We have also outsourced several information technology support services
and administrative functions to third-party service providers, including
cloud-based service providers, and may outsource other functions in the
future to achieve cost savings and efficiencies. If these service providers
do not perform effectively due to breach or system failure, we may not be
able to achieve the expected benefits and our business may be disrupted.
The COVID-19 pandemic has resulted in many of our employees,
contractors and other corporate partners working remotely, increasing
reliance on information technology systems that are outside our direct
control. These systems are potentially vulnerable to cyber-based attacks
and security breaches. In addition, cyber criminals are increasing their
attacks on individual employees with business email compromise scams
designed to trick victims into transferring sensitive data or funds, or steal
credentials that compromise information systems.
The actions and controls we have implemented and are implementing
to date, or which we seek to cause or have caused third-party providers
to implement, may be insufficient to protect our systems, information or
other intellectual property. Further, we anticipate continuing to devote
significant resources to maintaining and upgrading our security measures
generally, including those we employ to protect personal information
against these cybersecurity threats.
Further, as we pursue our strategy to grow through acquisitions and to
pursue new initiatives that improve our operations and cost structure, we
are also expanding and improving our information technologies, resulting
in a larger technological presence and corresponding exposure to
cybersecurity risk. Failure to adequately assess and identify cybersecurity
risks associated with acquisitions and new initiatives could increase our
vulnerability to such risks.
Our efforts to prevent security breaches and cybersecurity incidents, and to
implement effective disaster recovery plans, may not be entirely effective
to insulate us from technology disruption or protect us from adverse
effects on our results of operations. Additionally, information technology
systems continue to evolve and, in order to remain competitive, we must
implement new technologies in a timely and efficient manner. For example,
we may incorporate emerging artificial intelligence (AI) solutions into our
platform, offerings, services and features, and these applications may
become important in our operations over time. Our failure to implement
new technologies, including AI, in a timely and/or successful manner may
adversely affect our competitiveness and, consequently, our results of operations.
Our failure to comply with data privacy regulations could adversely affect our business.
There are new and emerging data privacy laws, as well as frequent
updates and changes to existing data privacy laws, in most jurisdictions
in which we operate. Given the complexity of these laws and the often-
onerous requirements they place on businesses regarding the collection,
storage, handling, use, disclosure, transfer, and security of personal data, it
is important for us to understand their impact and respond accordingly.
Failure to comply with data privacy laws can result in substantial fines or
penalties, legal liability and/or reputational damage.
In the UK and Europe, the General Data Protection Regulation (the
GDPR), which came into effect in 2018, places stringent requirements on
companies when handling personal data. There continues to be a growing
trend of other countries adopting similar laws.
Additionally, there continues to be significant uncertainty with respect
to the California Consumer Privacy Act of 2018 (the CCPA), which went
into effect on January 1, 2020, and imposes additional obligations on
companies regarding the handling of personal information and provides
certain individual privacy rights to persons whose information is collected.
Both the GDPR and the CCPA are continuously evolving and developing
and may be interpreted and applied differently from jurisdiction to
jurisdiction and may create inconsistent or conflicting requirements. For
example, the California Privacy Rights Act (the CPRA), which was approved
by California voters as a ballot initiative in November 2020, modifies the
CCPA significantly, further enhancing and extending an individual’s rights
over their personal data and the obligations placed on companies that
handle this data. The resulting new regulations became effective on
January 1, 2023. Most notably, employee and business data were brought
into scope, which raises the compliance requirements for us significantly,
in terms of internal controls, processes and governance requirements.
Furthermore, since 2020, several other U.S. states have enacted (and
additional U.S. states are considering enacting) stringent consumer
privacy laws, which may impose varying standards and requirements
on our data collection, use and processing activities. Continued
state-by-state introduction of privacy laws can be expected to lead to significantly
greater complexity in our compliance requirements globally, which could
result in complaints from data subjects and/or action from regulators. If
we do not provide sufficient resources to ensure we are able to respond,
adapt and implement the necessary requirements to respond to the
various forthcoming changes, which could include federal data privacy
requirements in the U.S., while continuing to maintain our compliance with
global data privacy laws, this could adversely impact our reputation and
we could face exposure to fines levied by regulators, which could have a
significant financial impact on our business.
Our level of indebtedness and the terms of our indebtedness could adversely affect our business and liquidity position.
As described in Note 12, “Debt and Other Financing Arrangements,” in
the Notes to Consolidated Financial Statements in Item 8, as of July 1,
2023, we had approximately $10.4 billion of total indebtedness, which
primarily includes our outstanding senior notes. Additionally, we have
the ability to borrow under our revolving credit facility, which supports
our U.S. commercial paper program.
Our level of indebtedness could have important consequences for us,
including:
• limiting our ability to obtain additional financing, if needed, for working
  capital, capital expenditures, acquisitions, debt service requirements
  or other purposes;
• increasing our vulnerability to adverse economic, industry or
  competitive developments;
• limiting our flexibility in planning for, or reacting to, changes in our
  business and our industry; and
• placing us at a competitive disadvantage compared to our competitors
  that have less debt.
Our indebtedness may increase from time to time for various reasons,
including fluctuations in operating results, working capital needs,
capital expenditures, potential acquisitions, joint ventures and/or share
repurchase programs. Our level of indebtedness and the ultimate cost of
such indebtedness could have a negative impact on our liquidity, cost of
future debt financing and financial results, and our credit ratings may be
adversely affected as a result of the incurrence of additional indebtedness.
A significant downgrade in our credit ratings or adverse conditions in
the capital markets may increase the cost of borrowing for us or limit our
access to capital. In the future, our cash flow and capital resources may
not be sufficient for payments of interest on and principal of our debt,
and any alternative financing measures available may not be successful
and may not permit us to meet our scheduled debt service obligations.
Item 1A. Risk Factors
PART I
15 SYSCO CORPORATION // 2023 Form 10-K