Financial Information
Jump to a Section:
PART I
Item 1A. Risk Factors.
Technology, Information Protection, and Privacy Risks
A failure to keep pace with developments in technology could impair our operations or competitive position. The lodging industry continues to demand the use of sophisticated technology and systems, including those used for our reservation, revenue management, property management, human resources and payroll systems, our Loyalty Program, and technologies we make available to our guests and for our associates. These technologies and systems must be refined, updated, and/or replaced with more advanced systems on a regular basis, and our business could suffer if we cannot do that as quickly or effectively as our competitors or within budgeted costs and time frames. We also may not achieve the benefits that we anticipate from any new technology or system, and a failure to do so could result in higher than anticipated costs or could impair our operating results.
An increase in the use of third-party Internet services to book online hotel reservations could adversely impact our business. Some of our hotel rooms are booked through Internet travel intermediaries such as Expedia.com®, Priceline.com®, Booking.com™, Travelocity.com®, and Orbitz.com®, as well as lesser-known online travel service providers. These intermediaries initially focused on leisure travel, but now also provide offerings for corporate travel and group meetings. Although our Best Rate Guarantee and Member Rate programs have helped limit guest preference shift to intermediaries and greatly reduced the ability of intermediaries to undercut the published rates at our hotels, intermediaries continue to use a variety of aggressive online marketing methods to attract guests, including the purchase, by certain companies, of trademarked online keywords such as “Marriott” from Internet search engines such as Google®, Bing®, Yahoo®, and Baidu® to steer guests toward their websites (a practice that has been challenged by various trademark owners in federal court). Although we have successfully limited these practices through contracts with key online intermediaries, the number of intermediaries and related companies that drive traffic to intermediaries’ websites is too large to permit us to eliminate this risk entirely. Our business and profitability could be harmed if online intermediaries succeed in significantly shifting loyalties from our lodging brands to their travel services, diverting bookings away from our direct online channels, or through their fees, increase the overall cost of Internet bookings for our hotels. In addition, if we are not able to negotiate new agreements on satisfactory terms when our existing contracts with intermediaries (which generally have 2- to 3- year terms) come up for renewal, our business and prospects could be negatively impacted in a number of ways. For example, if newly negotiated agreements are on terms less favorable to our hotels than the expiring agreements, or if we are not able to negotiate new agreements and our hotels no longer appear on intermediary websites, our bookings could decline, our profits (and the operating profits of hotels in our system) could decline, and customers and owners may be less attracted to our brands. We may not be able to recapture or offset any such loss of business through actions we take to enhance our direct marketing and reservation channels or to rely on other channels or other intermediary websites.
We are exposed to risks and costs associated with protecting the integrity and security of company, associate, and guest data. In the operation of our business, we collect, store, use, and transmit large volumes of data regarding associates, guests, customers, owners, licensees, franchisees, and our own business operations, including credit card numbers, reservation and loyalty data, and other personal information, in various information systems that we maintain and in systems maintained by third parties, including our owners, franchisees, licensees, and service providers. The integrity and protection of this data is critical to our business. If this data is inaccurate or incomplete, we could make faulty decisions.
Our guests and associates also have a high expectation that we, as well as our owners, franchisees, licensees, and service providers, will adequately protect and appropriately use their personal information. The information, security, and privacy requirements imposed by laws and governmental regulation, our contractual obligations, and the requirements of the payment card industry are also increasingly demanding in the U.S., the European Union, Asia, and other jurisdictions where we operate. Our systems and the systems maintained or used by our owners, franchisees, licensees, and service providers may not be able to satisfy these changing legal and regulatory requirements and associate and guest expectations, or may require significant additional investments or time to do so. We may incur significant additional costs to meet these requirements, obligations, and expectations, and in the event of alleged or actual noncompliance we may experience increased operating costs, increased exposure to fines and litigation, and increased risk of damage to our reputation and brand.
The Data Security Incident could have numerous adverse effects on our business. As a result of the Data Security Incident, we are a party to numerous class action lawsuits brought by consumers and others in the U.S. and Canada, one securities class action lawsuit in the U.S., and one shareholder derivative lawsuit in the U.S. We may be named as a party in additional lawsuits and other claims may be asserted by or on behalf of guests, customers, hotel owners, shareholders or others seeking monetary damages or other relief. A number of federal, state and foreign governmental authorities have also made inquiries or opened investigations related to the Data Security Incident, including under various data protection and privacy regulations, such as the European Union’s General Data Protection Regulation. In addition, the major payment card networks require the completion of a forensic investigation by a certified investigative firm, which is underway. Responding to and resolving these lawsuits, claims and investigations may result in material remedial and other expenses which may not be covered by insurance, including fines. Governmental authorities investigating the Data Security Incident also may seek to impose undertakings, injunctive relief, consent decrees, or other civil or criminal penalties, which could, among other things, materially increase our data security costs or otherwise require us to alter how we operate our business. Card issuers or payment card networks may seek to attribute losses or other expenses to the Data Security Incident, and we cannot currently determine to what extent those losses and expenses may be our legal responsibility. Significant management time and Company resources have been, and may continue to be, devoted to the Data Security Incident. The Data Security Incident and publicity related to it could have a range of other adverse effects on our business or prospects, including causing or contributing to loss of consumer confidence, reduced consumer demand, reduced enrollment and/or participation in our Loyalty Program, loss of development opportunities, and associate retention and recruiting difficulties. These expenses and other adverse effects could have a material effect on our market share, reputation, business, financial condition, or results of operations. Although we maintain insurance designed to limit our exposure to losses such as those related to the Data Security Incident, that insurance may not be sufficient or available to cover all of our expenses or other losses (including fines) related to the Data Security Incident. Further, as a result of the Data Security Incident and market forces beyond our control, relevant insurance coverage may not be available in the future on commercially reasonable terms or at all.
Our remediation efforts related to the Data Security Incident will be costly and may not be effective. Following the Data Security Incident, we implemented additional technical measures on our network designed to contain and remove the threats identified during our investigation, secure the Starwood reservations database, and monitor for any further unauthorized activity. We also accelerated ongoing security enhancements to our network. We have incurred costs in connection with these remediation efforts to date, and we could incur additional significant costs as we take further steps designed to prevent unauthorized access to our network. The technical measures we have taken are based on our investigation of the causes of the Data Security Incident, but additional measures may be needed to prevent a similar incident in the future and such measures may not be sufficient to prevent other types of incidents. We cannot assure you that all potential causes of the incident have been identified and remediated and will not occur again.
Additional cyber-security incidents could have adverse effects on our business. The Data Security Incident was significant, went undetected for a long period of time and could have numerous adverse effects on our business, as discussed above. If we experience additional cyber security incidents or fail to detect and appropriately respond to additional cyber security incidents, the severity of the adverse effects on our business could be magnified. We have implemented security measures to safeguard our systems and data, and we intend to continue implementing additional measures in the future, but, as with the Data Security Incident, our measures may not be sufficient to maintain the confidentiality, security, or availability of the data we collect, store, and use to operate our business. Measures taken by our service providers or our owners, franchisees, licensees, and their service providers also may not be sufficient. Efforts to hack or circumvent security measures, efforts to gain unauthorized access to data, failures of systems or software to operate as designed or intended, viruses, “ransomware” or other malware, “phishing” or other types of business email compromises, operator error, or inadvertent releases of data have impacted, and may in the future impact, our information systems and records or those of our owners, franchisees, licensees, or service providers. Our reliance on computer, Internet-based, and mobile systems and communications, and the frequency and sophistication of efforts by third parties to gain unauthorized access or prevent authorized access to such systems, have greatly increased in recent years. We have experienced cyber-attacks, attempts to disrupt access to our systems and data, and attempts to affect the integrity of our data, and the frequency and sophistication of such efforts could continue to increase. In addition to the consequences of the Data Security Incident discussed above, any significant theft of, unauthorized access to, loss of, loss of access to, or fraudulent use of guest, associate, owner, franchisee, licensee, or company data could adversely impact our reputation and could result in legal, regulatory and other consequences, including remedial and other expenses, fines, or litigation. Depending on the nature and scope of the event, compromises in the security of our information systems or those of our owners, franchisees, licensees, or service providers or other disruptions in data services could lead to an interruption in the operation of our systems, resulting in operational inefficiencies and a loss of profits, negative publicity, and other adverse effects on our business, including lost sales, boycotts, reduced enrollment and/or participation in our Loyalty Program, litigation, loss of development opportunities, or associate retention and recruiting difficulties, all of which could affect our market share, reputation, business, financial condition, or results of operations. The techniques used to obtain unauthorized access, disable or degrade service, or sabotage information systems change frequently, can be difficult to detect for long periods of time, and can involve difficult or prolonged assessment or remediation periods even once detected, which could magnify the severity of these adverse effects. In addition, although we carry cyber/privacy liability insurance that is designed to protect us against certain losses related to cyber risks, that insurance coverage may not be sufficient to cover all expenses or other losses (including fines) or all types of claims that may arise in connection with cyber-attacks, security compromises, and other related incidents, and until we renew our current policy and a new policy period begins, our policy coverage limits will be reduced by the amount of claims paid related to the Data Security Incident. Furthermore, in the future such insurance may not be available on commercially reasonable terms, or at all.
Changes in privacy and data security laws could increase our operating costs, increase our exposure to fines and litigation, and adversely affect our ability to market our products effectively. We are subject to numerous, complex, and frequently changing laws, regulations, and contractual obligations designed to protect personal information, including in the U.S., the European Union, Asia, and other jurisdictions. Non-U.S. data privacy and data security laws, various U.S. federal and state laws, payment card industry security standards, and other information privacy and security standards are all applicable to us. Significant legislative or regulatory changes could be adopted in the future, including in reaction to the Data Security Incident or data breaches experienced by other companies. Compliance with changes in applicable data privacy laws and regulations and contractual obligations, including responding to investigations into our compliance, may restrict our business operations, increase our operating costs, increase our exposure to fines and litigation in the event of alleged non-compliance, and adversely affect our reputation. Following the Data Security Incident, the Information Commissioner’s Office in the United Kingdom (“ICO”) notified us that it had opened an investigation into our online privacy policy and related practices. This investigation is separate from the ICO’s investigation specifically related to the Data Security Incident. As a result of this investigation, we could be exposed to significant fines and remediation costs in addition to any imposed as a result of the Data Security Incident, and adverse publicity related to the investigation could adversely affect our reputation.
Additionally, we rely on a variety of direct marketing techniques, including email marketing, online advertising, and postal mailings. Any further restrictions in laws such as the CANSPAM Act, and various U.S. state laws, or new federal laws on marketing and solicitation or international privacy, e-privacy, and anti-spam laws that govern these activities could adversely affect the continuing effectiveness of email, online advertising, and postal mailing techniques and could force further changes in our marketing strategy. If this occurs, we may not be able to develop adequate alternative marketing strategies, which could impact the amount and timing of our sales of certain products. We also obtain access to potential guests and customers from travel service providers or other companies with whom we have substantial relationships, and we market to some individuals on these lists directly or by including our marketing message in the other company’s marketing materials. If access to these lists were to be prohibited or otherwise restricted, our ability to develop new guests and customers and introduce them to our products could be impaired.
Any disruption in the functioning of our reservation systems could adversely affect our performance and results. We manage global reservation systems that communicate reservations to our branded hotels that individuals make directly with us online, through our mobile apps, through our telephone call centers, or through intermediaries like travel agents, Internet travel websites, and other distribution channels. The cost, speed, accuracy and efficiency of our reservation systems are critical aspects of our business and are important considerations for hotel owners when choosing our brands. Our business may suffer if we fail to maintain, upgrade, or prevent disruption to our reservation systems. In addition, the risk of disruption in the functioning of our global reservation systems could increase with the ongoing systems integration that is part of our integration of Starwood. Disruptions in or changes to our reservation systems could result in a disruption to our business and the loss of important data.
Other Risks
Ineffective internal control over financial reporting could result in errors in our financial statements, reduce investor confidence, and adversely impact our stock price. As discussed in Part II, Item 8 “Management’s Report on Internal Control Over Financial Reporting” later in this report, in the 2018 fourth quarter, we identified a material weakness in internal control related to our accounting for our Loyalty Program, which resulted in errors in our previously issued financial statements for the 2018 first, second, and third quarters. Internal controls related to the implementation of ASU 2014-09 and the accounting for our Loyalty Program are important to accurately reflect our financial position and results of operations in our financial reports. We are in the process of remediating the material weakness, but our efforts may not be successful. If we are unable to remediate the material weakness in an appropriate and timely manner, or if we identify additional control deficiencies that individually or together constitute significant deficiencies or material weaknesses, our ability to accurately record, process, and report financial information and consequently, our ability to prepare financial statements within required time periods, could be adversely affected. Failure to maintain effective internal control over financial reporting could result in violations of applicable securities laws, stock exchange listing requirements, and the covenants under our debt agreements, subject us to litigation and investigations, negatively affect investor confidence in our financial statements, and adversely impact our stock price and ability to access capital markets.
Changes in laws and regulations could reduce our profits or increase our costs. We are subject to a wide variety of laws, regulations, and policies in jurisdictions around the world, including those for financial reporting, taxes, healthcare, cybersecurity, privacy, climate change, and the environment. Changes to such laws, regulations, or policies could reduce our profits. We also anticipate that many of the jurisdictions where we do business will continue to review taxes and other revenue raising measures, and any resulting changes could impose new restrictions, costs, or prohibitions on our current practices or reduce our profits. In particular, governments may revise tax laws, regulations, or official interpretations in ways that could significantly impact us, and other modifications could reduce the profits that we can effectively realize from our operations or could require costly changes to those operations or the way in which they are structured.
We could be subject to additional tax liabilities. We are subject to a variety of taxes in the U.S. (federal and state) and numerous foreign jurisdictions. We may recognize additional tax expense and be subject to additional tax liabilities due to changes in laws, regulations, administrative practices, principles, and interpretations related to tax, including changes to the global tax framework, competition, and other laws and accounting rules in various jurisdictions. Such changes could come about as a result of economic, political, and other conditions.
Our tax expense and liabilities may also be affected by other factors, such as changes in our business operations, acquisitions, investments, entry into new businesses and geographies, intercompany transactions, the relative amount of our foreign earnings, losses incurred in jurisdictions for which we are not able to realize related tax benefits, the applicability of special tax regimes, changes in foreign currency exchange rates, changes in our stock price, and changes in our deferred tax assets and liabilities and their valuation. Significant judgment is required in evaluating and estimating our tax expense and liabilities. In the ordinary course of our business, there are many transactions and calculations for which the ultimate tax determination is uncertain. For example, the legislation known as the U.S. Tax Cuts and Jobs Act of 2017 (the “2017 Tax Act”) requires complex computations to be performed that were not previously required by U.S. tax law, significant judgments to be made in interpretation of the provisions of the 2017 Tax Act, significant estimates in calculations, and the preparation and analysis of information not previously relevant or regularly produced. The U.S. Treasury Department, the U.S. Internal Revenue Service, and other standard-setting bodies will continue to interpret or issue guidance on how provisions of the 2017 Tax Act will be applied or otherwise administered. As future guidance is issued, we may make adjustments to amounts that we have previously recorded that may materially impact our financial statements in the period in which the adjustments are made.
We are also currently subject to tax controversies in various jurisdictions, and these jurisdictions may assess additional tax liabilities against us. Developments in an audit, investigation, or other tax controversy could have a material effect on our operating results or cash flows in the period or periods for which that development occurs, as well as for prior and subsequent periods. We regularly assess the likelihood of an adverse outcome resulting from these proceedings to determine the adequacy of our tax accruals. Although we believe our tax estimates are reasonable, the final outcome of audits, investigations, and any other tax controversies could be materially different from our historical tax accruals.
Delaware law and our governing corporate documents contain, and our Board of Directors could implement, anti-takeover provisions that could deter takeover attempts. Under the Delaware business combination statute, a shareholder holding 15 percent or more of our outstanding voting stock could not acquire us without Board of Director consent for at least three years after the date the shareholder first held 15 percent or more of the voting stock. Our governing corporate documents also, among other things, require supermajority votes for mergers and similar transactions. In addition, our Board of Directors could, without shareholder approval, implement other anti-takeover defenses, such as a shareholder rights plan.