As we begin 2025, many public companies are turning their attention to drafting their annual Form 10-K. A significant portion of the filing is usually devoted to providing information regarding the risks that may materially affect the company’s business. While registrants should update risk factors, as necessary, throughout the year in their interim 10-Q filings, risk factors must be refreshed in Form 10-K by adding newly identified or emerging risks and by removing risks the registrant has determined to be no longer material.
There have been significant technological, political and economic developments in the past year that may impact the risks facing a wide spectrum of companies. When updating their risk factors, we recommend that public companies pay particular attention to the following developments, which in many cases are multi-faceted. Companies should carefully evaluate the potential impact each element of these developments may have on their business. It is important that risk factors are sufficiently tailored to a company’s particular circumstances. Risk factors should not be abstract or boilerplate and, where applicable, a company should explicitly state if it has experienced the risk.
Artificial intelligence risks
Artificial intelligence (AI) use cases and commercial adoption increased rapidly in 2024. We suggest that AI’s potential effects be reviewed by all registrants, regardless of industry. While some of the prominent AI players (e.g., Nvidia, Microsoft, Broadcom) have AI-specific risk factors dating back to 2018, registrants should investigate any material direct or indirect effects of AI on their business for 2025, including potential effects on suppliers and customers, as well as their own products and services. Companies might consider the following questions to assist in such analysis:
- Competitive risks: Are other companies in our industry adopting AI faster or more efficiently than we? Is our business especially prone to, or insulated from, disruption by AI?
- Regulatory risks: Would greater regulation of AI have a material adverse effect or a material positive effect on our business?
- General risks: Does our exposure to AI, whether direct or indirect, subject us to potential reputational (e.g., AI-washing) or cybersecurity harm? Do we need to revisit our cybersecurity and reputational harm risk factors? What circumstances might occur that would adversely impact our business model or financial projections?
Registrants who already have AI-related risk factors in their public filings should update those risk factors to reflect the current state of a rapidly changing commercial and regulatory landscape. For example, in 2024, some banks began using AI to detect fraud in real time; the European Union’s AI Act, which is expected to shape AI deployment in Europe, was passed on Aug. 1, 2024; and generative AI’s language models and image generation progress reached new heights, continuing to blur the distinction between human-created and machine-created content.
Political risks
Broadly speaking, new political leadership can bring with it different executive branch enforcement agendas. For example, with Donald Trump as the president-elect, there has been significant turnover at the Securities and Exchange Commission, including Gary Gensler’s resignation as chair of the Commission. Many registrants are reviewing prior and planned public statements addressing their stances, policies or practices related to topics such as diversity, equity and inclusion (DEI) and environmental, social and governance (ESG). For example, Target Corp. is in the midst of shareholder litigation alleging that Target misled investors about its efforts to guard against social and political risks related to its corporate DEI measures and practices, including sales of LGBTQ-themed merchandise. On Dec. 4, 2024, the U.S. District Court for the Middle District of Florida denied Target’s motion to dismiss.
Additionally, Trump has announced that he may impose an additional 10% tariff on China, and 25% tariffs on Mexico and Canada. If the executive branch more aggressively pursues countervailing duty and anti-dumping investigations, tariffs for specific imports may increase regardless of whether new tariffs are implemented. Companies should consider whether such tariffs, if implemented, would have direct or indirect negative impacts on the company. For example, many companies rely on relatively lower cost foreign-made components and may therefore face higher production costs. Another possibility is retaliatory tariffs. Companies should review the international components of their supply chain and draft or update related risk factors accordingly.
International conflict risks
International conflict affected commerce worldwide over the course of 2024 and, unfortunately, is likely to continue to do so in 2025. Most notably, the Ukraine/Russia conflict and various Middle East conflicts have received significant media coverage. Note that Russia-related sanctions have been instituted by the Office of Foreign Assets Control (OFAC). Geopolitical instability can lead to significant disruption in supply chain efficiency, adding cost and delays. Companies should review their international operations and suppliers, any related sanctions, restrictions or other governmental guidance and draft or update related risk factors accordingly.
Regulatory deference risks
On June 28, 2024, the U.S. Supreme Court ruled on Loper Bright Enterprises v. Raimondo, thereby overturning the Chevron Doctrine, a Supreme Court ruling from 1984 that provided for deference to U.S. regulatory agency regulations adopted pursuant to general federal statutory authority. This decision and other related decisions may create new legal avenues to challenge federal regulations, which may create unforeseen uncertainty, especially for businesses that have relied on a settled regulatory environment in their industry. Some companies, particularly life science companies, are updating their regulatory risk factors to include and specifically identify this decision. All companies, but particularly those that have historically been able to rely on an established regulatory environment, should evaluate the potential risks of challenges to agency rules that regulate their industry.
Reliance on third-party risks
Similar to a company’s assessment of its reliance on a single customer or small number of customers to generate a significant percentage of its revenues, companies should assess their reliance on any operationally significant third-party service providers. A high-profile example of third-party service provider reliance risk is the CrowdStrike outage that occurred in July 2024, which affected thousands of companies across multiple sectors, including transportation, healthcare and financial services. The outage was caused by a faulty update to CrowdStrike’s security software, which was integrated into Microsoft’s Azure platform. The outage caused estimated losses of at least $10 billion globally. Microsoft added a risk factor disclosing such risk. If a company has both a single customer reliance risk and a third-party service provider reliance risk, we suggest discussing those risks in separate risk factors.