Risk Factors - IRM

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

$IRM Risk Factor changes from 00/02/22/24/2024 to 00/02/14/25/2025

Item 1A. Risk Factors" included in this Annual Report.SUSTAINABILITYAt Iron Mountain, we are using our influence and expertise to drive innovations that protect and elevate the effectiveness of our customers’ endeavors, while also creating a meaningful, positive impact on individuals, the environment, and our overall performance.SUSTAINABILITYAt Iron Mountain, we are using our influence and expertise to drive innovations that will not only protect and elevate the power of our customers’ work, but make a lasting, positive impact on people, planet, and performance. Iron Mountain is committed to sustainable growth, and this is highlighted through initiatives and targets within our company.Iron Mountain is committed to sustainable growth, and this is highlighted through initiatives and targets within the company. We aim to minimize our environmental impact, foster a culture and processes that support the well-being of our global teams, and to be a catalyst for positive change within our communities.We transparently report on our sustainability efforts and the advancement of our objectives by using widely adopted reporting frameworks such as the Global Reporting Initiative, CDP and EcoVadis. In addition, we continue to further align our reporting with the recommendations of the Financial Stability Board’s Task Force on Climate-related Financial Disclosures.Our work continues to receive recognition. In 2024, the Science Based Targets initiative ("SBTi") validated our targets, which are aligned with the Paris Climate Agreement aspiration of limiting the global temperature increase to 1.5 degrees Celsius. Our data center team was recognized with the Decarbonization of Electricity award from BroadGroup International for their work and thought leadership on carbon-free energy.As of December 31, 2024, we are a constituent of multiple indexes that focus on corporate sustainability standards, including several MSCI All Country World Indexes (ACWI), such as the ACWI Low Carbon Leaders, ACWI Climate Paris Aligned, ACWI ESG Leaders and ACWI Socially Responsible Index (SRI). We have also been a constituent of the FTSE4Good Index for more than ten years. A copy of our sustainability report is available on the "Who we are" section of our website, www. A copy of our sustainability responsibility report is available on the "Who we are" section of our website, www. ironmountain.com, under the heading "Sustainability". We are not including the information contained on or available through our website as part of, or incorporating such information by reference into, this Annual Report.IRON MOUNTAIN 2024 FORM 10-K7Table of ContentsPart IINTERNET WEBSITEOur internet address is www.IRON MOUNTAIN 2023 FORM 10-K19Table of ContentsPart IWe face competition for customers. ironmountain.com.

Under the "Investors" section on our website, we make available, free of charge, our Annual Reports on Form 10-K, our Quarterly Reports on Form 10-Q, our Current Reports on Form 8-K and amendments to those reports filed or furnished pursuant to Section 13(a) or 15(d) of the Securities Exchange Act of 1934 (the "Exchange Act") as soon as reasonably practicable after such forms are filed with or furnished to the SEC. We are not including the information contained on or available through our website as a part of, or incorporating such information by reference into, this Annual Report. Copies of our corporate governance guidelines, code of ethics and the charters of our audit, compensation, finance, nominating and governance and risk and safety committees are available on the "Investors" section of our website, www. Copies of our corporate governance guidelines, code of ethics and the charters of our audit, compensation, finance, nominating and governance, risk and safety, and technology committees are available on the "Investors" section of our website, www. ironmountain.com, under the heading "Corporate Governance".8IRON MOUNTAIN 2024 FORM 10-KTable of Contents Part IITEM 1A. RISK FACTORS.We face many risks. If any of the events or circumstances described below actually occur, we and our businesses, financial condition or results of operations could suffer, and the trading price of our debt or equity securities could decline. Our current and potential investors should consider the following risks and the information contained under the heading "Cautionary Note Regarding Forward-Looking Statements" before deciding to invest in our securities.BUSINESS RISKSFailure to execute our strategic growth plan may adversely impact our financial condition and results of operations.As part of our strategic growth plan, including Project Matterhorn, we expect to invest in our existing businesses, including records and information management storage and services businesses in our higher-growth markets, data centers, digital solutions, ALM business and other complementary businesses, and in new businesses, business strategies, products, services, technologies and geographies.As part of our strategic growth plan, including Project Matterhorn, we expect to invest in our existing businesses, including records and information management storage and services businesses in our higher-growth markets, data centers, ALM business and other complementary businesses, and in new businesses, business strategies, products, services, technologies and geographies. These initiatives may involve significant risks and uncertainties, including:•our inability to maintain relationships with key customers and suppliers or to execute on our plan to incorporate the digitization of our customers’ records and new digital information technologies into our offerings;•failure to achieve satisfactory returns on new product offerings, acquired companies, joint ventures, growth initiatives or other investments, particularly in markets where we do not currently operate or have a substantial presence;•our inability to identify suitable companies to acquire, invest in or partner with;•our inability to complete acquisitions or investments on satisfactory terms;•our inability to structure acquisitions or investments in a manner that complies with our debt covenants or is consistent with our leverage ratio goals;•challenges in managing costs to offset the impact of inflationary pressure;•increased demands on our management, operating systems, internal controls and financial and physical resources and, if necessary, our inability to successfully expand our infrastructure; •incurring additional debt necessary to acquire suitable companies or make other growth investments if we are unable to pay the purchase price or make the investment out of working capital or the issuance of our common stock or other equity securities;•our inability to manage the budgeting, forecasting and other process control issues presented by future growth, particularly with respect to new lines of business;•insufficient revenues to offset expenses and liabilities associated with new investments; and•our inability to attract, develop and retain skilled employees to lead and support our strategic growth plan, particularly in new businesses, technologies, products or offerings outside our core competencies. These initiatives may involve significant risks and uncertainties, including:•our inability to maintain relationships with key customers and suppliers or to execute on our plan to incorporate the digitization of our customers’ records and new digital information technologies into our offerings;•failure to achieve satisfactory returns on new product offerings, acquired companies, joint ventures, growth initiatives, or other investments, particularly in markets where we do not currently operate or have a substantial presence;•our inability to identify suitable companies to acquire, invest in or partner with;•our inability to complete acquisitions or investments on satisfactory terms;•our inability to structure acquisitions or investments in a manner that complies with our debt covenants and is consistent with our leverage ratio goals;•challenges in managing costs to offset the impact of inflationary pressure;•increased demands on our management, operating systems, internal controls and financial and physical resources and, if necessary, our inability to successfully expand our infrastructure; •incurring additional debt necessary to acquire suitable companies or make other growth investments if we are unable to pay the purchase price or make the investment out of working capital or the issuance of our common stock or other equity securities;•our inability to manage the budgeting, forecasting and other process control issues presented by future growth, particularly with respect to new lines of business;•insufficient revenues to offset expenses and liabilities associated with new investments; and•our inability to attract, develop and retain skilled employees to lead and support our strategic growth plan, particularly in new businesses, technologies, products or offerings outside our core competencies. Our new ventures are inherently risky and we can provide no assurance that such strategies and offerings will be successful in achieving the desired returns within a reasonable timeframe, if at all, and that they will not adversely affect our business, reputation, financial condition and operating results. If stored records and tapes become less active, our service revenue growth and profits from related services may decline.Our Records Management and Data Management service revenue growth is being negatively impacted by declining activity rates as stored records and tapes are becoming less active and more archival. The amount of information available to customers digitally or in their own information systems has been steadily increasing in recent years, and we believe this trend will continue. As a result, our customers are less likely than they have been in the past to retrieve records and rotate tapes, thereby reducing their activity levels. At the same time, many of our costs related to records and tape related services remain relatively fixed. In addition, our reputation for providing secure information storage is critical to our success, and actions to manage cost structure, such as outsourcing certain transportation, security or other functions, could negatively impact our reputation and adversely affect our business, and, if we are unable to appropriately align our cost structure with decreased levels of service activity, our operating results could be adversely affected. IRON MOUNTAIN 2024 FORM 10-K9Table of ContentsPart IOur customers continue to evolve the way they store records, which could impact our storage revenue. IRON MOUNTAIN 2023 FORM 10-K9Table of ContentsPart IOur customers may shift from paper and tape storage to alternative technologies that may shift our revenue mix away from storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2024 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile.We and our customers are subject to laws and governmental regulations relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business.We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with data privacy regulations, and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. We have an established privacy compliance framework and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm.Expansion into Global Digital Solutions and ALM services means that our privacy and security risk profile is increasing.Expansion into Digital and ALM services means that our privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Finally, emerging artificial intelligence ("AI") regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues, and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to attacks by hackers, including state-sponsored organizations with significant financial and technological resources, breaches due to employee error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations.Failure to successfully integrate acquired businesses could negatively impact our balance sheet and results of operations.Strategic acquisitions are an important element of our growth strategy and the success of any acquisition we make depends in part on our ability to integrate the acquired business and realize anticipated synergies. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve difficulties and may require a disproportionate amount of our management’s attention and our financial and other resources. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve unforeseen difficulties and may require a disproportionate amount of our management’s attention and our financial and other resources. 10IRON MOUNTAIN 2024 FORM 10-KTable of Contents Part IFor example, the success of our significant acquisitions depends, in large part, on our ability to realize the anticipated benefits, including cost savings or revenue acceleration from combining the acquired businesses with ours. To realize these anticipated benefits, we must be able to successfully integrate our business and the acquired businesses, and this integration is complex and time-consuming. We may encounter challenges in the integration process including the following:•challenges and difficulties associated with managing our larger, more complex, company;•conforming standards, controls, procedures and policies, business cultures and compensation and benefits structures between the two businesses;•consolidating corporate and administrative infrastructures;•coordinating geographically dispersed organizations;•retaining critical acquired talent;•potential unknown liabilities and unforeseen expenses or delays associated with an acquisition; and•our ability to deliver on our strategy going forward.Further, our acquisitions subject us to liabilities (including tax liabilities) that may exist at an acquired company, some of which may be unknown. Although we and our advisors conduct due diligence on the businesses we acquire, there can be no guarantee that we are aware of all liabilities of an acquired company. These liabilities, and any additional risks and uncertainties related to an acquired company not known to us or that we may deem immaterial or unlikely to occur at the time of the acquisition, could negatively impact our future business, financial condition and results of operations.We can give no assurance that we will ultimately be able to effectively integrate and manage the operations of any acquired business or realize anticipated synergies. The failure to successfully integrate the cultures, operating systems, procedures and information technologies of an acquired business could have a material adverse effect on our financial condition and results of operations.Our future growth depends in part upon our ability to continue to effectively manage and execute on revenue management.Our organic revenue growth has been positively impacted by our ability to effectively introduce, expand and monitor revenue management. If we are not able to continue and effectively manage pricing, our results of operations could be adversely affected and we may not be able to execute on our strategic growth plan.Our customer contracts may not always limit our liability and may sometimes contain terms that could subject us to significant liability or lead to disputes in contract interpretation.Our customer contracts typically contain standardized provisions limiting our liability regarding the services we perform and the loss or destruction of, or damage to, records, information or other items stored with us; however, some of our contracts with large customers and governmental entities and some of the contracts assumed in our acquisitions contain no such limits or contain non-standard limits.Our customer contracts typically contain standardized provisions limiting our liability regarding the services we perform and the loss or destruction of, or damage to, records, information, or other items stored with us; however, some of our contracts with large customers and some of the contracts assumed in our acquisitions contain no such limits or contain non-standard limits. We can provide no assurance that our limitation of liability provisions will be enforceable in all instances or, if enforceable, that they would otherwise protect us from liability. In the past, we have had relatively few disputes with our customers regarding the terms of their customer contracts, and most disputes to date have not been material, but we can provide no assurance that we will not have material disputes in the future. Moreover, as we expand our operations into new businesses, including Global Digital Solutions, ALM, and the storage of valuable items, and respond to customer demands for higher limitation of liability, our exposure to contracts with higher or no limitations of liability and disputes with customers over contract interpretation may increase. Moreover, as we expand our operations into new businesses, including digital solutions, ALM, and the storage of valuable items, and respond to customer demands for higher limitation of liability, our exposure to contracts with higher or no limitations of liability and disputes with customers over contract interpretation may increase. Although we maintain a comprehensive insurance program, we can provide no assurance that we will be able to maintain insurance policies on acceptable terms or with high enough coverage amounts to cover losses to us in connection with customer contract disputes.IRON MOUNTAIN 2024 FORM 10-K11Table of ContentsPart IAs a global company, we are subject to the unique risks of operating in many countries.As of December 31, 2024, we operated in 61 countries. The global nature of our business and our growth strategy, which includes continued acquisitions and investments in countries where we do not currently operate, is subject to numerous risks, including:•fluctuations of currency exchange rates in the markets in which we operate;•the impact of laws and regulations that apply to us in countries in which we operate or have made investments; in particular, we are subject to sanctions and anti-corruption laws, such as the Foreign Corrupt Practices Act and the United Kingdom Bribery Act, and, although we have implemented internal controls, policies and procedures and training to deter prohibited practices, our employees, partners, contractors or agents may violate or circumvent such policies and the law; •costs and difficulties associated with managing global operations, including cross-border sales;•the volatility of certain economies in which we operate;•political uncertainties and changes in the global political climate or other global events, such as war or other military conflict, trade wars or global pandemics, which may create additional risk in relation to our global operations, which may become more pronounced as we consolidate operations across countries and need to move data across borders; •the risk that business partners upon whom we depend for technical assistance or management and acquisition expertise in some markets will not perform as expected;•difficulties attracting and retaining local management and key employees to operate our business in certain countries; and•cultural differences and differences in business practices and operating standards, as well as risks and challenges in expanding into countries where we have no prior operational experience. The global nature of our business and our growth strategy, which includes continued acquisitions and investments in countries where we do not currently operate, is subject to numerous risks, including:•fluctuations of currency exchange rates in the markets in which we operate;•the impact of laws and regulations that apply to us in countries in which we operate or have made investments; in particular, we are subject to sanctions and anti-corruption laws, such as the Foreign Corrupt Practices Act and the United Kingdom Bribery Act, and, although we have implemented internal controls, policies and procedures and training to deter prohibited practices, our employees, partners, contractors or agents may violate or circumvent such policies and the law; •costs and difficulties associated with managing global operations, including cross-border sales;•the volatility of certain economies in which we operate;•political uncertainties and changes in the global political climate or other global events, such as trade wars or global pandemics, which may create additional risk in relation to our global operations, which may become more pronounced as we consolidate operations across countries and need to move data across borders; •the risk that business partners upon whom we depend for technical assistance or management and acquisition expertise in some markets will not perform as expected;•difficulties attracting and retaining local management and key employees to operate our business in certain countries; and•cultural differences and differences in business practices and operating standards, as well as risks and challenges in expanding into countries where we have no prior operational experience. If we fail to meet our commitment to transition to more renewable and sustainable sources of energy, it may negatively impact our ability to attract and retain customers, employees and investors who focus on this commitment. Furthermore, changes to environmental laws and standards may increase the cost to operate some of our businesses. This could impact our results of operations, our competitiveness and the trading value of our stock.We have made a commitment to prioritize sustainable energy practices, reduce our carbon footprint and transition to more renewable and sustainable sources of energy, particularly in our Global Data Center Business. We have made progress towards reducing our carbon footprint, but if we are not successful in continuing this reduction or if our customers, employees and investors are not satisfied with our sustainability efforts, it may negatively impact our ability to attract and retain customers, employees and investors who focus on this commitment. This could negatively impact our results of operations and the trading of our stock.Furthermore, changes in environmental laws in any jurisdiction in which we operate could increase compliance costs or impose limitations on our operations. For example, our emergency generators at our data centers are subject to regulations and permit requirements governing air pollutants, and the heating, ventilation and air conditioning and fire suppression systems at some of our data centers and data management locations may include ozone-depleting substances that are subject to regulation. While environmental regulations do not normally impose material costs upon operations at our facilities, unexpected events, equipment malfunctions, human error and changes in law or regulations, among other factors, could result in unexpected costs, which could be material.Our use of joint ventures or other co-investment vehicles could expose us to additional risks and liabilities, including our lack of sole decision-making authority and our reliance on joint venture or other co-investment vehicle partners who may have economic and business interests that are inconsistent with our business interests.Our use of joint ventures or other co-investment vehicles could expose us to additional risks and liabilities, including our reliance on joint venture or other co-investment vehicles partners who may have economic and business interests that are inconsistent with our business interests and our lack of sole decision-making authority. As part of our growth strategy, particularly in connection with our international and data center expansion, we currently, and may in the future, co-invest with third parties using joint ventures or other co-investment vehicles. These ventures can result in our holding non-controlling interests in, or not having sole control over managing the affairs of, a property or portfolio of properties, business, partnership, joint venture or other entity. These ventures can result in our holding non-controlling interests in, or having responsibility for managing the affairs of, a property or portfolio of properties, business, partnership, joint venture or other entity. In connection with our pursuit or entrance into any such venture, we may be subject to additional risks, including:•our ability to sell our interests in the venture may be limited by the venture agreement;•we may not have the right to exercise sole decision-making authority regarding the properties, business, partnership, venture or other entity;•we may be liable for the venture's failure to comply with applicable law despite only having a non-controlling interest in the venture;•if our partners become bankrupt or fail to fund their share of required capital contributions, we may choose or be required to contribute unplanned capital; •our partners may have economic, tax or other interests or goals that are inconsistent with our interests or goals, which could affect our ability to negotiate satisfactory venture terms, to operate the property or business or to maintain our qualification for taxation as a REIT; and•disputes may arise between us and our partners that result in litigation or arbitration that would increase our expenses and divert the attention of our officers and directors. In connection with our pursuit or entrance into any such venture, we may be subject to additional risks, including:•our ability to sell our interests in the venture may be limited by the venture agreement; •we may not have the right to exercise sole decision-making authority regarding the properties, business, partnership, venture or other entity;•we may be liable for the venture's failure to comply with applicable law despite only having a non-controlling interest in the venture;•if our partners become bankrupt or fail to fund their share of required capital contributions, we may choose or be required to contribute unplanned capital; and•our partners may have economic, tax or other interests or goals that are inconsistent with our interests or goals, and that could affect our ability to negotiate satisfactory venture terms, to operate the property or business or maintain our qualification for taxation as a REIT. 12IRON MOUNTAIN 2024 FORM 10-KTable of Contents Part IEach of these factors may result in returns on these investments being less than we expect or in losses, and our financial and operating results may be adversely affected.14IRON MOUNTAIN 2023 FORM 10-KTable of Contents Part IUnexpected events, including those resulting from climate change or geopolitical events, could disrupt our operations and adversely affect our reputation and results of operations. Significant costs or disruptions at our data centers could adversely affect our business, financial condition and results of operations.Our Global Data Center Business depends on providing customers with highly reliable facilities, power infrastructure and operations solutions, and we will need to retain and hire qualified personnel to manage our data centers. Service interruptions or significant equipment damage could result in difficulty maintaining service-level commitment obligations that we owe to certain of our customers. Service interruptions or equipment damage may occur at one or more of our data centers because of numerous factors, including: human error; equipment failure; physical, electronic and cybersecurity breaches; fire, hurricane, flood, earthquake and other natural disasters; water damage; fiber cuts; extreme temperatures; power loss or telecommunications failure; war, terrorism and any related conflicts or similar events worldwide; and sabotage and vandalism. Service interruptions or equipment damage may occur at one or more of our data centers because of numerous factors, including: human error; equipment failure; physical, electronic and cyber security breaches; fire, hurricane, flood, earthquake and other natural disasters; water damage; fiber cuts; extreme temperatures; power loss or telecommunications failure; war, terrorism and any related conflicts or similar events worldwide; and sabotage and vandalism. We purchase significant amounts of electricity and water for cooling from suppliers that are subject to environmental laws, regulations and permit requirements. These environmental requirements are subject to material change, which could result in increases in our suppliers’ compliance costs that may be passed through to us or otherwise constrain the availability of such resources. In addition, climate change may increase the likelihood that our data centers are affected by some of these factors.While these risks could impact our overall business, they could have a more significant impact on our Global Data Center Business, where we have service-level commitment obligations to certain of our customers. As a result, service interruptions or significant equipment damage at our data centers could result in difficulty maintaining service-level commitments to these customers and potential claims related to such failures. Because our data centers are critical to many of our customers’ businesses, service interruptions or significant equipment damage at our data centers could also result in lost profits or other indirect or consequential damages to our customers, which could in turn result in contractual liability to our customers or impair our ability to obtain and retain customers, which would adversely affect both our ability to generate revenue and our results of operations.We also rely on third party telecommunications carriers to provide internet connectivity to our customers. These carriers may elect not to offer or to restrict their services within our data centers or may elect to discontinue such services. Furthermore, carriers may face business difficulties, which could affect their ability to provide telecommunications services or the quality of such services. If connectivity is interrupted or terminated, our financial condition and results of operations may be adversely affected. Events such as these may also impact our reputation as a data center provider which could adversely affect our results of operations.Our Global Data Center Business is susceptible to regional and local costs of power, power shortages, planned or unplanned power outages and limitations on the availability of adequate power resources.Our Global Data Center Business is susceptible to regional costs of power, power shortages, planned or unplanned power outages and limitations on the availability of adequate power resources. We rely on third parties to provide power to our data centers. We are therefore subject to an inherent risk that such third parties may fail to deliver such power in adequate quantities or on a consistent basis. If the power delivered to our data centers is insufficient or interrupted, we would be required to provide power through the operation of our on-site generators, generally at a significantly higher operating cost. Additionally, global fluctuations in the price of power can increase the cost of energy, and we may be limited in our ability to, or may not always choose to, pass these increased costs on to our customers. We face additional risks in expanding our Global Data Center Business, including the significant amount of capital required.Expanding our Global Data Center Business requires significant capital. In addition, we may be required to commit significant operational and financial resources in connection with the organic growth of our Global Data Center Business substantially in advance of such newly developed data centers generating revenue. In addition, we may be required to commit significant operational and financial resources in connection with the organic growth of our Global Data Center Business, generally 12 to 24 months in advance of securing customer contracts, and we may not have enough customer demand to support these data centers when they are built. We are currently experiencing rising construction costs which reflect the increase in cost of labor and raw materials, as well as supply chain and logistical challenges. Unexpected disruptions to our supply chain, continued inflationary pressures or high interest rates, tariffs, delays in construction, limited financing availability, constrained supplies of new power, or changes in customer requirements could significantly affect the cost or timing of our planned expansion projects, have consequences under our project financing and partnership agreements, and interfere with our ability to meet commitments to customers who have contracted for space in new data centers under construction. All construction-related data center projects require us to carefully select, manage, and rely on the experience of one or more design firms, general contractors, and associated subcontractors during the design and construction process, and to obtain critical government permits and authorizations. Should a design firm, general contractor, significant subcontractor, or key supplier experience financial or operational problems during the design or construction process or fail to perform properly, or should we be unable to obtain, or experience delays in obtaining, all necessary zoning, land-use, building, occupancy and other governmental permits and authorizations, we could experience significant delays, increased costs to complete the project, penalties under customer preleases and other negative impacts to the expected return on our committed capital. There can be no assurance we will have sufficient customer demand to support the data centers we have acquired or built, or that we will not be adversely affected by the risks noted above under "Significant costs or disruptions at our data centers could adversely affect our business, financial condition and results of operations", which could make it difficult for us to realize expected returns on our investments, if any. There can be no assurance we will have sufficient customer demand to support the data centers we have acquired, or that we will not be adversely affected by the risks noted above under "Significant costs or disruptions at our data centers could adversely affect our business, financial condition and results of operations", which could make it difficult for us to realize expected returns on our investments, if any. IRON MOUNTAIN 2024 FORM 10-K13Table of ContentsPart IOur ALM business may be subject to additional risks, including those related to its client and geographic concentration, government trade policies, and macroeconomic conditions. A significant portion of the revenue from our ALM business is derived from a limited number of clients and tied to cyclical projects involving the decommissioning and destruction of IT assets and the disposition of components of such assets to purchasers in concentrated geographies. Though we generally enter into long-term contracts with such clients, the volume of work we perform for specific clients may vary over the life of each contract due to various factors including changes in client behavior or macroeconomic conditions impacting the availability of new IT assets in the marketplace. There can be no assurance that we will be able to retain our current volumes, existing clients or that, if we were to lose one or more of our significant clients, we would be able to replace such clients with clients that generate a comparable amount of revenue. Further, many of the purchasers of the decommissioned IT asset components are geographically concentrated, particularly within mainland China. If governments enact trade policies or environmental regulations that restrict or increase the cost of exporting IT assets into China or other markets in which we sell decommissioned IT asset components or recyclable materials, or increase the enforcement of such policies, then the revenue from the sale of these assets may be negatively impacted. If governments enact trade policies that restrict the export of IT assets into China or other markets in which we sell decommissioned IT asset components, or increase the enforcement of such policies, then the revenue from the sale of these assets may be negatively impacted. Additionally, uncertain macroeconomic conditions, particularly within mainland China, may reduce our purchasers’ demand for the IT asset components that we sell, thereby reducing our revenues and earnings.Failure to comply with certain regulatory and contractual requirements under our United States Government contracts could adversely affect our revenues, operating results and financial position and reputation.Having the United States Government as a customer subjects us to certain regulatory and contractual requirements. Failure to comply with these requirements could subject us to investigations, price reductions, up to treble damages, and civil penalties. Noncompliance with certain regulatory and contractual requirements could also result in us being suspended or debarred from future United States Government contracting. We may also face private derivative securities claims because of adverse government actions. Any of these outcomes could have a material adverse effect on our revenues, operating results, financial position and reputation.We may be subject to certain costs and potential liabilities associated with the real estate required for our business.As of December 31, 2024, we operated approximately 1,350 facilities worldwide, including approximately 550 in the United States, and face special risks attributable to the real estate we own or lease, which could have a material adverse effect on our revenues, operating results and financial position.As of December 31, 2023, we operated approximately 1,400 facilities worldwide, including approximately 600 in the United States, and face special risks attributable to the real estate we own or lease. Such risks include:•acquisition and occupancy costs that make it difficult to meet anticipated margins and difficulty locating suitable facilities due to a relatively small number of available buildings having the desired characteristics in some real estate markets; •increases in rent expense and property taxes as a result of the increasing demand for industrial real estate;•uninsured losses or damage to our facilities due to an inability to obtain full coverage on a cost-effective basis for some casualties, such as fires, hurricanes and earthquakes, or any coverage for certain losses, such as losses from riots or terrorist activities;•inability to use our real estate holdings effectively and costs associated with vacating or consolidating facilities if the demand for physical storage were to diminish;•liability under environmental laws for the costs of investigation and cleanup of contaminated real estate owned or leased by us, whether or not (i) we know of, or were responsible for, the contamination, or (ii) the contamination occurred while we owned or leased the property; and•costs of complying with fire protection and safety standards.Some of our current and formerly owned or leased properties were previously used by entities other than us for industrial or other purposes, or were affected by waste generated from nearby properties, that involved the use, storage, generation and/or disposal of hazardous substances and wastes, including petroleum products. In some instances, this prior use involved the operation of underground storage tanks or the presence of asbestos-containing materials. Where we are aware of environmental conditions that require remediation, we undertake appropriate activity, in accordance with all legal requirements. Although we have from time to time conducted limited environmental investigations and remedial activities at some of our former and current facilities, we have not undertaken an environmental review of all of our properties, including those we have acquired. We therefore may be potentially liable for environmental costs like those discussed above and may be unable to sell, rent, mortgage or use contaminated real estate owned or leased by us. Environmental conditions for which we might be liable may also exist at properties that we may acquire in the future. In addition, future regulatory action and environmental laws may impose costs for environmental compliance that do not exist today.14IRON MOUNTAIN 2024 FORM 10-KTable of Contents Part IUnexpected events, including those resulting from climate change or geopolitical events, could disrupt our operations and adversely affect our reputation and results of operations.Unexpected events, including fires or explosions at our facilities, war or other military conflict, terrorist activities, natural disasters such as earthquakes and wildfires, unplanned power outages, supply disruptions, failure of equipment or systems, and severe weather events, such as droughts, heat waves, hurricanes, and flooding, could adversely affect our reputation and results of operations through physical damage to our facilities, equipment and customers' inventory and through physical damage to, or disruption of, local infrastructure. During the past several years, we have seen an increase in the frequency and intensity of severe weather events and we expect this trend to continue due to climate change. Some of our key facilities worldwide are vulnerable to severe weather events, and global weather pattern changes may also pose long-term risks of physical impacts to our business. Our customers rely on us to securely store and timely retrieve their critical information, and, while we maintain disaster recovery and business continuity plans that would be implemented in these situations, these unexpected events could result in customer service disruption, physical damage to one or more key operating facilities and the information stored in those facilities, the closure of one or more key operating facilities or the disruption of information systems, each of which could negatively impact our reputation and results of operations. In addition, these unexpected events could negatively impact our reputation if such events result in adverse publicity, governmental investigations or litigation or if customers do not otherwise perceive our response to be adequate. Fluctuations in commodity prices may affect our operating revenues and results of operations.Our operating revenues and results of operations are impacted by significant changes in commodity prices. In particular, our secure shredding operations generate revenue from the sale of shredded paper for recycling. Additionally, our ALM business may be affected by the prices of scrap metals. Significant declines in the cost of paper or scrap metals may negatively impact our revenues and results of operations, and increases in other commodity prices, including steel, may negatively impact our results of operations. Further, significant declines in the cost of paper may continue to negatively impact our revenues and results of operations, and increases in other commodity prices, including steel, may negatively impact our results of operations. Failure to manage and adequately implement our new IT systems could negatively affect our business.We rely on IT infrastructure, including hardware, networks, software, people and processes, to provide information to support assessments and conclusions about our operating performance. We are in the process of upgrading a number of our IT systems, including consolidating our existing finance operations platforms, and we face risks relating to these transitions. For example, we may incur greater costs than we anticipate training our personnel on the new systems, we may experience service disruptions or errors in accurately capturing data or retaining our records, and we may be delayed in meeting our various reporting obligations. There can be no assurance that we will manage our IT systems and implement these new systems as planned or that we will do so without disruptions to our operations, which could have an adverse effect on our business, financial condition, results of operations and cash flows.RISKS RELATED TO OUR INDEBTEDNESSOur indebtedness could adversely affect our financial health and prevent us from fulfilling our obligations under our various debt instruments.As of December 31, 2024, our total long-term debt was approximately $13,836.4 million, stockholders' deficit was approximately $503.6 million, stockholders equity was approximately $211. 1 million and we had cash and cash equivalents of approximately $155.7 million.8 million. Our indebtedness could have important consequences to our current and potential investors. These risks include:•inability to satisfy our obligations with respect to our various debt instruments;•inability to make borrowings to fund future working capital, capital expenditures and strategic growth opportunities, including acquisitions, further organic development of, and investment into, our Global Data Center, ALM and Global Digital Solutions businesses and other service offerings, and other general corporate requirements, including possible required repurchases, redemptions or prepayments of our various indebtedness;•limits on our distributions to stockholders; in this regard if these limits prevented us from satisfying our REIT distribution requirements, we could fail to remain qualified for taxation as a REIT or, if these limits do not jeopardize our qualification for taxation as a REIT but do nevertheless prevent us from distributing 100% of our REIT taxable income, we will be subject to federal corporate income tax, and potentially a nondeductible excise tax, on the retained amounts;•limits on future borrowings under our existing or future credit arrangements, which could affect our ability to pay our indebtedness or to fund our other liquidity needs;•inability to generate sufficient funds to cover required interest payments;•restrictions on our ability to refinance our indebtedness on commercially reasonable terms;•limits on our flexibility in planning for, or reacting to, changes in our business and the information management services industry; and•inability to adjust to adverse economic conditions that could place us at a disadvantage to our competitors with less debt and who, therefore, may be able to take advantage of opportunities that our indebtedness prevents us from pursuing. These risks include:•inability to satisfy our obligations with respect to our various debt instruments;•inability to make borrowings to fund future working capital, capital expenditures and strategic growth opportunities, including acquisitions, further organic development of, and investment into, our Global Data Center Business, ALM and Fine Arts businesses and other service offerings, and other general corporate requirements, including possible required repurchases, redemptions or prepayments of our various indebtedness;•limits on our distributions to stockholders; in this regard if these limits prevented us from satisfying our REIT distribution requirements, we could fail to remain qualified for taxation as a REIT or, if these limits do not jeopardize our qualification for taxation as a REIT but do nevertheless prevent us from distributing 100% of our REIT taxable income, we will be subject to federal corporate income tax, and potentially a nondeductible excise tax, on the retained amounts;•limits on future borrowings under our existing or future credit arrangements, which could affect our ability to pay our indebtedness or to fund our other liquidity needs;•inability to generate sufficient funds to cover required interest payments;•restrictions on our ability to refinance our indebtedness on commercially reasonable terms;•limits on our flexibility in planning for, or reacting to, changes in our business and the information management services industry; and•inability to adjust to adverse economic conditions that could place us at a disadvantage to our competitors with less debt and who, therefore, may be able to take advantage of opportunities that our indebtedness prevents us from pursuing. IRON MOUNTAIN 2024 FORM 10-K15Table of ContentsPart ICertain of our indebtedness, including indebtedness under our Credit Agreement (as defined below), is paid at floating interest rates, and as a result, our interest expense or the cost of our debt may increase due to rising interest rates or changes to benchmark rates.Restrictive debt covenants may limit our ability to pursue our growth strategy.Our Credit Agreement and our indentures contain covenants restricting or limiting our ability to, among other things:•incur additional indebtedness;•pay dividends or make other restricted payments;•make asset dispositions;•create or permit liens;•sell, transfer or exchange assets;•guarantee certain indebtedness;•make acquisitions and other investments; and•enter into partnerships, joint ventures and co-investment vehicles.These restrictions and our long-term commitment to maintain our leverage ratio may adversely affect our ability to pursue acquisitions and other growth strategies, including our strategic growth plan.These restrictions and our long-term commitment to maintain our leverage ratio may adversely affect our ability to pursue our acquisition and other growth strategies, including our strategic growth plan. We may not have the ability to raise the funds necessary to finance the repurchase of outstanding senior notes upon a change of control event as required by our indentures.Upon the occurrence of a "change of control", as defined in our indentures, we will be required to offer to repurchase all of our outstanding senior notes. However, it is possible that we will not have sufficient funds at the time of a change of control to make the required repurchase of any outstanding notes or that restrictions in our Credit Agreement will not allow such repurchases. Failure to make the required repurchases could result in cross defaults or payment acceleration events under our other debt instruments. Certain important corporate events, however, such as leveraged recapitalizations that would increase the level of our indebtedness, would not constitute a "change of control" under our indentures.IMI is a holding company, and, therefore, its ability to make payments on its various debt obligations depends in large part on the operations of its subsidiaries.IMI is a holding company; substantially all of its assets consist of the equity in its subsidiaries, and substantially all of its operations are conducted by its direct and indirect consolidated subsidiaries. As a result, its ability to make payments on its debt obligations will be dependent upon the receipt of sufficient funds from its subsidiaries, whose ability to distribute funds may be limited by local capital requirements, joint venture and co-investment vehicle structures and other applicable restrictions. However, our various debt obligations are guaranteed, on a joint and several and full and unconditional basis, by IMI’s U.S. subsidiaries that represent the substantial majority of its U.S. operations.RISKS RELATED TO OUR TAXATION AS A REITIf we fail to remain qualified for taxation as a REIT, we will be subject to tax at corporate income tax rates and will not be able to deduct distributions to stockholders when computing our taxable income.We have elected to be taxed as a REIT for federal income tax purposes beginning with our 2014 taxable year. We believe that our organization and method of operation comply with the rules and regulations promulgated under the Internal Revenue Code of 1986, as amended (the "Code"), such that we will continue to qualify for taxation as a REIT. However, we can provide no assurance that we will remain qualified for taxation as a REIT. We also have invested in subsidiaries that have elected or that we expect will elect to be taxed as REITs and therefore must independently satisfy all REIT qualification requirements. We also have invested in a subsidiary that has elected to be taxed as a REIT and therefore must independently satisfy all REIT qualification requirements, and we may in the future invest in other such subsidiaries. We may in the future invest in other such subsidiary REITs. If such a subsidiary REIT were to fail to qualify as a REIT, it may cause us to fail to remain qualified for taxation as a REIT. If such subsidiary REIT were to fail to qualify as a REIT, it may cause us to fail to remain qualified for taxation as a REIT. If we fail to remain qualified for taxation as a REIT, including as a result of a cascading failure of any subsidiary REIT to remain qualified as a REIT, we will be subject to federal income taxation at corporate income tax rates unless certain relief provisions apply.Qualification for taxation as a REIT involves the application of highly technical and complex provisions of the Code to our operations, as well as various factual determinations concerning matters and circumstances not entirely within our control. There are limited judicial or administrative interpretations of applicable REIT provisions of the Code.If, in any taxable year, we fail to remain qualified for taxation as a REIT and are not entitled to relief under the Code:•we will not be allowed a deduction for distributions to stockholders in computing our taxable income;•we will be subject to federal and state income tax on our taxable income at regular corporate income tax rates; and•we would not be eligible to elect REIT status again until the fifth taxable year that begins after the first year for which we failed to qualify for taxation as a REIT.16IRON MOUNTAIN 2024 FORM 10-KTable of Contents Part IAny such corporate tax liability could be substantial and would reduce the amount of cash available for other purposes.16IRON MOUNTAIN 2023 FORM 10-KTable of Contents Part IAs a REIT, failure to make required distributions would subject us to federal corporate income tax. If we fail to remain qualified for taxation as a REIT, we may need to borrow additional funds or liquidate some investments to pay any additional tax liability. Accordingly, funds available for investment and distributions to stockholders could be reduced.As a REIT, failure to make required distributions would subject us to federal corporate income tax.We expect to continue paying regular quarterly distributions; however, the amount, timing and form of our regular quarterly distributions will be determined, and will be subject to adjustment, by our board of directors. To remain qualified for taxation as a REIT, we are generally required to distribute at least 90% of our REIT taxable income (determined without regard to the dividends paid deduction and excluding net capital gain) each year, or in limited circumstances, the following year, to our stockholders. Generally, we expect to distribute all or substantially all of our REIT taxable income. If our cash available for distribution falls short of our estimates, we may be unable to maintain distributions that approximate our REIT taxable income and may fail to remain qualified for taxation as a REIT. In addition, our cash flows from operations may be insufficient to fund required distributions as a result of nondeductible expenditures or as a result of differences in timing between the actual receipt of income and the payment of expenses and the recognition of income and expenses for federal income tax purposes.To the extent that we satisfy the 90% distribution requirement but distribute less than 100% of our REIT taxable income, we will be subject to federal corporate income tax on our undistributed taxable income. In addition, we will be subject to a 4% nondeductible excise tax on our undistributed taxable income if the actual amount that we distribute to our stockholders for a calendar year is less than the minimum amount specified under the Code.We may be required to borrow funds, sell assets or raise equity to satisfy our REIT distribution requirements, to comply with asset ownership tests or to fund capital expenditures, future growth and expansion initiatives.In order to satisfy our REIT distribution requirements and maintain our qualification and taxation as a REIT, or to fund capital expenditures, future growth and expansion initiatives, we may need to borrow funds, sell assets or raise equity, even if our financial condition or the then-prevailing market conditions are not favorable for these borrowings, sales or offerings. Furthermore, the REIT distribution requirements and our commitment to investors on dividend growth may result in increasing our financing needs to fund capital expenditures, future growth and expansion initiatives, which would increase our indebtedness. An increase in our outstanding debt could lead to a downgrade of our credit ratings, which could negatively impact our ability to access credit markets. Further, certain of our current debt instruments limit the amount of indebtedness we and our subsidiaries may incur. Additional financing, therefore, may be unavailable, more expensive or restricted by the terms of our outstanding indebtedness. For a discussion of risks related to our substantial level of indebtedness, see "Risks Related to Our Indebtedness".Complying with REIT requirements may limit our flexibility, cause us to forgo otherwise attractive opportunities that we would otherwise pursue to execute our strategic growth plan, or otherwise reduce our income and amounts available for distribution to our stockholders.To remain qualified for taxation as a REIT, we must satisfy tests concerning, among other things, the sources of our income, the nature and diversification of our assets and the amounts we distribute to our stockholders. Thus, compliance with these tests may require us to refrain from certain activities and may hinder our ability to make certain attractive investments, including the purchase of non-REIT qualifying operations or assets, the expansion of non-real estate activities, and investments in the businesses to be conducted by our taxable REIT subsidiaries ("TRSs"), and, to that extent, limit our opportunities and our flexibility to change our business strategy and execute on our strategic growth plan. This may restrict our ability to acquire certain businesses, enter into joint ventures or co-investment vehicles, or acquire minority interests of companies. Furthermore, acquisition opportunities in domestic and international markets may be adversely affected if we need or require the target company to comply with some REIT requirements prior to closing.We conduct a significant portion of our business activities, including our information management services businesses and several of our international operations, through domestic and foreign TRSs. Under the Code, no more than 20% of the value of the assets of a REIT may be represented by securities of one or more TRSs. Similar rules apply to other nonqualifying assets. These limitations may affect our ability to make additional investments in non-REIT qualifying operations or assets or in international operations through TRSs.If we fail to comply with specified asset ownership tests applicable to REITs as measured at the end of any calendar quarter, we generally must correct such failure within 30 days after the end of the applicable calendar quarter or qualify for statutory relief provisions to avoid losing our qualification for taxation as a REIT. As a result, we may be required to liquidate assets or to forgo our pursuit of otherwise attractive investments or executing on portions of our strategic growth plan. These actions may reduce our income and amounts available for distribution to our stockholders.IRON MOUNTAIN 2024 FORM 10-K17Table of ContentsPart IAs a REIT, we are limited in our ability to fund distribution payments using cash generated through our TRSs.IRON MOUNTAIN 2023 FORM 10-K11Table of ContentsPart IAs a global company, we are subject to the unique risks of operating in many countries. Our ability to receive distributions from our TRSs is limited by the rules with which we must comply to maintain our qualification for taxation as a REIT. In particular, at least 75% of our gross income for each taxable year as a REIT must be derived from real estate, which generally includes gross income from providing customers with secure storage space or colocation or wholesale data center space. Consequently, no more than 25% of our gross income may consist of dividend income from our TRSs and other nonqualifying types of income. Thus, our ability to receive distributions from our TRSs may be limited, which may impact our ability to fund distributions to our stockholders using cash flows from our TRSs. Specifically, if our TRSs become highly profitable, we might become limited in our ability to receive net income from our TRSs in an amount required to fund distributions to our stockholders commensurate with that profitability.In addition, a significant amount of our income and cash flows from our TRSs is generated from our international operations. In many cases, there are local withholding taxes and currency controls that may impact our ability or willingness to repatriate funds to the United States to help satisfy REIT distribution requirements.Our extensive use of TRSs, including for certain of our international operations, may cause us to fail to remain qualified for taxation as a REIT.Our operations include an extensive use of TRSs. The net income of our TRSs is not required to be distributed to us, and income that is not distributed to us generally is not subject to the REIT income distribution requirement. However, there may be limitations on our ability to accumulate earnings in our TRSs and the accumulation or reinvestment of significant earnings in our TRSs could result in adverse tax treatment. In particular, if the accumulation of cash in our TRSs causes (i) the fair market value of our securities in our TRSs to exceed 20% of the fair market value of our assets or (ii) the fair market value of our securities in our TRSs and other nonqualifying assets to exceed 25% of the fair market value of our assets, then we will fail to remain qualified for taxation as a REIT. Further, a substantial portion of our operations are conducted overseas, and a material change in foreign currency rates could also affect the value of our foreign holdings in our TRSs, negatively impacting our ability to remain qualified for taxation as a REIT.Even if we remain qualified for taxation as a REIT, some of our business activities are subject to corporate level income tax and foreign taxes, which will continue to reduce our cash flows, and we will have potential deferred and contingent tax liabilities.Even if we remain qualified for taxation as a REIT, we may be subject to some federal, state, local and foreign taxes, including taxes on any undistributed income, and state, local or foreign income, franchise, property and transfer taxes. In addition, we could in certain circumstances be required to pay an excise or penalty tax, which could be significant in amount, in order to utilize one or more relief provisions under the Code to maintain our qualification for taxation as a REIT.A portion of our business is conducted through TRSs because certain of our business activities could generate nonqualifying REIT income as currently structured and operated. The income of our domestic TRSs will continue to be subject to federal and state corporate income taxes. In addition, our international assets and operations will continue to be subject to taxation in the foreign jurisdictions where those assets are held or those operations are conducted. Any of these taxes would decrease our earnings and our available cash.We will also be subject to a federal corporate level income tax at the highest regular corporate income tax rate on gain recognized from a sale of a REIT asset where our basis in the asset is determined by reference to the basis of the asset in the hands of a C corporation (such as an asset that we hold in one of our qualified REIT subsidiaries ("QRSs") following the liquidation or other conversion of a former TRS). This tax is generally applicable to any disposition of such an asset during the five-year period after the date we first owned the asset as a REIT asset, to the extent of the built-in-gain based on the fair market value of such asset on the date we first held the asset as a REIT asset. In addition, any depreciation recapture income that we recognize because of accounting method changes that we make in connection with our acquisition activities will be fully subject to this tax.Complying with REIT requirements may limit our ability to hedge effectively and increase the cost of our hedging and may cause us to incur tax liabilities.The REIT provisions of the Code limit our ability to hedge assets, liabilities, revenues and expenses. Generally, income from hedging transactions that we enter into to manage risk of interest rate changes with respect to borrowings made or to be made by us to acquire or carry real estate assets and income from certain currency hedging transactions related to our non-United States operations, as well as income from qualifying counteracting hedges, do not constitute "gross income" for purposes of the REIT gross income tests. To the extent that we enter into other types of hedging transactions, the income from those transactions is likely to be treated as nonqualifying income for purposes of the REIT gross income tests. As a result of these rules, we may need to limit our use of advantageous hedging techniques or implement those hedges through our TRSs. This could increase the cost of our hedging activities because our TRSs would be subject to tax on income or gains resulting from hedges entered into by them and may expose us to greater risks associated with changes in interest rates or exchange rates than we would otherwise want to bear. In addition, hedging losses in any of our TRSs generally will not provide any tax benefit, except for being carried forward for possible use against future income or gain in the TRSs.18IRON MOUNTAIN 2024 FORM 10-KTable of Contents Part IDistributions payable by REITs generally do not qualify for preferential tax rates, which could reduce the demand for and market price of our common stock.16IRON MOUNTAIN 2023 FORM 10-KTable of Contents Part IAs a REIT, failure to make required distributions would subject us to federal corporate income tax. Dividends payable by United States corporations to noncorporate stockholders, such as individuals, trusts and estates, are generally eligible for reduced United States federal income tax rates applicable to "qualified dividends". Distributions paid by REITs generally are not treated as "qualified dividends" under the Code, and the reduced rates applicable to such dividends do not generally apply. However, for tax years beginning before 2026, REIT dividends paid to noncorporate stockholders that meet specified holding period requirements are generally taxed at an effective tax rate lower than applicable ordinary income tax rates due to the availability of a deduction under the Code for specified forms of income from passthrough entities. More favorable rates will nevertheless continue to apply to regular corporate "qualified" dividends, which may cause some investors to perceive that an investment in a REIT is less attractive than an investment in a non-REIT entity that pays dividends, thereby reducing the demand and market price of our common stock.The ownership and transfer restrictions contained in our certificate of incorporation may not protect our qualification for taxation as a REIT, could have unintended antitakeover effects and may prevent our stockholders from receiving a takeover premium.In order for us to remain qualified for taxation as a REIT, no more than 50% of the value of outstanding shares of our capital stock may be owned, beneficially or constructively, by five or fewer individuals at any time during the last half of each taxable year. In addition, rents from "affiliated tenants" will not qualify as qualifying REIT income if we own 10% or more by vote or value of the customer, whether directly or after application of attribution rules under the Code. Subject to certain exceptions, our certificate of incorporation prohibits any stockholder from owning, beneficially or constructively, more than (i) 9.8% in value of the outstanding shares of all classes or series of our capital stock or (ii) 9.8% in value or number, whichever is more restrictive, of the outstanding shares of any class or series of our capital stock. We refer to these restrictions collectively as the "ownership limits" and we included them in our certificate of incorporation to facilitate our compliance with REIT tax rules. The constructive ownership rules under the Code are complex and may cause the outstanding stock owned by a group of related individuals or entities to be deemed to be constructively owned by one individual or entity. As a result, the acquisition of less than 9.8% of our outstanding common stock (or the outstanding shares of any class or series of our capital stock) by an individual or entity could cause that individual or entity or another individual or entity to own constructively in excess of the relevant ownership limits. Any attempt to own or transfer shares of our common stock or of any of our other capital stock in violation of these restrictions may result in the shares being automatically transferred to a charitable trust or may be void. Even though our certificate of incorporation contains the ownership limits, there can be no assurance that these provisions will be effective to prevent our qualification for taxation as a REIT from being jeopardized, including under the affiliated tenant rule. Furthermore, there can be no assurance that we will be able to monitor and enforce the ownership limits. If the restrictions in our certificate of incorporation are not effective and, as a result, we fail to satisfy the REIT tax rules described above, then, absent an applicable relief provision, we will fail to remain qualified for taxation as a REIT.In addition, the ownership and transfer restrictions could delay, defer or prevent a transaction or a change in control that might involve a premium price for our stock or otherwise be in the best interest of our stockholders. As a result, the overall effect of the ownership and transfer restrictions may be to render more difficult or discourage any attempt to acquire us, even if such acquisition may be favorable to the interests of our stockholders. Legislative or other actions affecting REITs could have a negative effect on us or our stockholders.At any time, the federal or state income tax laws governing REITs, the administrative interpretations of those laws, or local laws impacting our REIT structure for our international operations may be amended. Federal, state and local tax laws are constantly under review by persons involved in the legislative process, the United States Internal Revenue Service, the United States Department of the Treasury and state and local taxing authorities. Changes to the tax laws, regulations and administrative interpretations or local laws governing our international operations, which may have retroactive application, could adversely affect us. In addition, some of these changes could have a more significant impact on us as compared to other REITs due to the nature of our business and our substantial use of TRSs, particularly non-United States TRSs, or how we have structured our operations outside the United States to comply with REIT qualification requirements. We cannot predict with certainty whether, when, in what forms, or with what effective dates, the tax laws, regulations, administrative interpretations or local laws applicable to us may be changed or if such laws would impact our ability to remain qualified for taxation as a REIT or the costs of doing so. GENERAL RISK FACTORSOur cash distributions are not guaranteed and may fluctuate.As a REIT, we are generally required to distribute at least 90% of our REIT taxable income to our stockholders. Furthermore, we are committed to growing our dividends, and have stated this publicly.Our board of directors, in its sole discretion, will determine, on a quarterly basis, the amount of cash to be distributed to our stockholders based on a number of factors including, but not limited to, our results of operations, cash flow and capital requirements, economic conditions, tax considerations, borrowing capacity and other factors, including debt covenant restrictions that may impose limitations on cash payments, future acquisitions and divestitures, any stock repurchase program and general market demand for our space and related services. Consequently, our distribution levels may fluctuate and we may not be able to meet our public commitments with respect to dividend growth.IRON MOUNTAIN 2024 FORM 10-K19Table of ContentsPart IOur business could be adversely impacted if there are deficiencies in our disclosure controls and procedures or internal control over financial reporting.IRON MOUNTAIN 2023 FORM 10-K7Table of ContentsPart IIron Mountain is committed to transparent reporting on our sustainability efforts and we leverage widely adopted reporting frameworks to report annually on our results. The design and effectiveness of our disclosure controls and procedures and internal control over financial reporting may not prevent all errors, misstatements or misrepresentations. While management will continue to review the effectiveness of our disclosure controls and procedures and internal control over financial reporting, there can be no guarantee that our internal control over financial reporting will be effective in accomplishing all control objectives all of the time. Furthermore, our disclosure controls and procedures and internal control over financial reporting with respect to entities that we do not control or manage may be substantially more limited than those we maintain with respect to the subsidiaries that we have controlled or managed over the course of time. Deficiencies, including any material weakness, in our internal control over financial reporting which may occur in the future could result in misstatements of our results of operations, restatements of our financial statements, a decline in our stock price, or otherwise materially adversely affect our business, reputation, results of operations, financial condition or liquidity.We face competition for customers.We compete with multiple businesses in all geographic areas where we operate; our current or potential customers may choose to use those competitors instead of us. In addition, if we are successful in winning record storage customers from competitors, the process of moving their stored records into our facilities is often costly and time consuming. We also compete, in some of our business lines, with our current and potential customers’ internal storage and information management services capabilities and their cloud-based alternatives. These organizations may not begin or continue to use us for their future storage and information management service needs.The performance of our businesses relies on our ability to attract, develop, and retain talented personnel, while controlling our labor costs.We are highly dependent on skilled and qualified personnel to operate our businesses. Furthermore, our contracts with the United States Government require us to use personnel with security clearances, and we may not be successful or may experience delays in attracting, training or retaining qualified personnel with the requisite skills or security clearances. The failure to attract and retain qualified employees or to effectively control our labor costs could negatively affect our competitive position and operating results. Our ability to control labor costs and attract qualified personnel is subject to numerous external factors, including prevailing wages, labor shortages, the impact of legislation or regulations governing wages and hours, labor relations, immigration, healthcare and other benefits, other employment-related costs and the hiring practices of our competitors.ITEM 1B. UNRESOLVED STAFF COMMENTS.None.ITEM 1C. CYBERSECURITY.RISK MANAGEMENT AND STRATEGY We maintain a robust information security program that is designed to protect our information and the information of our customers. Our information security program is based on a recognized cybersecurity framework established by the National Institute of Standards and Technology ("NIST") and establishes controls to mitigate critical areas of cybersecurity risk. Our information security program has adopted all elements of the NIST cybersecurity framework, including the six functions of identify, protect, detect, respond, recover and govern, as well as each of the categories and control groups thereunder. This does not imply that we meet any particular technical standards, specifications, or requirements, but only that we use the NIST framework as a guide to ensure our information security program is designed to manage cybersecurity risks relevant to our business. Among other things, the cybersecurity controls in our information security program address information access rights, incident monitoring and response processes, information technology system configuration, network security, security architecture planning, mobile device security and compliance with information security policy requirements and protocols. These cybersecurity controls are designed to oversee, identify and mitigate risks from all cybersecurity threats, including those arising from our use of third-party service providers. Our cybersecurity controls are evaluated regularly by our internal information security team, and we engage a third party examiner to assess the maturity of our information security program against the NIST cybersecurity framework no less frequently than bi-annually. Additionally, our information security program is assessed periodically by a federal regulator in the United States as part of its routine audit of the Company. In addition to our internal assessments, we also assess our third-party service providers on a regular basis using a risk-based approach that assigns a risk calculation to each such service provider. The results of our assessments are tracked and evaluated to ensure these third parties comply with our cybersecurity standards. Results of our assessments are tracked and evaluated to ensure these third parties comply with our cybersecurity standards. We require all employees to undertake data protection and cybersecurity training and compliance programs annually.20IRON MOUNTAIN 2024 FORM 10-KTable of Contents Part IOur reputation for providing secure information storage to customers is critical to the success of our business, and protecting against material cybersecurity risks is an integral part of maintaining that reputation.10IRON MOUNTAIN 2023 FORM 10-KTable of Contents Part IFor example, the success of our significant acquisitions depends, in large part, on our ability to realize the anticipated benefits, including cost savings or revenue acceleration from combining the acquired businesses with ours. A successful cybersecurity breach could lead to theft or misuse of our or our customers’ proprietary or confidential information or our employees’ personal information and result in third-party claims against us, regulatory penalties and reputational harm. As part of our information security program, we also actively monitor emerging cyberattack patterns to develop custom detection capabilities and mitigation techniques to protect against material risk of cybersecurity threats. As part of our information security program, we also actively monitor emerging cyber attack patterns to develop custom detection capabilities and mitigation techniques to protect against material risk of cybersecurity threats. Upon encountering a cybersecurity incident, our information security team responds using our detailed cybersecurity incident response plan ("CSIRP"), which is based on industry best practices, relevant legal requirements and our contractual commitments. Upon encountering a cybersecurity incident, our information security team responds using our detailed cyber security incident response plan (“CSIRP”), which is based on industry best practices, relevant legal requirements and our contractual commitments. Among other things, the CSIRP sets forth the specific criteria used to assess a cybersecurity incident, mitigate risks of adverse consequences associated with any such incident, protocols to escalate the management of the incident and the process to inform our executive management team and any impacted functions of our business. All cybersecurity incidents are assessed to determine whether disclosure is required pursuant to any contractual or regulatory requirements and any material cybersecurity incident is also reported to our board of directors (our "Board"). To date, our information security program has been successful in protecting against risks from cybersecurity threats, and we have not had any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. Additional information about cybersecurity risks we face is discussed in Item 1A of Part I, “Risk Factors,” under the heading “Attacks on our internal IT systems could damage our reputation, cause us to lose revenues, and adversely affect our business, financial condition and results of operations”, which should be read in conjunction with the information above.GOVERNANCE Our Board reviews and discusses significant risks with executive management, including cybersecurity risk, that affect us. GOVERNANCE Our Board reviews and discusses significant risks with executive management, including cybersecurity risk, that affect us. Although our executive management team and our Board work together on risk matters, our Board has the ultimate oversight authority over all enterprise risks, including cybersecurity risk. Our Board reserves the right to, and periodically does, consult with third-party advisors and experts to assist our Board in understanding and anticipating future cybersecurity threats and trends. The risk and safety committee of our Board (the "RSC") is specifically tasked with reviewing and monitoring cybersecurity and information security risk, as well as the risk management strategies, systems and policies, and processes implemented, established and reported on by our executive management team. The RSC is also primarily responsible for assisting our Board with oversight of our enterprise risk management program. Our executive management team, with oversight from our Board, is responsible for our enterprise risk management process and the day-to-day supervision and mitigation of enterprise risks, including cybersecurity risk.Our executive management team, with oversight from our Board, is responsible for our enterprise risk management process and the day-to-day supervision and mitigation of enterprise risks, including cybersecurity risk. Our enterprise risk management program includes our executive management team receiving regular reports from our operations personnel. As part of our enterprise risk program, our executive management team has established an enterprise risk committee (the "ERC"), which is chaired by our Chief Risk Officer and is otherwise composed of each of our other executive vice presidents. The ERC oversees our risk and compliance activities to ensure that management has appropriate policies and management plans in place for managing risks of the business, including cybersecurity risk, as well as reviewing and prioritizing significant risks and allocating resources for risk mitigation. The ERC oversees our risk and compliance activities to ensure that management has appropriate policies, structures and systems in place for managing risks of the business, including cybersecurity risk. Our Chief Risk Officer provides reports at each meeting of the RSC on areas of potential risks to us, including cybersecurity risk, and our Chief Information Security Officer provides quarterly reports to the RSC on the key performance indicators of our information security program to facilitate the RSC’s oversight of the program through objective measurements, including metrics regarding software patching, IT asset management, cyber incident management and cybersecurity training. Reports by our Chief Information Security Officer also include detailed information on the activities of our cyber incident response team to allow for analysis of trends and the identification of any control gaps that require remediation.We also maintain a business information security committee (the "ISC") with employee representation across geographies, business lines and business functions. We also maintain a business information security committee (the "ISC") with employee representation across geographies, business lines and business functions. The ISC includes a cross functional group of our employees with expertise and responsibilities in areas such as operations, digital product solutions, information technology, compliance, security, finance, privacy, internal audit and legal risk mitigation. The ISC is managed by our Chief Information Security Officer and meets regularly to receive updates on our cybersecurity posture, emerging risks and new cybersecurity capabilities. Members of the ISC act as points of contact during incident response activities to provide oversight and logistical support to the information security team.The information security team is made primarily of full-time employees; however, we routinely engage consultants to provide supplemental labor and additional expertise in specific areas on an as-needed basis. The information security team is made primarily of full-time employees; however, we routinely engage consultants to provide supplemental labor and additional expertise in specific areas on an as-needed basis. Our information security team is organized based on industry best practices in alignment with NIST recommendations. All of the leaders in our information security team have over 10 years of cybersecurity experience and most of our information security staff maintain cybersecurity program certifications such as CMU Cybersecurity Executive Certification, ISACA Certifications (CISSP & CISM) and other relevant vendor certifications. Our information security team also regularly undergoes continuing education to ensure our implementation of best-in-class techniques. IRON MOUNTAIN 2024 FORM 10-K21Table of ContentsPart I.