distributions paid by REITs generally are not treated as "qualified dividends" under the Code, and the reduced rates applicable to such dividends do not generally apply. However, for tax years beginning before 2026, REIT dividends paid to noncorporate stockholders that meet specified holding period requirements are generally taxed at an effective tax rate lower than applicable ordinary income tax rates due to the availability of a deduction under the Code for specified forms of income from passthrough entities. More favorable rates will nevertheless continue to apply to regular corporate "qualified" dividends, which may cause some investors to perceive that an investment in a REIT is less attractive than an investment in a non-REIT entity that pays dividends, thereby reducing the demand and market price of our common stock.18IRON MOUNTAIN 2023 FORM 10-KTable of Contents Part IThe ownership and transfer restrictions contained in our certificate of incorporation may not protect our qualification for taxation as a REIT, could have unintended antitakeover effects and may prevent our stockholders from receiving a takeover premium.16IRON MOUNTAIN 2021 FORM 10-KTable of Contents Part IIron Mountain Incorporated (“IMI”) is a holding company, and, therefore, its ability to make payments on its various debt obligations depends in large part on the operations of its subsidiaries. In order for us to remain qualified for taxation as a REIT, no more than 50% of the value of outstanding shares of our capital stock may be owned, beneficially or constructively, by five or fewer individuals at any time during the last half of each taxable year. In addition, rents from "affiliated tenants" will not qualify as qualifying REIT income if we own 10% or more by vote or value of the customer, whether directly or after application of attribution rules under the Code. Subject to certain exceptions, our certificate of incorporation prohibits any stockholder from owning, beneficially or constructively, more than (i) 9.8% in value of the outstanding shares of all classes or series of our capital stock or (ii) 9.8% in value or number, whichever is more restrictive, of the outstanding shares of any class or series of our capital stock. We refer to these restrictions collectively as the "ownership limits" and we included them in our certificate of incorporation to facilitate our compliance with REIT tax rules. The constructive ownership rules under the Code are complex and may cause the outstanding stock owned by a group of related individuals or entities to be deemed to be constructively owned by one individual or entity. As a result, the acquisition of less than 9.8% of our outstanding common stock (or the outstanding shares of any class or series of our capital stock) by an individual or entity could cause that individual or entity or another individual or entity to own constructively in excess of the relevant ownership limits. Any attempt to own or transfer shares of our common stock or of any of our other capital stock in violation of these restrictions may result in the shares being automatically transferred to a charitable trust or may be void. Even though our certificate of incorporation contains the ownership limits, there can be no assurance that these provisions will be effective to prevent our qualification for taxation as a REIT from being jeopardized, including under the affiliated tenant rule. Furthermore, there can be no assurance that we will be able to monitor and enforce the ownership limits. If the restrictions in our certificate of incorporation are not effective and, as a result, we fail to satisfy the REIT tax rules described above, then, absent an applicable relief provision, we will fail to remain qualified for taxation as a REIT.In addition, the ownership and transfer restrictions could delay, defer or prevent a transaction or a change in control that might involve a premium price for our stock or otherwise be in the best interest of our stockholders. As a result, the overall effect of the ownership and transfer restrictions may be to render more difficult or discourage any attempt to acquire us, even if such acquisition may be favorable to the interests of our stockholders. Legislative or other actions affecting REITs could have a negative effect on us or our stockholders.At any time, the federal or state income tax laws governing REITs, the administrative interpretations of those laws, or local laws impacting our REIT structure for our international operations may be amended. Federal, state and local tax laws are constantly under review by persons involved in the legislative process, the United States Internal Revenue Service, the United States Department of the Treasury and state and local taxing authorities. Federal, state and local tax laws are constantly under review by persons involved in the legislative process, the IRS, the United States Department of the Treasury (“Treasury”) and state and local taxing authorities. Changes to the tax laws, regulations and administrative interpretations or local laws governing our international operations, which may have retroactive application, could adversely affect us. In addition, some of these changes could have a more significant impact on us as compared to other REITs due to the nature of our business and our substantial use of TRSs, particularly non-United States TRSs, or how we have structured our operations outside the United States to comply with REIT qualification requirements. We cannot predict with certainty whether, when, in what forms, or with what effective dates, the tax laws, regulations, administrative interpretations or local laws applicable to us may be changed or if such laws would impact our ability to remain qualified for taxation as a REIT or the costs of doing so. GENERAL RISK FACTORSOur cash distributions are not guaranteed and may fluctuate.As a REIT, we are generally required to distribute at least 90% of our REIT taxable income to our stockholders. Furthermore, we are committed to growing our dividends, and have stated this publicly.Our board of directors, in its sole discretion, will determine, on a quarterly basis, the amount of cash to be distributed to our stockholders based on a number of factors including, but not limited to, our results of operations, cash flow and capital requirements, economic conditions, tax considerations, borrowing capacity and other factors, including debt covenant restrictions that may impose limitations on cash payments, future acquisitions and divestitures, any stock repurchase program and general market demand for our space and related services. Consequently, our distribution levels may fluctuate and we may not be able to meet our public commitments with respect to dividend growth.Our business could be adversely impacted if there are deficiencies in our disclosure controls and procedures or internal control over financial reporting.The design and effectiveness of our disclosure controls and procedures and internal control over financial reporting may not prevent all errors, misstatements or misrepresentations. While management will continue to review the effectiveness of our disclosure controls and procedures and internal control over financial reporting, there can be no guarantee that our internal control over financial reporting will be effective in accomplishing all control objectives all of the time. Furthermore, our disclosure controls and procedures and internal control over financial reporting with respect to entities that we do not control or manage may be substantially more limited than those we maintain with respect to the subsidiaries that we have controlled or managed over the course of time. Deficiencies, including any material weakness, in our internal control over financial reporting which may occur in the future could result in misstatements of our results of operations, restatements of our financial statements, a decline in our stock price, or otherwise materially adversely affect our business, reputation, results of operations, financial condition or liquidity.IRON MOUNTAIN 2023 FORM 10-K19Table of ContentsPart IWe face competition for customers.We compete with multiple businesses in all geographic areas where we operate; our current or potential customers may choose to use those competitors instead of us. In addition, if we are successful in winning record storage customers from competitors, the process of moving their stored records into our facilities is often costly and time consuming. In addition, if we are successful in winning customers from competitors, the process of moving their stored records into our facilities is often costly and time consuming. We also compete, in some of our business lines, with our current and potential customers’ internal storage and information management services capabilities and their cloud-based alternatives. These organizations may not begin or continue to use us for their future storage and information management service needs.The performance of our businesses relies on our ability to attract, develop, and retain talented personnel, while controlling our labor costs.We are highly dependent on skilled and qualified personnel to operate our businesses. Furthermore, our contracts with the United States Government require us to use personnel with security clearances, and we may not be successful or may experience delays in attracting, training or retaining qualified personnel with the requisite skills or security clearances. The failure to attract and retain qualified employees or to effectively control our labor costs could negatively affect our competitive position and operating results. Our ability to control labor costs and attract qualified personnel is subject to numerous external factors, including prevailing wages, labor shortages, the impact of legislation or regulations governing wages and hours, labor relations, immigration, healthcare and other benefits, other employment-related costs and the hiring practices of our competitors.ITEM 1B. UNRESOLVED STAFF COMMENTS.None.ITEM 1C.ITEM 1B. CYBERSECURITY.RISK MANAGEMENT AND STRATEGY We maintain a robust information security program that is designed to protect our information and the information of our customers. Our information security program is based on a recognized cybersecurity framework established by the National Institute of Standards and Technology (“NIST”) and establishes controls to mitigate critical areas of cybersecurity risk. Our information security program has adopted all elements of the NIST cybersecurity framework, including the six functions of identify, protect, detect, respond, recover and govern, as well as each of the categories and control groups thereunder. This does not imply that we meet any particular technical standards, specifications, or requirements, but only that we use the NIST framework as a guide to ensure our information security program is designed to manage cybersecurity risks relevant to our business. Among other things, the cybersecurity controls in our information security program address information access rights, incident monitoring and response processes, information technology system configuration, network security, security architecture planning, mobile device security and compliance with information security policy requirements and protocols. These cybersecurity controls are designed to oversee, identify and mitigate risks from all cybersecurity threats, including those arising from our use of third-party service providers. Our cybersecurity controls are evaluated regularly by our internal information security team and we engage a third party examiner to assess the maturity of our information security program against the NIST cybersecurity framework no less frequently than bi-annually. Additionally, our information security program is assessed periodically by a federal regulator in the United States as part of its routine audit of the Company. In addition to our internal assessments, we also assess our third-party service providers on a regular basis using a risk-based approach that assigns a risk calculation to each such service provider. Results of our assessments are tracked and evaluated to ensure these third parties comply with our cybersecurity standards. Our reputation for providing secure information storage to customers is critical to the success of our business, and protecting against material cyber risks is an integral part of maintaining that reputation. A successful cybersecurity breach could lead to theft or misuse of our or our customers’ proprietary or confidential information or our employees’ personal information and result in third-party claims against us, regulatory penalties and reputational harm. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties, and reputational harm. As part of our information security program, we also actively monitor emerging cyber attack patterns to develop custom detection capabilities and mitigation techniques to protect against material risk of cybersecurity threats. Upon encountering a cybersecurity incident, our information security team responds using our detailed cyber security incident response plan (“CSIRP”), which is based on industry best practices, relevant legal requirements and our contractual commitments. Among other things, the CSIRP sets forth the specific criteria used to assess a cybersecurity incident, mitigate risks of adverse consequences associated with any such incident, protocols to escalate the management of the incident and the process to inform our executive management team and any impacted functions of our business. All cybersecurity incidents are assessed to determine whether disclosure is required pursuant to any contractual or regulatory requirements and any material cybersecurity incident is also reported to our board of directors (our “Board”). To date, our information security program has been successful in protecting against risks from cybersecurity threats, and we have not had any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. 20IRON MOUNTAIN 2023 FORM 10-KTable of Contents Part IOur risk management organization, which is led by our Chief Risk Officer, manages our information security program along with enterprise risk management, business continuity, internal audit and physical security.10IRON MOUNTAIN 2021 FORM 10-KTable of Contents Part IAttacks on our internal IT systems could damage our reputation, cause us to lose revenues, and adversely affect our business, financial condition and results of operations. Our risk management team routinely reports on cybersecurity matters to our executive management team and our Board. Our Chief Information Security Officer, who reports directly to our Chief Risk Officer, leads a dedicated information security team that manages our information security program. The information security team is made primarily of full-time employees; however, we routinely engage consultants to provide supplemental labor and additional expertise in specific areas on an as-needed basis. Our information security team is organized based on industry best practices in alignment with NIST recommendations. All of the leaders in our information security team have over 10 years of cybersecurity experience and most of our information security staff maintain cybersecurity program certifications such as CMU Cybersecurity Executive Certification, ISACA Certifications (CISSP & CISM) and other relevant vendor certifications. Our information security team also regularly undergoes continuing education to ensure our implementation of best-in-class techniques. GOVERNANCE Our Board reviews and discusses significant risks with executive management, including cybersecurity risk, that affect us. Although our executive management team and our Board work together on risk matters, our Board has the ultimate oversight authority over all enterprise risks, including cybersecurity risk. Our Board reserves the right to, and periodically does consult with third-party advisors and experts to assist our Board in understanding and anticipating future cybersecurity threats and trends. The risk and safety committee of our Board (the “RSC”) is specifically tasked with reviewing and monitoring cybersecurity and information security risk, as well as the risk management strategies, systems and policies and processes implemented, established and reported on by our executive management team. The RSC is also primarily responsible for assisting our Board with oversight of our enterprise risk management program. As part of the risk management team, our Chief Information Security Officer reports key performance indicators of our information security program to the RSC at least three times a year to facilitate the committee’s oversight of the effectiveness of the program through objective measurements, including metrics regarding software patching, IT asset management, cyber incident management and cybersecurity training. Reports by our Chief Information Security Officer also include detailed information on the activities of our cyber incident response team to allow for analysis of trends and the identification of any control gaps that require remediation.Our executive management team, with oversight from our Board, is responsible for our enterprise risk management process and the day-to-day supervision and mitigation of enterprise risks, including cybersecurity risk. Our enterprise risk management program includes our executive management team receiving regular reports from our operations personnel. Our executive management team has established an enterprise risk committee (the "ERC"), which is chaired by our Chief Risk Officer and is otherwise comprised of each of our other executive vice presidents. The ERC oversees our risk and compliance activities to ensure that management has appropriate policies, structures and systems in place for managing risks of the business, including cybersecurity risk. Our executive management team reviews and prioritizes significant risks, allocates resources for risk mitigation. Our Chief Risk Officer and other members of our risk management team provide reports at each meeting of the RSC on areas of potential risks to us, including cybersecurity risk. We also maintain a business information security committee (the "ISC") with employee representation across geographies, business lines and business functions. The ISC includes a cross functional group of our employees with expertise and responsibilities in areas such as operations, digital product solutions, information technology, compliance, security, finance, privacy, internal audit and legal risk mitigation. The ISC is managed by our Chief Information Security Officer and meets regularly to receive updates on our cybersecurity posture, emerging risks and new cybersecurity capabilities. Members of the ISC act as points of contact during incident response activities to provide oversight and logistical support to the information security team..