
With the 2025 annual reporting season upon us, public companies should consider potential updates to their risk factors for their Form 10-Ks and 20-Fs in light of recent economic, political, technological, and regulatory developments.[1]
As a starting point, this alert features (i) a list of key developments that US public companies should consider as they update risk factors in Part I and (ii) critical drafting considerations in Part II. Each company will, of course, need to assess its own material risks and tailor its risk factor disclosure to its particular circumstances.
As further described below, calendar year-end companies should review and update their risk factors by assessing the material risks that impact their businesses. Well-drafted risk factors play a crucial role in defending public companies against allegations of fraud under the US federal securities laws, and companies should therefore take the time to update their risk factor disclosure and tailor risks to their own facts and circumstances.
Part I: Key Developments to Consider when Updating 2024 Annual Report Risk Factor Disclosures
1. Risk Factor Considerations on Artificial Intelligence ("AI")
While the use of AI technologies is in the early stages of widespread adoption and continues to rapidly evolve, companies are increasingly considering the extent to which AI will be used in their operations. Risks related to AI include operational risks, such as the potential for errors or inaccuracies in work product developed with AI; privacy-related risks, such as compliance with required privacy notices or receipt of consents; risks related to intellectual property rights with respect to both the inputs to the program (including leakage of confidential or proprietary information, or infringement) and the program outputs (including infringement by, and ownership rights to, AI work product); risks related to AI's impact on the workforce; content-related risks for public AI-generated outputs; and ethical risks related to the potential for inherent biases in the algorithm or programming, among others. The complexity of, and lack of transparency into, many AI models, together with the speed of technological advancements, may make it difficult for companies to understand and assess their proper operation and fully recognize the related risks. Cybersecurity-related issues are also a significant risk for AI.
In addition, the legal and regulatory environment relating to AI is uncertain and rapidly evolving, both in the US and internationally, and includes new regulations targeted specifically at AI as well as updates to or developments in intellectual property, privacy, consumer protection, employment, and other laws regarding the use of AI.[2] These laws and regulations could require changes in a company's implementation of AI technology, increase compliance costs and/or increase the risk of non-compliance. Any of these risks could expose a company to liability or adverse legal or regulatory consequences and reputational harm. There is also the risk of AI-related competition and threats to current business models, as evolving AI technologies may increase competition, alter consumer demand or render existing technologies obsolete. In assessing whether and to what extent AI should be addressed in risk factors, companies should consider their disclosure on AI across their annual report, website, press releases and other public statements in light of their operations and industry, and determine whether risks related to AI pose a material risk to their businesses and prospects.
Appropriate risk factor disclosure is crucial to address SEC concerns of "AI-washing," or misleading investors as to their true artificial intelligence capabilities.[3] Companies should ensure that they accurately address risks related to their particular use of AI technologies and that they have a reasonable basis for any claims they make about AI.
2. Risk Factor Considerations on Cybersecurity
Cybersecurity incidents, data misuse, and ransomware attacks continue to be top of mind for both companies and investors, particularly in light of evolving technologies such as AI. Unauthorized access and data breaches pose threats of theft, misuse, or loss of sensitive data, including personal, financial, and proprietary information which can result in operational disruptions, impact a company's reputation, customer trust, and financial condition, and lead to legal liabilities, regulatory fines, and costly remediation efforts. Reliance on third-party vendors can introduce additional vulnerabilities. Further, timely detection, identification, and response to evolving cyber threats remain challenging, requiring significant resources for cybersecurity measures, technology upgrades, training, and incident response. Cybersecurity insurance may offer some protection, but it may not fully cover all losses or liabilities.
In assessing cybersecurity risk factor disclosures, companies should take note of recent enforcement actions and comment letters from the SEC. Four recent enforcement actions emphasize the importance of not downplaying the extent of a cybersecurity breach and of providing accurate disclosure related to cybersecurity risks. In one of these cases, the SEC pointed out that "the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized." Companies should also remain mindful of the SolarWinds SEC enforcement action, which focused in large part on risk factor disclosure failures.[4] A federal judge ultimately dismissed all of the SEC's allegations related to SolarWinds' risk factor disclosures (among other disclosures), noting that the company did sufficiently disclose the "types and nature of the cybersecurity risks SolarWinds faced and the grave potential consequences" to it and that, while some of the disclosure was formulaic, "viewed in totality" the disclosure provided acceptable "breadth, specificity and clarity."[5] These cases provide important guidance as to the relevant disclosure standards for companies' cybersecurity risk factor disclosure. Risk factor disclosure should sufficiently alert investors about the types and nature of the specific cybersecurity risks faced, taking into account the company's specific business model, and the potential consequences to the company stemming from a cyber incident. In addition to not characterizing already-experienced risks as hypothetical or generic, companies should be sure to evaluate and update existing disclosure to reflect changing circumstances and the company's changed risk profile as a result of any recent cybersecurity incidents. Companies should also consider disclosures around the potential impact of a cybersecurity incident on customer and vendor relationships, goodwill, reputation and competitiveness.
Cyber disclosure must also be consistent across the annual report and accurately reflect a company's cybersecurity risk profile, particularly in light of the new disclosure required of companies under Part I, Item 1C (for more information, see our alert, Key Considerations for the 2025 Annual Reporting and Proxy Season: Your Upcoming Form 10-K). Companies should also continue to take into account the SEC's 2018 cybersecurity disclosure guidance, which called on companies to "disclose previous or ongoing cybersecurity incidents or other past events in order to place discussions of these risks in the appropriate context," specified a number of issues to consider for risk factor disclosure, including "costs associated with maintaining cybersecurity protections" and "third party supplier and service provider risks," and directed companies to consider "the aspects of the company's business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks."[6] Comment letters have also touched on discrepancies in reporting, so companies should ensure that cybersecurity risks or incidents are disclosed consistently across all filings, as appropriate.[7]
3. Climate
Recent extreme weather events, including the wildfires in Los Angeles and devastating hurricanes, flooding and heat waves experienced in 2024, underscore the physical, financial, and operational risks associated with severe weather and climate issues. Weather events can disrupt company operations and supply chains, create shortages of raw materials, impact workforce availability and cause damage to business infrastructure. It is important that companies carefully consider and disclose any such risks that could materially impact their business, results of operations or financial condition.
Companies should also consider whether they face risks related to compliance with climate-related regulations that should be disclosed. While the SEC's climate disclosure rules have been voluntarily stayed, other jurisdictions have implemented laws that may affect a company's climate-related risks. For example, companies that do business in California should consider the potential impacts of California legislation which, although subject to ongoing litigation and promulgation of regulations, would require disclosure related to greenhouse gas emissions and climate-related financial risks. Similarly, companies that generate substantial revenues from within the EU should be considering the applicability of the Corporate Sustainability Reporting Directive, which may, even for non-EU domiciled companies, require detailed disclosures in relation to a range of sustainability-related issues, including climate change, and any associated risks, such as increased compliance costs and operational expenses resulting from regulations. Companies should also consider and disclose, if material, risks related to non-compliance with such regulations, and also consider whether any additional disclosures necessitated by climate-related regulations could require corresponding updates to their risk factor disclosures.
Companies must navigate these regulatory changes while also addressing the financial implications of transitioning to a low-carbon economy, which may reduce demand for carbon-intensive products and require investments in sustainable technologies. If market and consumer behavior shifts towards a preference for sustainable products, failure to meet these changing preferences can adversely impact demand and damage a company's reputation. Implementing environmental initiatives involves financial risks and costs, and failure to achieve targets can result in reputational harm. Companies should carefully consider whether any of these multifaceted risks are relevant to their business and, if so, ensure they are accurately disclosed.
While the SEC did not issue any comment letters related to companies' climate change-related risk factor disclosures in 2024,[8] the SEC's 2021 sample comment letter to companies remains instructive when drafting climate-related risk factors.[9] Companies should continue to exercise care when making environmental or other sustainability-focused statements, to ensure that any risks related to such statements are accurately disclosed and that there is consistency among all of the company's filed and non-filed public disclosures.
4. Risk Factor Disclosure Related to Political Changes in the US
With the upcoming transition in the US to a new presidential administration, companies should consider disclosure of any potential risks related to these or other anticipated changes of the new administration if they could be material to their business. Some areas of possible impact include:
- US trade policies and practices: President-elect Trump has discussed implementing a 10-20% tariff on US imports, a 25% tariff on imports from Mexico and Canada, and increasing the tariff on Chinese products to at least 60%. Whether and to what extent these tariffs will be imposed remains to be seen, but if tariffs are imposed or increased, materials and goods that US companies import may face higher prices, which could lead to reduced margins or increased prices that could cause decreased consumer demand. However, for some companies that operate and source materials only in the US, this could present financial benefits and potentially result in growth.
- Environmental regulations: President-elect Trump has discussed pursuing an agenda that focuses on deregulation, particularly with respect to environmental and climate change-related regulations. While this could be a boon to companies in the traditional energy sectors, such policies could be detrimental to more sustainable-focused energy companies or industries.
- Immigration: One clear focus of the Trump campaign was a promise to reduce or eliminate illegal immigration, which could have an impact on businesses, particularly agriculture, construction, hospitality, home health care and child/elder care.
- Changes to regulatory agencies: It is possible that the Trump administration could institute significant changes to certain regulatory agencies and seek to institute the "Department of Government Efficiency," or "DOGE," tasked with making changes to eliminate regulations, cut expenditures, and restructure federal agencies, some of which could impact public companies. For example, the incoming administration has discussed several changes to the reach and oversight of the Food and Drug Administration, which could affect its relationship with the pharmaceutical industry, transparency in decision making and ultimately the cost and availability of prescription drugs, as well as oversight over clinical trials and pharmaceutical development, all of which could pose risks (or opportunities) for companies in related industries. Similarly, there have been discussions of "reining in" regulatory agencies such as the Federal Trade Commission, the Federal Communications Commission and the Federal Energy Regulatory Commission, all of which could impact how companies do business and could pose risks related to business operations and financial outlook.
5. International Geopolitics
Ongoing conflicts across the globe, such as Russia-Ukraine and the Middle East, international tensions such as those between the US and China, and political turmoil in Europe may pose material risks to companies, particularly those with significant operations or investments in impacted regions. For example, companies that utilize the Red Sea trade routes in the Middle East have experienced, and could continue to experience, significant disruptions in the flow of goods or materials and/or increased shipping costs to avoid this route as a result of Iranian-backed Houthi attacks. Companies should evaluate these risks and consider updating their risk factor disclosure to reflect the current landscape. It is imperative that companies tailor these risks to their particular situation and operations, including considerations with respect to their employee base, investments, sanctions, legal or regulatory uncertainties, commodity prices, business relationships and assets.[10]
Given heightened geopolitical tensions, companies should also consider risks related to sanctions imposed on countries with which they have business relationships. For example, sanctions have recently been expanded to include additional third-country suppliers and networks that materially support Russia's ongoing activities in Ukraine. These existing sanctions, along with potential new ones in response to escalating conflicts in regions such as the South China Sea, can result in supply chain disruptions, contractual disputes, litigation, asset freezes, business continuity disruptions, capital restrictions, countersanctions, heightened cybersecurity concerns, changes in customer demand, and reputational risk. As in all cases, it is important that impacted companies accurately describe the risks that apply to their particular facts and circumstances.
In addition, companies with substantial operations in other countries face specific risks that should be considered and disclosed if material. Risks include unexpected changes in regulatory requirements, export and import restrictions, tariffs and trade barriers, difficulties in staffing and managing foreign operations, longer payment cycles, problems in collecting accounts receivable, potential adverse tax consequences, exchange rate fluctuations, increased risks of piracy, limits on the ability to enforce intellectual property rights, limitations on fund transfers and other legal and political risks. Such risks should be considered when drafting updates to risk factor disclosures.
Part II: Important Drafting Considerations when Updating Annual Report Risk Factor Disclosures
1. Avoid Boilerplate Disclosures
The SEC has consistently stressed the importance of companies customizing their risk factor disclosures to reflect their unique facts and circumstances, steering clear of generic and boilerplate language. This is in line with Item 503(c) of Regulation S-K, which advises companies against presenting risks that are applicable to any issuer or offering. Recent SEC comment letters highlight this focus, urging companies to "contextualize risk factors so your reader can grasp the specific risks as they pertain to you," avoid "overly broad and boilerplate language, and provide more precise information to emphasize actual risks," and to "particularize to your company or remove those risk factors that fail to meet these standards."[11]
2. Carefully Scrutinize Hypothetical Statements
It is crucial that hypothetical statements in risk factor disclosures (e.g., indicating that an event "could" or "may" occur rather than "has" or "did" occur) undergo thorough scrutiny and evaluation. The SEC remains vigilant on this issue and has instituted enforcement actions against numerous companies for disclosing as hypothetical risks that have already transpired. Beyond the threat of enforcement, shareholders have pursued claims under Section 10(b) of the Securities Exchange Act of 1934, as amended, arguing that statements in a company's risk factors were materially misleading because the company suggested that an event only "may" or "could" happen, when, in reality, it was no longer hypothetical at the time of disclosure. One recent such case, Facebook, Inc. v. Amalgamated Bank, reached the Supreme Court in 2024, although the Court dismissed the appeal, and prior cases have underscored this issue (see, for example, Time to Revisit Risk Factors in Periodic Reports).[12] Given the potential risks from an SEC enforcement and shareholder litigation perspective, companies should carefully review any hypothetical risk factor language and clarify whether a disclosed potential risk has actually occurred in some manner.[13]
3. A Note on Forward-Looking Statements
Well-drafted risk factors can protect a company from liability for forward-looking statements and serve as a form of free liability insurance to protect a company when disclosing both projections as they relate to financial information and non-financial information. In particular, companies should take into account financial models that support their projections and confirm that material risks related to these projections, including financial models, bases and assumptions that support them, are sufficiently disclosed.
4. Review for Internal Consistency and Consistency Across Public Disclosures
When drafting or reviewing risk factors, companies should ensure consistency with other sections of their annual report, as risk factors do not exist in isolation and should make sense within the context of the entire disclosure document. This involves examining the Business and MD&A sections (for foreign private issuers, the equivalents of Items 4 and 5 of Form 20-F) and the financial statements to ensure that any significant factors, changes, and liabilities are appropriately addressed. Providing cross-references to other sections of the annual report can be effective (e.g., linking cybersecurity risk management disclosures to the cybersecurity risk factors); however, any material risks must also be disclosed within the risk factor section itself. Companies should also review all public disclosures on a given topic for consistency, as the SEC may review both filed and non-filed disclosures when assessing accuracy.
5. Remember to Update or Delete Risk Factors That Have Changed in Importance or Are No Longer Relevant
When evaluating risk factor disclosures, it is essential not only to update for newly-realized risks but also to evaluate whether all of the enumerated risks remain material and relevant. Companies should remove, update, or revise risks that no longer present material concerns or where the potential impact has changed significantly. For instance, a survey of Form 10-Ks filed in 2024 by select Fortune 50 and mid-cap companies revealed that most references to COVID-19 had been replaced with more generic public health crisis references or deleted entirely. As a reminder, risk factors should be updated through the filing date of the annual report, rather than as of the end of the fiscal period covered by the report.
6. Reminders on Risk Factor Presentation
- Ordering of Risks. While it is not mandatory to order risks by their magnitude or potential impact, it is generally considered best practice to do so. Item 105 of Regulation S-K specifies that risks should be "organized logically," and Item 3.B of Form 20-F encourages companies to list risk factors in order of their priority to the company. Companies should consider the order that makes the most sense for investors. Additionally, companies must group related risk factors under relevant headings and provide sub-captions for each risk factor. Although this is not a technical requirement for foreign private issuers, they commonly follow this practice in their Form 20-Fs. Moreover, risk factors should be specific to the company or its industry. Any risk factors that are generic and apply to any registrant or offering must be disclosed at the end of the risk factor section under the caption "General Risk Factors." Again, while this is not a technical requirement for foreign private issuers, they often include this in their Form 20-Fs. These requirements have been in effect since 2020, and companies should review their groupings and headings annually to ensure their risk factor section is appropriately organized and updated.
- Risk Factor Summaries. If your risk factor section exceeds 15 pages, you are required to include a summary of the principal risk factors in a series of concise, bulleted, or numbered statements that is no longer than two pages. This summary should be placed at the "forepart" or beginning of the Form 10-K. To avoid repetition, companies can combine this summary with the forward-looking statement legend, provided the legend is appropriately titled to reflect its dual purposes, such as "Cautionary Note Regarding Forward-Looking Statements and Risk Factor Summary." While this requirement does not apply to Form 20-F, it applies to foreign private issuers' registration statements on Forms F-1, F-3 and F-4, because such forms specifically refer to Item 105 of Regulation S-K.
The following White & Case attorneys authored this alert: Maia Gez, Scott Levi, Michelle Rutta, Melinda Anderson, and Danielle Herrick.
[1] See Item 105 of Regulation S-K.
[2] For the most up-to-date information on AI regulations worldwide, see our "AI Watch: Global Regulatory Tracker." See, for example, "Raft of California AI Legislation Adds to Growing Patchwork of US Regulation," "Regulators and Businesses Race to Keep up with Rapid Innovation" and "Foster innovation or mitigate risk? AI regulation in Latin America."
[3] See "New Settlements Demonstrate the SEC's Ongoing Efforts to Hold Companies Accountable for AI-Washing."
[4] The SEC argued that the company's SEC filings "contained general, high-level risk disclosures" that the SEC alleged "failed to address known risks" and that the company's filings described a specific vulnerability as something that "could potentially" allow an attacker to compromise information, when in fact the vulnerability had already been utilized to do so on at least three occasions. The company also stated that it was both "still investigating" and had hired third-party cybersecurity experts to assist in an investigation of "whether a vulnerability in the Orion monitoring products was exploited" when it already knew that the vulnerability had been exploited on at least three prior occasions. Complaint, SEC v. SolarWinds Corp. and Brown, No. 1:23-cv-9518 (S.D.N.Y. Oct. 30, 2023). Also, see our alert, "Time to Revisit Risk Factors in Periodic Reports."
[5] SEC v. SolarWinds Corp., No. 1:23-cv-9518 (S.D.N.Y. July 18, 2024), at 72.
[6] See page 13 of the Commission Statement and Guidance on Public Company Cybersecurity Disclosures. The 2018 guidance as it pertains to risk factors remains a useful point of consideration. Companies may also want to consider the December 2019 guidance from the SEC focused on risks related to the potential theft or compromise of their technology, data, or intellectual property in connection with their international operations.
[7] For example, one comment letter noted that a Form 8-K disclosed what appeared to be a material impact related to a cyber incident, but that the same incident was not disclosed in the company's subsequent Form 10-Q. See comment letter to Asbury Automotive Group Inc. (October 7, 2024).
[8] The only climate change-related comment letters issued in 2024 involved asking investment funds to improve disclosure about how they consider climate change-related impacts on companies in their investment strategy. The SEC did issue a number of such comment letters in 2023.
[9] The sample comment letter highlighted areas companies should consider for risk factor disclosure, including the material effects of transition risks related to climate change, such as policy and regulatory changes that could impose operational and compliance burdens, market trends that may alter business opportunities, credit risks, or technological changes, as well as any material litigation risks related to climate change.
[10] In May 2022, the SEC posted a sample comment letter to companies emphasizing their potential disclosure obligations related to direct or indirect impacts that Russia's actions in Ukraine and the international response have or may have on their business. This guidance can help companies considering updates about other global conflicts that might affect their businesses. The SEC advised that, where material, companies should provide detailed disclosures regarding risks related to actual or potential disruptions in supply chains and the heightened risk of cyberattacks by state actors.
In July 2023, the SEC also issued a sample comment letter related to risks for companies with operations in China. With respect to risk factor disclosure, the Staff noted it has been continuing to issue comments seeking more "specific and prominent disclosure about material risks related to the role of the government of the People's Republic of China in the operations of China-based companies." To the extent that companies have operations in China, they should take into account the sample comment letter, as well as recent developments in the region, while preparing their risk factor disclosure.
[11] In a recent speech, former Director Erik Gerding reiterated this point, emphasizing that boilerplate risk factors do not serve investors well, since investors gain more from understanding how risks specifically impact a particular issuer. See "Remarks at the Practicing Law Institute's 55th Annual Institute on Securities Regulation."
[12] In this case, the company faced allegations that the risk factors in its 2016 Form 10-K were misleading because they presented the risk of misuse of user data as merely hypothetical, when Facebook knew that a third-party developer (Cambridge Analytica) had already improperly collected and harvested such data. The SEC previously settled its enforcement action against Facebook based on the same issue.
[13] Disclosure may be required whether or not the degree of occurrence is material on its own. For more information, see our prior alert, "Time to Revisit Risk Factors in Periodic Reports."
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2025 White & Case LLP