target. We and third parties we utilize as vendors to support our business and operations have experienced, and expect to
continue to experience, these types of threats and incidents. We and our third-party service providers have experienced and
expect to continue to experience threats from sophisticated nation-state actors and organized criminal groups who engage in
attacks (including advanced persistent threat intrusions) that add to the risks to our IT systems (including our cloud services
providers’ systems), internal networks, our customers’ systems and the information that they store and process. Our customers,
including the U.S. government, are increasingly requiring cybersecurity protections and mandating cybersecurity standards in
our products, and we may incur additional costs to comply with such demands. We deploy countermeasures to deter, prevent,
detect, respond to and mitigate these threats, including identity and access controls, data protection, vulnerability assessments,
product software designs which we believe are less susceptible to cyber-attacks, monitoring of our IT networks and systems,
maintenance of backup and protective systems and the incorporation of cybersecurity design throughout the lifecycle of our
products. Despite these efforts, the Company has experienced, and will likely continue to experience, attacks and resulting
breaches or breakdowns of the Company’s, or its third-party service providers’, databases or systems. Cybersecurity incidents,
depending on their nature and scope, have resulted, and may in the future result, in the misappropriation, destruction, corruption
or unavailability of critical data and confidential or proprietary information (our own or that of third parties) and the disruption
of business operations. Such incidents have remained, and could in the future remain, undetected for an extended period of
time, and the losses arising from such incidents could exceed our available insurance coverage for such matters. In addition,
security breaches impacting our IT systems have in certain cases resulted in, and in the future could result in, a risk of loss or
unauthorized disclosure or theft of information, which could lead to enforcement actions, litigation, regulatory or governmental
audits, investigations and possible liability.
An increasing number of our products, services and technologies, including our OpenBlue software platform, are delivered with
digital capabilities and accompanying interconnected device networks, which include sensors, data, building management
systems and advanced computing and analytics capabilities. If we are unable to manage the lifecycle cybersecurity risk in
development, deployment and operation of our digital platforms and services, they could become susceptible to cybersecurity
incidents and lead to third-party claims that our product failures have caused damages to our customers. This risk is enhanced
by the increasingly connected nature of our products and the role they play in managing building systems.
During the fourth quarter of fiscal 2023, we experienced a cybersecurity incident that disrupted portions of our internal
information technology infrastructure and applications consisting of unauthorized access by a third party, exfiltration of data
and the deployment of ransomware, which in turn caused disruptions and limitation of access to portions of our business
applications that support aspects of our operations and corporate functions. As a result of this incident, we experienced
disruptions to our normal operations which had an adverse impact on our financial performance, as discussed in Item 7,
Management’s Discussion and Analysis of Financial Condition and Results of Operations. We have and may continue to incur
significant costs in connection with the cybersecurity incident and any future cybersecurity incidents, including infrastructure
investments or remediation efforts. Further, we could experience other additional consequences in the future as a result of the
incident, including, reputational damage, exposure to legal claims or enforcement actions and fines levied by governmental
organizations, which in turn could materially and adversely affect our results of operations. In addition, limitations on our
ability to analyze and investigate the incident due to limitations on the availability of historical logs and other forensic data may
impact our ability to identify all of the impacts and root causes of the cybersecurity incident. There can be no assurance that
additional unauthorized access or cyber incidents will not occur or that we will not suffer material losses in the future.
Unauthorized access or cyber incidents could occur more frequently and on a more significant scale to those we have suffered
to date. We could also experience similar consequences as a result of future cybersecurity incidents. Other potential
consequences of future cybersecurity incidents could include the theft of intellectual property and the diminution in the value of
our investment in research, development and engineering, which in turn could materially and adversely affect our
competitiveness and results of operations.
We identified a material weakness in our internal control over financial reporting which, if not remediated
appropriately or timely, could result in the loss of investor confidence and adversely impact our business operations and
our stock price.
As a result of the cybersecurity incident experienced beginning in September 2023, and as disclosed in Part II, Item 9A of this
report, we have identified a material weakness in our internal control over financial reporting related to not maintaining
sufficient information technology (“IT”) controls to prevent or detect, on a timely basis, unauthorized access to certain of the
Company’s financial reporting systems. Accordingly, management concluded that our internal control over financial reporting
was not effective as of September 30, 2023. If we are unable to remediate the material weakness, or if we are otherwise unable
to maintain effective internal control over financial reporting, then our ability to record, process and report financial information
accurately, and to prepare financial statements within required time periods, could be adversely affected. If our financial
statements are not accurate, investors may not have a complete understanding of our operations. Likewise, if our financial
statements are not filed on a timely basis, we could be in violation of covenants contained in the agreements governing our debt
13