iRobot (IRBT) Risk Analysis

To remain competitive, we must continue to invest in developing tools and processes to improve the speed at which we are able to develop competitive products. Historically, we have made significant investments to develop tools and processes, including designing multiple hardware-based platforms and developing a reusable software architecture for use across those platforms. The development of multiple hardware platforms and a reusable software architecture requires the expenditure of significant resources that may not result in the designed efficiencies. As part of our 2024 operational restructuring plan, we plan to lower research and development expenditures by shifting to greater reliance on our manufacturing partners for lower-value commodity engineering work. Our manufacturing partners' efforts to implement such designs and developments may be unsuccessful and the speed of product development may not improve. Failure to improve the speed of product development, whether through our direct work or through the work of our manufacturing partners, could materially harm our business, results of operations and financial condition. In addition, any new product that we develop may not be introduced in a timely or cost-effective manner, may contain defects, or may not achieve the market acceptance necessary to generate sufficient revenue. Our inability to reduce the cost to develop new products or product variants has substantially impacted, and may continue to substantially impact, our ability to offer products that compete favorably. A critical component of our iRobot Elevate turnaround strategy is the development and launch of a revitalized product lineup beginning in 2025. Any delays or interruptions in the development, manufacture or shipment of our new products, or any failure to effectively ramp up the manufacturers of new products, would be likely to result in lost sales and revenue and damage our reputation in the market, both of which would harm our business and results of operations. In addition, failure to launch anticipated products in a timely fashion could result in failure to maintain a set of competitive products and materially harm our brand, business, results of operations and financial condition. Additionally, we may not realize the benefits of modifying our operations to increase the speed of product development, implementing our recent restructuring, increasing reliance on our partners for product development, which could result in a loss of potential revenue and increase our product return rate.

Currently, we maintain significant operations in Asia, where a majority of our products are manufactured. Subject to contractual confidentiality obligations, we are required to share significant product design materials with third-parties necessary for the design and manufacture of our products. We cannot be sure that our data or intellectual property will not be compromised through cyber-intrusion, theft or other means, particularly when the data or intellectual property is held by partners in foreign jurisdictions. Should our intellectual property be compromised, it may be difficult to enforce our rights in China and other foreign jurisdictions in which we operate.

The threats to network and data security are increasingly diverse and sophisticated. Despite our efforts and processes to prevent cybersecurity incidents and data breaches, our devices, as well as our servers, computer systems, and those of third parties that we use in our operations are vulnerable to intentional or inadvertent insider personnel and vendor misconduct, cybersecurity risks, including cyber attacks such as viruses and worms, phishing attacks, distributed denial-of-service attacks, ransomware, and similar disruptions from unauthorized tampering with our servers and computer systems or those of third parties that we use in our operations, which could lead to interruptions, delays, loss of critical data, and loss of consumer confidence. In addition, we have in the past and may in the future be the target of numerous attack vectors and methods, including email scams, social engineering, smishing, vishing, and identity spoofing, which attempt to acquire sensitive information or company assets. Despite our efforts to create security barriers to such threats, we may not be able to entirely mitigate these risks. These threats may be increased due to work-from-home policies implemented by us and our customers, suppliers and distributors. Any cyber attack that attempts to obtain our data and assets, disrupt our service, or otherwise access our systems, or those of third parties we use, if successful, could adversely affect our business, operating results, and financial condition, be expensive to remedy, and damage our reputation. Our contracts may not contain limitations of liability, and even where they do, there can be no assurance that limitations of liability in our contracts are sufficient to protect us from liabilities, damages, or claims related to our privacy and data security obligations. Further, our cyber insurance may not protect against all of the costs and liabilities arising from a cyber attack.

We are a U.S.-based company subject to taxes in multiple U.S. and foreign tax jurisdictions. Our profits, cash flow and effective tax rate could be adversely affected by changes in the tax rules and regulations in the jurisdictions in which we do business, unanticipated changes in statutory tax rates and changes to our global mix of earnings.

Our latest floor cleaning robots, as well as additional products in development, collect, store, process, and use certain customer data, which subjects us to governmental regulation and other legal obligations related to privacy, information security, and data protection, and any security breaches or our actual or perceived failure to comply with such legal obligations could harm our business. We collect, store, process, and use personal information and other user data, and we rely on third parties that are not directly under our control to do so as well. If we experience a cybersecurity incident, or if our security measures, some of which are managed by third parties, are breached or fail, unauthorized persons may be able to obtain access to or acquire sensitive user data, which may expose us to a risk of loss, litigation, or regulatory proceedings. Depending on the nature of the information compromised, in the event of a cybersecurity incident, data breach or other unauthorized access to or acquisition of our user data, we may also have obligations to notify users about the cybersecurity incident or data breach, and we may need to provide some form of remedy, such as a subscription to a credit monitoring service, for the individuals affected by the cybersecurity incident or data breach. In addition, the regulatory environment surrounding information security and privacy is increasingly demanding, with frequent imposition of new and changing requirements. For example, the EU GDPR, UK GDPR, and the CCPA impose significant requirements on how we collect, process and transfer personal data, as well as significant fines for non-compliance. In the United States, at the federal level, failing to take appropriate steps to keep consumers' personal information secure may constitute unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act (the FTCA), 15 U.S.C § 45(a). The FTC expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business and the cost of available tools to improve security and reduce vulnerabilities. In addition, laws similar to the CCPA have been passed in numerous other states and other states have proposed new privacy laws. State laws are changing rapidly and there are discussions in the U.S. Congress of new comprehensive federal data privacy laws to which we could become subject to, if enacted. With respect to the collection and processing of personal data relating to the European Union ("EU"), European Economic Area ("EEA") and United Kingdom ("UK"), we are subject to the EU General Data Protection Regulation ("EU GDPR"), the UK General Data Protection Regulation ("UK GDPR"), as well as applicable data protection laws in effect in the Member States of the EEA and in the UK (including the UK Data Protection Act 2018) which govern the processing of personal data in connection with (a) the offering of goods or services to/the monitoring of the behavior of individuals in the UK and EEA; or (b) the activities of any of our establishments in the UK or any EEA Member State. The UK's data protection regime is independent from but aligned to the EU's data protection regime. In this Annual Report on Form 10-K, references to "GDPR" encompasses both the EU GDPR and UK GDPR, unless specified otherwise. The GDPR is wide-ranging in scope and imposes numerous requirements on companies that process personal data, including requiring additional disclosures to individuals regarding data processing activities, requiring that safeguards are implemented to protect the security and confidentiality of personal data, limiting retention periods for personal data, creating mandatory data breach notification requirements in certain circumstances, and requiring that certain measures (including contractual requirements) are put in place when engaging third-party service providers. The GDPR also imposes strict rules on the transfer of personal data to countries outside of the UK and EEA that do not ensure an adequate level of protection, including the United States in certain circumstances, unless derogation exists or a valid GDPR transfer mechanism (for example, the European Commission approved Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement or Addendum (UK IDTA) have been put in place, and transfer impact assessments conducted. Any inability to transfer personal data from the UK or EEA to the United States in compliance with data protection laws may impede our operations and may adversely affect our business and financial position. Following the UK's exit from the EU on January 31, 2020, or Brexit, there will be increasing scope for divergence in application, interpretation and enforcement of the data protection laws between these territories. For example, the UK introduced a Data (Use and Access) Bill into the UK legislative process with the intention for this bill to reform the UK's data protection regime following Brexit. If passed, the final version of the Data (Use and Access) Bill may have the effect of further altering the similarities between the UK and EEA data protection regimes and threaten the UK adequacy decision from the EU Commission allowing the free flow of personal data from the UK to the EEA, which may lead to additional compliance costs and could increase our overall risk. This lack of clarity on future UK laws and regulations and their interaction with those of the EEA could add legal risk, uncertainty, complexity, and cost to our handling of European personal data and our privacy and security compliance programs, and could require us to implement different compliance measures for the UK and EEA. Failure to comply with the requirements of the GDPR and the related national data protection laws of the EEA Member States and the UK may result in fines up to €20 million (£17.5 million for the UK GDPR) or 4% of a company's global annual revenues for the preceding financial year, whichever is higher. The GDPR also confers a private right of action on data subjects and consumer associations to lodge complaints with supervisory authorities, seek judicial remedies, and obtain compensation for damages resulting from violations of the GDPR. Complying with these European data protection laws may impose significant costs or otherwise require us to divert resources or implement changes to our business processes, and any actual or perceived non-compliance could result in significant penalties, claims and reputational damage. Compliance with changes in privacy and information security laws and standards may result in significant expense due to increased investment in technology and the development of new operational processes. Moreover, a growing number of legislative and regulatory bodies have adopted consumer notification requirements in the event of unauthorized access to or acquisition of certain types of personal data. Such breach notification and consumer privacy laws continue to evolve and may be inconsistent from one jurisdiction to another. Complying with these obligations could cause us to incur substantial costs and could increase negative publicity surrounding any incident that compromises user data. Further, we may be or become subject to data localization laws mandating that data collected in a foreign country be processed and stored only within that country. Russia adopted such a law in 2014, and a similar law became effective in China in November 2021. If other countries in which we have customers were to adopt a data localization law, we could be required to expand our data storage facilities there or build new ones in order to comply. The expenditure this would require, as well as costs of compliance generally, could harm our financial condition. Regulators and legislators in the United States are also increasingly scrutinizing and restricting certain personal data transfers and transactions involving foreign countries. For example, the Biden Administration's executive order Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern as implemented by Department of Justice regulations issued in December 2024, prohibits data brokerage transactions involving certain sensitive personal data categories, including health data, genetic data, and biospecimens, to countries of concern, including China. The regulations also restrict certain investment agreements, employment agreements and vendor agreements involving such data and countries of concern, absent specified cybersecurity controls. Any failure or perceived failure by us to comply with any applicable federal, state or foreign laws and regulations relating to data privacy and security could result in damage to our reputation, as well as proceedings or litigation by governmental agencies or other third parties, including class action privacy litigation in certain jurisdictions, which would subject us to significant fines, sanctions, awards, injunctions, penalties or judgments. Any of the foregoing could have a material adverse effect on our business, financial condition, results of operations and prospects.

To execute our business stabilization plan and return to profitability, we must attract and retain additional, highly-qualified personnel. Competition for hiring these employees is intense, especially with regard to engineers with high levels of experience in designing, developing and integrating robots and engineers with expertise in artificial intelligence, machine learning, data science and cloud applications. Many of the companies with which we compete for hiring experienced employees have greater resources than we have. If we fail to attract new technical personnel or fail to retain and motivate our current employees, our business and future growth prospects could be severely harmed. In addition, we have experienced increased employee turnover as a result of general market conditions, the impact of several reductions in force executed over the past several years, and the termination of the proposed acquisition by Amazon. These factors may cause additional attrition and affect the morale of our current employees and might adversely affect our reputation among job seekers. Significant or prolonged turnover or revised hiring priorities may negatively affect our operations and culture, as well as our ability to successfully maintain our processes and procedures. New hires require significant training and, in most cases, take significant time before they achieve full productivity. New employees may not become as productive as we expect, and we may be unable to hire or retain significant numbers of qualified individuals. Moreover, we may be forced to adjust salaries or other compensation in order to retain key talent. Job seekers and existing personnel often consider the value of the equity awards they receive in connection with their employment. The recent decline in our stock price may impact the actual or perceived value of our equity awards for current employees or new hires, and we may need to grant additional or larger equity awards to offer attractive compensation packages to hire and retain employees. If our retention efforts are not successful or our team member turnover rate continues to increase in the future, our business, results of operations and financial condition could be materially and adversely affected. In 2024, we commenced and largely completed an operational restructuring plan to more closely align our cost structure with near-term revenue expectations and drive profitability. A critical component of our operational restructuring plan was the significant reduction of our overall global workforce. Completion of the restructuring plan may have continuing adverse effects on our workforce, including negative effects on employee morale, increased employee attrition, increased difficulty in hiring new employees, and diversion of management attention. Additionally, as we are operating our business with fewer employees, we face additional risks that we might not be able to execute on our strategic plans and product roadmap, which may have an adverse effect on our business, financial condition, and operating results.

The expansion of our direct-to-consumer channel could alienate some of our channel partners and cause a reduction in product sales from these partners. Channel partners may perceive themselves to be at a disadvantage based on the direct-to-consumer sales offered through our website. Due to these and other factors, conflicts in our sales channels could arise and cause channel partners to divert resources away from the promotion and sale of our products. Any of these situations could adversely impact our business and results of operations.

We spend significant amounts on advertising and other marketing campaigns, such as television, digital and print advertising, and social media, as well as increased promotional activities, to acquire new customers, and we expect to continue to spend significant amounts to increase awareness of our consumer robot products. For fiscal 2024, 2023 and 2022, sales and marketing expenses were $138.8 million, $199.3 million, and $290.1 million, respectively, representing approximately 20.4%, 22.4% and 24.5%, of our revenue, respectively. While we seek to structure our advertising campaigns in the manner that we believe is most likely to encourage people to purchase our products, we may fail to identify advertising opportunities that satisfy our anticipated return on advertising spend as we scale our investments in marketing or to fully understand or estimate the conditions and behaviors that drive customer behavior. If any of our advertising campaigns prove less successful than anticipated in attracting customers, we may not be able to recover our advertising spend, and our revenue may fail to meet our expectations, either of which could have an adverse effect on our business. There can be no assurance that our advertising and other marketing efforts will result in increased sales of our products.